Doubt with iptables

Issues related to configuring your network
gbernabe
Posts: 1
Joined: 2017/09/30 15:08:02

Doubt with iptables

Postby gbernabe » 2017/09/30 15:16:52

I'm testing a CentOS 6.9 OS on a VPS. I installed Apache and then, when I try to access port 80, I can't. I reviewed the firewall and saw this:

# Generated by iptables-save v1.4.7 on Sat Sep 30 01:33:06 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:1972]

After doing some tests, I detected that the problem is [7:1972].

Does somebody know what it is?

TrevorH
Forum Moderator
Posts: 21174
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Doubt with iptables

Postby TrevorH » 2017/09/30 18:33:29

Your diagnosis is wrong: those numbers are packet and byte counters. Otherwise you have no firewall at all and everything is wide open.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

northpoint
Posts: 48
Joined: 2016/05/23 11:57:12

Re: Doubt with iptables

Postby northpoint » 2017/09/30 22:29:54

gbernabe wrote: I'm testing a CentOS 6.9 OS on a VPS. I installed Apache and then, when I try to access port 80, I can't. I reviewed the firewall and saw this:

# Generated by iptables-save v1.4.7 on Sat Sep 30 01:33:06 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:1972]

After doing some tests, I detected that the problem is [7:1972].

Does somebody know what it is?


Is Apache even listening on port 80?

Install nmap and run it on the VM'ed server to see what ports are active. Look for port 80.

Did you specify which port to listen to, and the interface, in the Apache config file?

Post your output of nmap and also take a look at your config file for apache.
Ryzen x1800 * Asus x370 Pro * CentOS 7.4 64bit / Icewarp /

Whoever
Posts: 964
Joined: 2013/09/06 03:12:10

Re: Doubt with iptables

Postby Whoever » 2017/10/03 03:34:07

No need to install nmap.

netstat -avpn | grep httpd


will show what ports httpd is listening on.

DanielLeeP
Posts: 8
Joined: 2017/10/02 06:16:50

Re: Doubt with iptables

Postby DanielLeeP » 2017/10/03 21:11:52

Personally, I think running a website out of the root user is bad practice; it is always better to have Apache serve websites on a per-user directory basis.
Enable the userdir module and set the directory from public_html to www, or whatever you want to call it.

Then
chmod 711 /home/*
chgrp apache /home/*/www
chmod 750 /home/*/www
chmod g+s /home/*/www

This will set it up so that if you have another user account on the server, it will serve from the specified Virtual Host's web directory, and you can even set it to serve the main web directory from a different account by setting the main IP in the Virtual Host. Personally, I think this is more secure than serving it straight from the root directory. Any files uploaded to the web directory will automatically be assigned to apache so they can be served, so basically just upload and go :D

Then you have to allow the port for the website using
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

service iptables save

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

is what I have mine set to.
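Since the thread turns on what the bracketed numbers in iptables-save output mean and on whether port 80 is allowed in, here is an added example (my code, not from any poster) that parses that format, reads the counters, flags chains with an ACCEPT policy and no rules as unfiltered, and walks the INPUT chain first-match to give a verdict for TCP traffic to a port. The sample ruleset is constructed from the thread's output plus the port-80 rule above; only the -p and --dport matches are interpreted.

```python
import re
# Constructed sample in iptables-save format (not captured from a real host): the
# thread's empty ruleset plus the one INPUT rule recommended in the reply above.
SAMPLE_SAVE = """\
# Generated by iptables-save v1.4.7 on Sat Sep 30 01:33:06 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:1972]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")

def parse_filter_table(text):
    """Return {chain: {policy, packets, bytes, rules}} for the *filter table."""
    chains, in_filter = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                 # table header: *filter, *nat, ...
            in_filter = line == "*filter"
        if not in_filter or line[:1] in ("", "*", "#") or line == "COMMIT":
            continue
        m = CHAIN_RE.match(line)
        if m:  # ":NAME POLICY [packets:bytes]" -- the brackets are counters, not a rule
            name, policy, pkts, byts = m.groups()
            chains[name] = {"policy": policy, "packets": int(pkts), "bytes": int(byts), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m and m.group(1) in chains:
            chains[m.group(1)]["rules"].append(m.group(2))
    return chains

def wide_open_chains(chains):
    """Chains with policy ACCEPT and no rules at all: nothing is being filtered."""
    return sorted(n for n, c in chains.items()
                  if c["policy"] == "ACCEPT" and not c["rules"])

def tcp_port_verdict(chains, port, chain="INPUT"):
    """First-match walk of a chain for TCP traffic to `port`; falls back to the policy."""
    for rule in chains[chain]["rules"]:
        proto = re.search(r"-p (\S+)", rule)
        dport = re.search(r"--dport (\d+)", rule)
        target = re.search(r"-j (\S+)", rule)
        if (proto is None or proto.group(1) == "tcp") and \
           (dport is None or int(dport.group(1)) == port) and target:
            return target.group(1)
    return chains[chain]["policy"]
```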


DanielLeeP
Posts: 8
Joined: 2017/10/02 06:16:50

Re: Doubt with iptables

Postby DanielLeeP » 2017/10/03 21:30:49

As for the Virtual Host, that bit is easy.

cd /etc/httpd/conf/
nano httpd.conf

go to the bottom where it says Virtual host
<VirtualHost 0.0.0.0:80>
ServerAdmin Webmaster email address
DocumentRoot /home/user/www
ServerName domain.serving.from
ErrorLog /home/user/www/logs/error.log
CustomLog /home/user/www/logs/access.log common
</VirtualHost>

Replace 0.0.0.0 with the main IP of the server,
replace "user" with the user account you wish to serve the website from,
and ServerAdmin would be Webmaster@yourdomain.com or whatever you want the email to be.

Then save and restart httpd.

Remember to comment out "UserDir disabled" and change it from public_html to whatever you want to serve it from.

Not saying this is how you should do it, just giving you some helpful advice. This would make it much easier in the long run if you wanted to manage more than one website at a time, if your server has more than one IP and you have more than one user account on the server.