Page 2 of 7
Results 11 to 20 of 69

Thread: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

  1. #11
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    1) I can't explain why, but it seems to be the case, as I never needed any UDP port for HTTP, nor saw any iptables rule opening a UDP port for HTTP.

    2) You shouldn't need to open any input port for HTTPS; these rules are working fine for me. Which HTTPS website gives you problems with these rules? Give me a link so I can test it on my computer, since I use the same rules.

  2. #12
    Join Date
    May 2007
    Beans
    4

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Thank you for your reply.

    Quote Originally Posted by frodon:
    1) I can't explain why, but it seems to be the case, as I never needed any UDP port for HTTP, nor saw any iptables rule opening a UDP port for HTTP.
    I can't find the reference now, but I think I saw yesterday that HTTPS needs UDP for some kinds of negotiation, so I now assume that this means HTTP doesn't require it, as you say.

    However, I still don't really understand why http has the bit '-m state --state NEW,ESTABLISHED' rather than '-m tcp'. What other states are being dropped in http that are not being dropped in https?

    Quote Originally Posted by frodon:
    2) You shouldn't need to open any input port for HTTPS; these rules are working fine for me. Which HTTPS website gives you problems with these rules? Give me a link so I can test it on my computer, since I use the same rules.
    I haven't got this on an external server yet, but I hope to do so in the next few days. I can confirm that I have had to make both http and https rules into -i rather than -o.

    Regards,
    Geoff

  3. #13
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Quote Originally Posted by gegard:
    I haven't got this on an external server yet, but I hope to do so in the next few days. I can confirm that I have had to make both http and https rules into -i rather than -o.

    Regards,
    Geoff
    If you are not hosting a web server you shouldn't need to open anything on INPUT packets for HTTP and HTTPS; the fewer input ports you allow, the better.
    You have some things to test regarding this, as these rules are pretty common and should work without any problem.

    Did you modify some parts of the script?
    Because the "iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT" rule should already deal with all these input packets without the need for any additional rule, at least for HTTP and HTTPS.
    Last edited by frodon; February 28th, 2008 at 01:17 PM.

  4. #14
    Join Date
    Oct 2007
    Location
    Malaysia
    Beans
    37
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Hi,
    Just wondering: how am I going to integrate moblock into the script?

  5. #15
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    I don't know; it mainly depends on how moblock sets its rules. Depending on the apps which motivate you to run moblock, you have some other alternatives: many apps have plugins to block these IPs at the app level, like the "safepeer" Azureus plugin does.
    If Moblock doesn't play well with this script you can still try ipblock:
    http://ubuntuforums.org/showthread.php?t=530183

    Anyway, if I remember well what users said about my other iptables tutorial for beginners, moblock should work if started after the firewall script:
    http://ubuntuforums.org/showpost.php...0&postcount=79

  6. #16
    Join Date
    Oct 2007
    Location
    Malaysia
    Beans
    37
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Hi,
    Let's say I would like to try another type of firewall for comparison; how do I completely disable / uninstall this firewall? My intention is just that I don't want any conflicts in my iptables.

  7. #17
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    If you want to uninstall the scripts you can just delete the created scripts, or if you just want to disable it, comment out all the lines of the /etc/init.d/firewall script and reboot.

  8. #18
    Join Date
    May 2007
    Beans
    4

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    My scenario is a web server using both HTTP and HTTPS, with an SSL login. I've got a reverse proxy running and various other ports in use that I want to protect using iptables. The only inputs and outputs I want are on 22, 80 and 443. I don't want outputs from other ports to get outside, nor to receive traffic on other ports.

    Quote Originally Posted by frodon:
    Did you modify some parts of the script?
    Because the "iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT" rule should already deal with all these input packets without the need for any additional rule, at least for HTTP and HTTPS.
    The more I think about it, the further from understanding I think I become! So I'll read other resources to get a wider view of iptables. Sorry for my increasing (awareness of) ignorance.

    Thank you for your replies.

    Regards,
    Geoff
    Last edited by gegard; March 3rd, 2008 at 01:21 PM.

  9. #19
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Ha, OK, you should have said first that you are running HTTP and HTTPS servers, as in this case you do indeed need to open the ports as input too.

    You should only need to add a line per port to allow input traffic on the 3 ports you use for your server; for HTTPS it would be:
    Code:
    # HTTPS is carried over TCP, so the rule matches the TCP port
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT

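    An added example (not code from the thread or the HOWTO script) that applies the "one line per port" advice above to the web-server scenario from post #18: it assumes the script's TRUSTED chain, the eth0 interface and that the FIREWALL chain already carries the ESTABLISHED,RELATED rule quoted in post #13, and it generates one TCP rule per listening port; with DRYRUN=1 (the default) it prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the thread. Builds the per-port INPUT rules for
# a server that only exposes SSH, HTTP and HTTPS. HTTP and HTTPS run over TCP,
# so every rule uses -p tcp; no UDP rule is needed for them.
# Assumptions: chain TRUSTED exists, interface eth0, and the FIREWALL chain
# already accepts ESTABLISHED,RELATED traffic (return packets of the
# connections these rules admit).
: "${DRYRUN:=1}"          # 1 = print the commands, 0 = run iptables for real
IFACE="${IFACE:-eth0}"

# Run or echo an iptables command depending on DRYRUN.
run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# One rule per listening TCP port: accept NEW connections to it on $IFACE.
# Rejects anything that is not a plain port number so a typo cannot turn
# into an unexpected rule.
server_rules() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        run -A TRUSTED -i "$IFACE" -p tcp -m tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

# Number of rules that would be generated for the given ports (for checks).
rule_count() {
    DRYRUN=1 server_rules "$@" | wc -l | tr -d ' '
}

# The scenario from the thread: only 22, 80 and 443 reachable from outside.
server_rules 22 80 443
```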
  10. #20
    Join Date
    May 2007
    Beans
    4

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Quote Originally Posted by frodon:
    Ha, OK, you should have said first that you are running HTTP and HTTPS servers, as in this case you do indeed need to open the ports as input too.
    That explains it! Thank you for your help.

    Regards,
    Geoff

