Problem with iptables. Access to http and https.

Discussion in 'Linux Networking' started by Paulo da Silva, Oct 5, 2015.

  1. Hi!

    I am using, for long time, fwbuilder to build my firewalls.

    Now I wanted to allow http and https accesses to one of my computers.
    So, I set this on fwbuilder and here are the last two rules it generated:

    # RULE 7
    $IPTABLES -A FORWARD -i + -p tcp -m tcp -m multiport -d
    --dports 80,443 -m state --state NEW -j ACCEPT

    I also tried (using both directions instead of inbound):
    $IPTABLES -A OUTPUT -p tcp -m tcp -m multiport -d
    --dports 80,443 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d
    --dports 80,443 -m state --state NEW -j ACCEPT

    RULE 8 denies everything.

    When I try to access using my browser dmesg reports this:
    [ 6672.650597] RULE 8 -- DENY IN=eth0 OUT= MAC=...:... SRC=
    DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56306 DF PROTO=TCP
    SPT=40460 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0

    Does anybody know what can be wrong with this?

    Paulo da Silva, Oct 5, 2015
    1. Advertisements

  2. Às 14:22 de 07-10-2015, Joe Beanfish escreveu:
    I think the problem has somehow to do with -d This ip
    address is unnecessary because it is the address of the machine itself.
    So I just "told" fwbuilder to allow for inbound from and to local
    network and outbound from local network to the "world" (to allow
    browsing of external world).
    Now everything is working fine although I still don't understand why it
    didn't before.

    Thanks anyway for responding.
    Paulo da Silva, Oct 8, 2015
    1. Advertisements

  3. Paulo da Silva a écrit :
    The proper chain for incoming packets is INPUT, not FORWARD nor OUTPUT.
    Pascal Hambourg, Oct 10, 2015
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.