Hi Gurus,
Does anyone here have a working firewall script for an Apache webserver that they can share? Or perhaps comment on my script?
I have a script, but it doesn't allow my clients to access my webserver.
First here's my initial firewall entries:
IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1" # Internal LAN interface
INTRANET="192.168.0.0/16" # Private IP Addr Range
PRIMARY_NAMESERVER="203.x.x.3"
SECONDARY_NAMESERVER="203.x.x.4"
LOOPBACK="127.0.0.0/8"
Now, here's my firewall rule for apache:
# ------------------------------------------------------------------
# HTTP client (80)
# ------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
I will appreciate any help.
Thanks a lot!
Just to make sure I understand your setup: You're running a firewall on the same machine that acts as webserver and the IP of that machine is $IPADDR.
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 80 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
First: [...] -p tcp ! --syn [...]
Why did you do that? A packet with the syn flag is the first packet in a tcp/ip handshake that requests a new connection to be established. If you deny these packets (! --syn -j ACCEPT is the same as --syn -j DROP (provided your default policy for the INPUT chain is DROP)) no connections will ever be established.
Also, what's up with your ports? We're talking about a webserver here, right? --source-port 80 should be --destination-port 80.
Third: Are your clients sitting on the LAN (and thus accessing the web server via $LOCAL_INTERFACE), or do they come from the outside?
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
This allows http connections from the webserver to other webservers. Is that what you want?
Also, what's $UNPRIVPORTS?
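Putting the reply's corrections together (SYN accepted on INPUT, port 80 as the destination inbound and as the source outbound), here is an added example that is neither the poster's script nor the replier's code. It assumes UNPRIVPORTS="1024:65535" (the original never defines it), a constructed placeholder address, and defaults IPT to echo so the rules print for review instead of being applied.

```shell
#!/bin/sh
# Corrected Apache (port 80) rules for the setup in the thread: firewall and
# webserver are the same host and $IPADDR is its external address.
# IPT defaults to a dry run (echo); run with IPT=iptables to apply the rules.
IPT="${IPT:-echo}"
EXTERNAL_INTERFACE="eth0"
IPADDR="${IPADDR:-203.0.113.10}"    # constructed placeholder address
UNPRIVPORTS="1024:65535"            # assumed; the original script never defines it

# Inbound: clients connect TO port 80 from an unprivileged port. The SYN that
# opens the connection must be accepted here, so there is no "! --syn".
http_in_rule() {
    $IPT -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
        --source-port "$UNPRIVPORTS" \
        -d "$IPADDR" --destination-port 80 -j ACCEPT
}

# Outbound: replies leave FROM port 80. The server never initiates these
# connections, so refusing SYN on this side is correct and limits the rule
# to reply traffic.
http_out_rule() {
    $IPT -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn \
        -s "$IPADDR" --source-port 80 \
        --destination-port "$UNPRIVPORTS" -j ACCEPT
}

# Sanity check on a generated rule: for the server side of HTTP, port 80 must
# be the destination on INPUT and the source on OUTPUT. Returns 0 when the
# rule text is consistent with that, 1 otherwise.
check_rule() {
    rule="$1"
    case "$rule" in
        *"-A INPUT"*"--destination-port 80"*) return 0 ;;
        *"-A OUTPUT"*"--source-port 80"*) return 0 ;;
    esac
    return 1
}

http_in_rule
http_out_rule
```

The check_rule function rejects the original post's INPUT rule, which puts port 80 on the source side. Stateful matching would be a more robust replacement for the port-based pairing, but that is beyond what the thread discusses.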