From chh123, 1 Year ago, written in Plain Text.
# Trying to set up Apache on my server that hosts an OpenVPN server already. When I delete all the rules I can access the webserver. What am I doing wrong here? Port 80 is open in INPUT/OUTPUT and the connection is not encrypted. Kernel log at the bottom.


*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ens3 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i ens3 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i ens3 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -i ens3 -p tcp -m state --state ESTABLISHED -m tcp --sport 53 -j ACCEPT
-A INPUT -i ens3 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i ens3 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A INPUT -i ens3 -p udp -m state --state ESTABLISHED -m udp --sport 123 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o ens3 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ens3 -p tcp -m state --state ESTABLISHED -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o ens3 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o ens3 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o ens3 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o ens3 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o ens3 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o ens3 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 123 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

kern.log
Sep 30 11:53:09 vps205606 kernel: [12810.116698] iptables_INPUT_denied: IN=ens3 OUT= MAC=fa:16:4e:a6:ee:12:26:88:4c:53:56:b9:08:00 SRC=MY_INET_IP DST=SERVER_IP LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=553 DF PROTO=TCP SPT=35015 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 30 11:53:09 vps205606 kernel: [12810.120529] iptables_OUTPUT_denied: IN= OUT=ens3 SRC=SERVER_IP DST=MY_INET_IP LEN=80 TOS=0x00 PREC=0xC0 TTL=64 ID=293 PROTO=ICMP TYPE=3 CODE=3 [SRC=x DST=x LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=553 DF PRO
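An added example, not part of the paste: a small POSIX shell script that reads the port out of the kern.log INPUT denial above, checks whether the INPUT chain has any rule admitting NEW TCP connections to that port (the paste only has the reverse `--sport 80 ESTABLISHED` direction, which is the client role), and prints the stateful rule pair a listening service needs. It assumes the interface name ens3 and the chain layout from the paste; the ruleset embedded below is the paste's INPUT chain.

```shell
#!/bin/sh
# Added example, not part of the original paste: detect a missing "NEW inbound"
# rule for the port named in an iptables_INPUT_denied log line, and print the
# stateful rule pair a server needs. Uses the paste's -m state syntax.

# INPUT chain copied from the paste (other chains omitted).
RULESET='-A INPUT -i lo -j ACCEPT
-A INPUT -i ens3 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i ens3 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i ens3 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# Kernel log line from the paste (addresses already anonymised by the poster).
LOGLINE='Sep 30 11:53:09 vps205606 kernel: [12810.116698] iptables_INPUT_denied: IN=ens3 OUT= MAC=fa:16:4e:a6:ee:12:26:88:4c:53:56:b9:08:00 SRC=MY_INET_IP DST=SERVER_IP LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=553 DF PROTO=TCP SPT=35015 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0'

# accepts_new_inbound_tcp IFACE PORT: true if INPUT has an ACCEPT rule matching
# NEW TCP to --dport PORT on IFACE. An ESTABLISHED --sport rule does not count.
accepts_new_inbound_tcp() {
  printf '%s\n' "$RULESET" |
    grep -Eq -e "^-A INPUT .*-i $1 .*-p tcp .*--state [A-Z,]*NEW.*--dport $2 .*-j ACCEPT"
}

# denied_syn_port LOGLINE: print DPT of an iptables_INPUT_denied TCP SYN, else fail.
denied_syn_port() {
  case "$1" in
    *iptables_INPUT_denied:*PROTO=TCP*" SYN "*)
      printf '%s\n' "$1" | sed -n 's/.*DPT=\([0-9][0-9]*\) .*/\1/p' ;;
    *) return 1 ;;
  esac
}

# server_rules IFACE PORT: the rule pair for a service that listens on PORT.
server_rules() {
  printf '%s -i %s -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport %s -j ACCEPT\n' '-A INPUT' "$1" "$2"
  printf '%s -o %s -p tcp -m state --state ESTABLISHED -m tcp --sport %s -j ACCEPT\n' '-A OUTPUT' "$1" "$2"
}

diagnose() {
  port=$(denied_syn_port "$LOGLINE") || { echo "not an inbound TCP SYN denial"; return 0; }
  if accepts_new_inbound_tcp ens3 "$port"; then
    echo "INPUT already admits NEW TCP to port $port; the problem is elsewhere"
  else
    echo "no INPUT rule admits NEW TCP to port $port; missing rules:"
    server_rules ens3 "$port"
  fi
}
diagnose
```

The second kern.log line is the ICMP port-unreachable that INPUT's REJECT generates being denied in OUTPUT, since nothing in that chain accepts ICMP; allowing it explicitly (for example `-A OUTPUT -o ens3 -p icmp -j ACCEPT`) keeps rejects from being logged as OUTPUT denials.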