I recently set up some iptables rules on Zope and for some reason I am being denied access to Zope. I am running Zope behind Apache and using VirtualHostMonster together with Apache rewrite rules to make things work. The iptables rules I set up are as follows:

    iptables -P INPUT DROP
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

Both the output and forward queues are set to accept all.

I can get to the ZMI (port 8080) with no problem, but I cannot get to the Zope site through Apache (on port 80). Has anyone worked this out before? I have searched the archives and can't find anything on iptables outside of FTP setup...

Thanks,
Kevin
Kevin Carlson wrote at 2003-9-30 23:25 -0400:
I recently set up some iptables rules on Zope and for some reason I am being denied access to Zope. I am running Zope behind Apache and using VirtualHostMonster together with Apache rewrite rules to make things work. The iptables rules I set up are as follows:

    iptables -P INPUT DROP
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
Both the output and forward queues are set to accept all.
I can get to the ZMI (port 8080) with no problem, but I cannot get to the zope site through Apache (on port 80). Has anyone worked this out before? I have searched the archives and can't find anything on iptables outside of ftp setup...
Can you access Apache on port 80? If so, check Apache proxying to Zope. I prefer Apache "RewriteRules" and they can be logged.

Dieter
Dieter Maurer wrote:
Kevin Carlson wrote at 2003-9-30 23:25 -0400:
... The iptables rules I set up are as follows:
    iptables -P INPUT DROP
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
Can you access Apache on port 80?
If so, check Apache proxying to Zope. I prefer Apache "RewriteRules" and they can be logged.
Yes, I can access Apache on port 80. I am using "RewriteRules" and have been looking at the logs and don't see anything odd. I just can't figure out why the iptables rules don't allow me to access sites that should only need port 80 to work. If I remove the first rule above, all works fine, which tends to make me think that input through some other port is necessary. Makes no sense to me since I should only need port 80. Anyone out there using iptables in front of an Apache/Zope configuration?

Kevin
Instead of making the default policy DROP, why not keep the default policy as ACCEPT and explicitly drop all traffic after you allow dport 80 and 8080? Something like:

    # Create your own chain for dropping and logging
    #
    iptables -N DROP_AND_LOG
    iptables -A DROP_AND_LOG -j LOG --log-level info --log-prefix "FW_UNATH: "
    iptables -A DROP_AND_LOG -j DROP

    iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 8080 -j ACCEPT
    iptables -A INPUT -i $YOUR_ETH_INT -j DROP_AND_LOG

where
    YOUR_IP = your IP address
    YOUR_ETH_INT = the interface on which 80 and 8080 are listening (e.g. eth0)

Let me know if this works for you,
Andy.

On Wed, 2003-10-01 at 22:17, Kevin Carlson wrote:
Dieter Maurer wrote:
Kevin Carlson wrote at 2003-9-30 23:25 -0400:
... The iptables rules I set up are as follows:
    iptables -P INPUT DROP
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
Can you access Apache on port 80?
If so, check Apache proxying to Zope. I prefer Apache "RewriteRules" and they can be logged.
Yes, I can access Apache on port 80. I am using "RewriteRules" and have been looking at the logs and don't see anything odd. I just can't figure out why the iptables rules don't allow me to access sites that should only need port 80 to work. If I remove the first rule above, all works fine, which tends to make me think that input through some other port is necessary. Makes no sense to me since I should only need port 80. Anyone out there using iptables in front of an Apache/Zope configuration?
Kevin
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )

--
Regards,
Andrew Rechenberg
Infrastructure Team, Sherman Financial Group
513.707.3809
Rechenberg, Andrew wrote:
Instead of making the default policy DROP, why not keep the default policy as ACCEPT and explicitly drop all traffic after you allow dport 80 and 8080?
This works great! The only issue that I have now is that some of the connections that our application makes to external servers via port 443 get blocked when the outside server wants to send data back in over the same connection. I'm sure this has something to do with iptables state management and allowing ESTABLISHED / RELATED traffic like I've seen for FTP. Overall this was exactly what I was looking for. Thanks!
Something like:
    # Create your own chain for dropping and logging
    #
    iptables -N DROP_AND_LOG
    iptables -A DROP_AND_LOG -j LOG --log-level info --log-prefix "FW_UNATH: "
    iptables -A DROP_AND_LOG -j DROP

    iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d $YOUR_IP --dport 8080 -j ACCEPT
    iptables -A INPUT -i $YOUR_ETH_INT -j DROP_AND_LOG
I am running (or trying to run) Zope behind a Shorewall installation that relies on iptables. Looking at tcpdump output, I noticed that the Zope system is generating ICMP packets in addition to the expected TCP packets. I haven't been able to fully decode the ICMP packet to understand the goal, but suspect that you are having the same problem.

Jack

-----Original Message-----
From: zope-bounces@zope.org [mailto:zope-bounces@zope.org] On Behalf Of Kevin Carlson
Sent: Wednesday, October 01, 2003 7:18 PM
To: Dieter Maurer
Cc: zope@zope.org
Subject: Re: [Zope] IPTables and Zope

Dieter Maurer wrote:
... The iptables rules I set up are as follows:
    iptables -P INPUT DROP
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
[...] If I remove the first rule above, all works fine, which tends to make me think that input through some other port is necessary. [...]

Kevin
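What the thread never quite pins down is why the original ruleset breaks only the proxied path. Apache reaches Zope over 127.0.0.1:8080; Zope's replies come back through the INPUT chain on the loopback interface with Apache's ephemeral port as the destination, so a DROP policy that opens only dport 80 and 8080 discards them, while direct ZMI access on 8080 keeps working because every client packet carries dport 8080. Andrew's variant works because it drops only on the Ethernet interface and leaves loopback alone, but it is fail-open (if the rules never load, every port is reachable) and, as Kevin reports for port 443, replies to the host's own outbound connections arrive on that interface with an ephemeral dport and hit the drop chain. The script below is an added example, not code posted by anyone in the thread: it keeps the DROP policy, accepts loopback and connection-tracked replies (RELATED also covers ICMP error messages tied to a tracked connection), restricts the ZMI port to an admin network, and includes a small lint that reports the omissions discussed above. The interface name eth0 and the admin network 192.0.2.0/24 are placeholders.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any of the participants).
# Fail-closed INPUT ruleset for a host running Apache on 80 in front of
# Zope on 8080, plus a lint that spots the omissions discussed in the thread.
# Assumptions (placeholders, not from the thread): the public interface is
# eth0 and the ZMI is managed only from 192.0.2.0/24.

PUB_IF="${PUB_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# Print the ruleset in iptables-restore(8) format.  The INPUT policy stays
# DROP so a failed load leaves the host closed.  The two rules the original
# set lacked come first: loopback, because Apache proxies to Zope over
# 127.0.0.1 and Zope's replies hit INPUT with Apache's ephemeral port as the
# destination; and conntrack, so replies to the host's own outbound
# connections (the port-443 case) and related ICMP errors are accepted.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
-A LOG_DROP -m limit --limit 10/min -j LOG --log-level info --log-prefix "FW_DROP: "
-A LOG_DROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $PUB_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $PUB_IF -p tcp --dport 8080 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG_DROP
COMMIT
EOF
}

# True if the ruleset held in $RULES contains a line matching the ERE in $1.
has_rule() {
    printf '%s\n' "$RULES" | grep -Eq -- "$1"
}

# Lint a ruleset read from stdin (iptables-restore text or a list of iptables
# commands).  Prints one line per problem; returns 1 if any were found.
lint_rules() {
    RULES=$(cat)
    status=0
    if has_rule '(^:INPUT DROP|-P INPUT DROP)'; then
        # With a DROP policy the loopback interface must be opened explicitly.
        has_rule '-A INPUT -i lo -j ACCEPT' \
            || { echo "loopback not accepted: Apache->Zope replies on 127.0.0.1 will be dropped"; status=1; }
    else
        echo "INPUT policy is not DROP: the host is fail-open if the drop rules never load"
        status=1
    fi
    has_rule '-A INPUT .*--(ctstate|state) [A-Z,]*ESTABLISHED' \
        || { echo "ESTABLISHED,RELATED not accepted: replies to outbound connections (e.g. port 443) will be dropped"; status=1; }
    return $status
}

# Usage: sh fw.sh check   -> lint the generated ruleset
#        sh fw.sh apply   -> load it (as root); keep a console session open
#                            in case you lock yourself out of ssh
case "${1:-}" in
    check) gen_rules | lint_rules && echo "ruleset OK" ;;
    apply) gen_rules | iptables-restore ;;
esac
```

On an iptables old enough to lack the conntrack match, `-m state --state ESTABLISHED,RELATED` is the equivalent spelling and the lint accepts either. After loading, `iptables -L INPUT -v -n --line-numbers` shows per-rule packet counters, and the `FW_DROP:` prefix in the kernel log tells you exactly which packet the policy rejected, which is the quickest way to see an ephemeral-port reply being discarded instead of guessing at "some other port".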
participants (4)
- Dieter Maurer
- Jack Stephens
- Kevin Carlson
- Rechenberg, Andrew