Mumia W.. on 15/03/08 18:43, wrote:
On 03/15/2008 08:00 AM, Adam Hardy wrote:
Mumia W.. on 15/03/08 05:25, wrote:
On 03/14/2008 07:22 AM, Adam Hardy wrote:
I'm setting up a server which is a DNS server and broadband gateway
for a small LAN, having two NICs with one connected to the DSL modem.
It's got dnsmasq and iptables. I'm saying that because I think it's
the firewall causing the problem, but I don't know for sure or why.
I am trying to run apache and tomcat servers to serve content and
apps for the internal LAN, and not externally.
Apache runs fine, but tomcat is very slow to load (3 mins) when it
should be 1 or 2 seconds. It is also not possible to shut tomcat
down - it makes the 'tomcat5.5 stop' command hang.
I know tomcat needs ports 8009, 8080 and 8443 by default, and I
studied my iptables script (built by fwbuilder) but it looks fine.
Hopefully this is a common problem, but I've included my iptables
output below just in case.
Thanks for any advice,
Adam
[...]
I'm not a firewalling expert, but I've always found it quite helpful
to allow connections from the localhost to go through the firewall,
e.g.:
/sbin/iptables -A INPUT -i lo -j ACCEPT
Some programs require access to DNS or other local services, and
tomcat may be one of them. I remember Netscape used to do IPC through
TCP/IP connections to localhost.
The first rule I've got accepts RELATED and ESTABLISHED states for
lo, doesn't it? Correct me if 0.0.0.0/0 isn't lo (or is it the IP
equivalent of 'everything'?).
A bit further down I accept state NEW for the same.
Is there anything more for that?
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP 0 -- 86.129.117.158 0.0.0.0/0
DROP 0 -- 192.168.0.2 0.0.0.0/0
DROP 0 -- 192.168.0.0/24 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
Ahh.
Cid46260D13.0 0 -- 192.168.0.0/24 0.0.0.0/0 state NEW
Cid46260D1E.0 udp -- 0.0.0.0/0 0.0.0.0/0 udp multiport dports 68,67 state NEW
Cid46260D1E.2 0 -- 0.0.0.0/0 255.255.255.255 state NEW
Cid46260D34.0 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
Cid46260D34.0 udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
ACCEPT 0 -- 192.168.0.0/24 0.0.0.0/0 state NEW
Cid462610E7.1 0 -- 0.0.0.0/0 192.168.0.0/24 state NEW
DROP 0 -- 0.0.0.0/0 86.129.117.158
DROP 0 -- 0.0.0.0/0 192.168.0.2
DROP 0 -- 0.0.0.0/0 0.0.0.0/0
I didn't see the NEW at first. And yes, 0.0.0.0/0 means to select "any"
IP address. If you wanted to allow the loopback IP address you would do
this:
/sbin/iptables -A INPUT -p tcp -d 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 127.0.0.1 -j ACCEPT
However, I've read that selecting the loopback device by its interface
"-i lo" is better for security.
Nonetheless, I can't see why it isn't working. Perhaps change the DROPs
above to REJECTs and see if tomcat fails more quickly. You can also use
the LOG target to get useful messages into the syslog. That should help
you find out to which chains your packets are going before they are
dropped.
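An added example, not from anyone in the thread: a small first-match walk of an INPUT chain in the `iptables -L -n` format quoted above, so you can see which rule a given packet hits before reaching for LOG or REJECT. It assumes a constructed listing modelled on the one in the thread (wrapped lines rejoined, user-chain jumps left out); note that `-L -n` does not show interface matches, so a rule written with `-i lo` looks identical to one without it, and `iptables -L -n -v` or `iptables-save` is needed to see that.

```python
import ipaddress

# Constructed sample modelled on the `iptables -L -n` INPUT listing in the
# thread, with the wrapped lines rejoined and the user-chain jumps left out.
# Caveat: `-L -n` hides interface matches, so a rule written with `-i lo`
# lists exactly like one with no interface at all; use `-v` or iptables-save.
INPUT_CHAIN = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP 0 -- 86.129.117.158 0.0.0.0/0
DROP 0 -- 192.168.0.2 0.0.0.0/0
DROP 0 -- 192.168.0.0/24 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
DROP 0 -- 0.0.0.0/0 0.0.0.0/0
"""

def parse_chain(listing):
    """Return (policy, rules) parsed from one `iptables -L -n` chain."""
    lines = listing.strip().splitlines()
    policy = lines[0].split("(policy ")[1].rstrip(")")
    rules = []
    for line in lines[2:]:  # skip the "Chain ..." and column-header lines
        target, prot, _opt, src, dst, *extra = line.split()
        rule = {"target": target, "prot": prot, "states": None, "dport": None,
                "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst)}
        for i, tok in enumerate(extra):  # only the matches used in the thread
            if tok == "state":
                rule["states"] = set(extra[i + 1].split(","))
            elif tok.startswith("dpt:"):
                rule["dport"] = int(tok[4:])
        rules.append(rule)
    return policy, rules

def verdict(listing, src, dst, prot, dport, state):
    """Walk the chain top to bottom as netfilter does and return the target of
    the first matching rule (a user-chain name means a jump), else the policy."""
    policy, rules = parse_chain(listing)
    for r in rules:
        if (r["prot"] in ("0", "all", prot)
                and ipaddress.ip_address(src) in r["src"]
                and ipaddress.ip_address(dst) in r["dst"]
                and (r["states"] is None or state in r["states"])
                and (r["dport"] is None or r["dport"] == dport)):
            return r["target"]
    return policy

# As listed: loopback NEW to tomcat's AJP port is accepted, a LAN host is not.
print(verdict(INPUT_CHAIN, "127.0.0.1", "127.0.0.1", "tcp", 8009, "NEW"))  # ACCEPT
print(verdict(INPUT_CHAIN, "192.168.0.5", "192.168.0.1", "tcp", 8080, "NEW"))  # DROP
```

Because the listing as shown accepts the loopback packet, the mismatch with the observed hang points at matches this output format does not display, which is exactly where a LOG rule placed before each DROP helps.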
I set up my iptables script with fwbuilder, which was great at the time, but
looking at the script it generated, it'll probably take me an hour or two to
decipher what it's doing.
And of course the fwbuilder interface that I used to compile that iptables
script from doesn't give me any clues about what might be wrong, but I'll try
those tips you gave me.
Otherwise I'll ditch fwbuilder and go back to my original iptables script that I
had a couple of years back - although I wish I could remember why I ditched it.
Regards
Adam