# firewall and server services

## noise

Ok.. I have been installing the router for a couple of days now and I'm getting sleepy  :Smile: 

Firewall (rules) is driving me insane! I just can't get it to work the way I want to. I've been trying a great deal of scripts but none of them does what I want them to. Then I tried to write something myself, but since all this is new to me ... well, you can figure out the outcome  :Smile: 

I have static IP from my ISP.

My gentoo box is acting like a router. And that I can fix. It's forwarding traffic to my internal network and all ports to the internet appear to be closed (stealth), while I can surf around with my internal pc on the internet. Even the internal network is handling packets.. samba and ssh working like they should. (I'm kinda proud of myself here  :Wink:  first time I'm doing this)

Well let's get to the real problem then...

I need to have apache+php, mysql and ftp 'working' on my router (gentoo).

But since Gentoo is just DROPPING all the packets to these ports... and just forwarding, I find myself without any servers  :Sad: 

I have been flipping, turning around code lines.. editing, deleting.. umm everything! I also searched on forums and google but I can't find something that's working. 

This is the line that i have seen mostly, but it's not working... it just gives me error: iptables: No chain/target/match by that name

here is the code btw:

```
iptables -A INPUT -m state --state NEW -p tcp --syn --destination-port 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --destination-port 80 -j ACCEPT
```

umm... let's see.. I think that's all.

If I have forgotten any details just tell me and I'll answer!

Thank you in advance!

//noise

PS. gonna go get some sleep now  :Wink: 

----------

## securiteaze

I often find it easier to spot troublesome rules by starting with something simple and gradually getting more complex.

Start with

```
iptables -A INPUT --destination-port 80 -j ACCEPT 
```

then

```
iptables -A INPUT -m state --state NEW --destination-port 80 -j ACCEPT
```

then

```
iptables -A INPUT -m state --state NEW -p tcp --syn --destination-port 80 -j ACCEPT
```

----------

## noise

Your first 2 lines give me an error:

> iptables v1.2.7a: Unknown arg `--destination-port'
> Try `iptables -h' or 'iptables --help' for more information.
> ...

and the last line (third) gives me this error (this is also what I have been getting in the past):

> iptables: No chain/target/match/ by that name

Any more ideas on how to open up port 80 on the router (gentoo box)?

----------

## noise

Ok.. I have cleaned out the code and here is what I've got:

```
#!/bin/bash
iptables -F;iptables -t nat -F;iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to [my outside IP]
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A OUTPUT -s [my outside IP] -j DROP
iptables -A OUTPUT -s [ip of the win box] -j DROP
iptables -A INPUT -s [my outside IP] -j DROP
iptables -A INPUT -s [ip of the win box] -j DROP
```

Here is what nmap has to say:

> nmap [my outside IP]
> sendto in send_ip_raw: sendto(4, packet, 28, 0, [my outside ip], 16) => Operation not permitted
> ...

But I can get out from my Win box without any problems... (like I'm doing now  :Wink: )

But I still need gentoo to have some ports open to the outside world (ftp, http, ssh, etc...). Lynx won't even try to connect to the internet ("Alert: Unable to connect to remote host").

Any more ideas, ppl? 

Don't forget that "-m state --state.. bla bla" gives me an error.

Thanx!!!

//noise

----------

## securiteaze

In order to specify a port, you must also specify a protocol.

```
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT 
```

There is another problem: once you allow a www request on port 80, the following rule prevents you from serving your pages.

> iptables -A OUTPUT -s [my outside IP] -j DROP

Not sure why you get the error with

```
iptables -A INPUT -m state --state NEW -p tcp --syn --destination-port 80 -j ACCEPT
```

Perhaps it's because '--state NEW' is practically the same thing as '-p tcp --syn' in this case.

----------

## fyerk

Most likely the last rule is giving an error because "state matching" isn't compiled in. If you compiled the netfilter code as modules, try this command to load it:

```
# modprobe ipt_state
```

In your kernel config look for State Matching (CONFIG_IP_NF_MATCH_STATE)
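Putting the two answers above together (a port match needs `-p tcp`, the OUTPUT DROP on the router's own address kills every reply, and `-m state` needs the ipt_state module loaded), here is an added example of a complete router rule set, written for this thread and not posted by anyone in it. It prints the rules by default and only executes them with `--apply`, and it includes a small lint that catches the two mistakes from the thread before anything is loaded. The interface names, the 203.0.113.10 address and the 192.168.1.0/24 network are placeholders; MySQL is deliberately not opened to the WAN, the LAN rule covers it. On current kernels `-m conntrack --ctstate` and nf_conntrack_ftp replace the names used here.

```shell
#!/bin/sh
# Added example for this thread (not the poster's script). All values are placeholders.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IP="${WAN_IP:-203.0.113.10}"          # placeholder public address
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # placeholder internal network
SERVICE_PORTS="${SERVICE_PORTS:-21 22 80}" # ftp, ssh, http reachable from the WAN

# Print one iptables invocation per line instead of running it.
emit() { printf 'iptables %s\n' "$*"; }

# The complete rule set as text: safe to read, diff, and lint before loading.
firewall_rules() {
  printf '%s\n' 'modprobe ipt_state'        # state matching (CONFIG_IP_NF_MATCH_STATE)
  printf '%s\n' 'modprobe ip_conntrack_ftp' # lets FTP data connections match RELATED
  emit -F; emit -t nat -F; emit -t mangle -F
  emit -P INPUT DROP
  emit -P FORWARD DROP
  emit -P OUTPUT ACCEPT   # never DROP the router's own source address on OUTPUT
  emit -A INPUT -i lo -j ACCEPT
  emit -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  emit -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT   # samba, ssh, mysql from the LAN only
  for port in $SERVICE_PORTS; do
    # a port match is only valid together with a protocol
    emit -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  emit -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  emit -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  emit -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
  printf '%s\n' 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Lint rules read from stdin; returns 1 if any rule repeats a mistake from the thread.
lint_rules() {
  status=0
  while IFS= read -r line; do
    case "$line" in
      *--dport*|*--sport*|*--destination-port*|*--source-port*)
        case "$line" in
          *"-p tcp"*|*"-p udp"*) ;;
          *) echo "port match without protocol (iptables rejects it): $line" >&2; status=1 ;;
        esac ;;
    esac
    case "$line" in
      *"-A OUTPUT"*"-s $WAN_IP"*"-j DROP"*)
        echo "drops the router's own replies, no service can answer: $line" >&2; status=1 ;;
    esac
  done
  return $status
}

# Usage: sh firewall.sh          -> print the rules (dry run)
#        sh firewall.sh --apply  -> lint, then execute them (as root)
case "${1:-}" in
  --apply) firewall_rules | lint_rules && firewall_rules | sh -e ;;
  *) firewall_rules ;;
esac
```

Run it without arguments first and read the output; `--apply` refuses to load anything the lint flags, so the `Unknown arg` and silent no-reply failures from the thread are caught on the console rather than discovered with nmap.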

----------

## noise

OMG!!! You are right edge!!!

Too bad I didn't look here before... but anyway, it's all working now  :Smile: 

In the rc.firewall manual, there is a list of all things required to be compiled in... and I didn't have 5 of them   :Rolling Eyes: 

Thanx guys!!!

//noise

----------

## Bosnian[X]

> (I'm kinda proud of myself here, first time I'm doing this) 

Hmmm...... dude, you're kind of taking all the credit for my hard work  :Wink: 

----------

## noise

lol yeah... couldn't do it without my lady  :Wink: 
