iptables and apache proxying

sbendis_GL
iptables and apache proxying

Greetings everyone!  I am running Opsview Core 3.20131016.0 on CentOS 6.5 with Apache proxying enabled as per the setup documentation.  Only when iptables is stopped can I browse to Opsview on port 80.  I've tried adding "-A INPUT -i lo -j ACCEPT" and "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT" but there's no change.  Does anyone have a solution for this?  Thanks!

smarsh
Re: iptables and apache proxying

Hi, you need to allow port 3000 inbound - Apache proxy translates it from port 3000 to 80.

Best,

Sam

sbendis_GL
Re: iptables and apache proxying

Hi Sam,

If I allow inbound port 3000, that would bypass Apache running on port 80 and I would lose the caching that configuration is supposed to provide.  I am able to browse Opsview on both port 80 and 3000 with iptables stopped, so that tells me that Apache's proxying configuration is working on port 80 to 3000; I just needed to know how to tell iptables to let in port 80.

My original attempt with "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT" didn't work as I wasn't accounting for session state (I'm guessing).  Looking at the default rule for SSH, I solved it with one configuration item added to iptables:

Default CentOS 6.5 iptables config file:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Updated CentOS 6.5 iptables config file:

# Generated by iptables-save v1.4.7 on Sun Mar 16 08:20:43 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [47:4959]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Mar 16 08:20:43 2014

Thank you very much for your reply.  Cheers!

- S
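
Added example, not part of the original thread: iptables walks the INPUT chain top to bottom and stops at the first terminating match, so an ACCEPT rule is only reached if it sits above the catch-all REJECT. This small first-match simulator checks that for rulesets in iptables-save format; the sample rulesets are constructed from the rules quoted above, and the interface name `eth0` and Apache reaching Opsview on port 3000 over loopback are assumptions.

```python
import shlex

# Constructed rulesets modelled on the thread: identical rules, with the
# port 80 ACCEPT placed after vs. before the catch-all REJECT.
HEAD = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
"""
ALLOW_80 = "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n"
REJECT = "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
AFTER_REJECT = HEAD + REJECT + ALLOW_80 + "COMMIT\n"
BEFORE_REJECT = HEAD + ALLOW_80 + REJECT + "COMMIT\n"

FIELDS = {"-p": "proto", "-i": "iface", "--dport": "dport", "--state": "state"}
IGNORED = {"-m", "--reject-with"}  # take one argument, irrelevant to matching here

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into (chain, conditions, target)."""
    tokens = shlex.split(line)
    if len(tokens) % 2:
        raise ValueError(f"cannot pair options with arguments: {line}")
    chain, conds, target = tokens[1], {}, None
    for opt, arg in zip(tokens[2::2], tokens[3::2]):
        if opt == "-j":
            target = arg
        elif opt in FIELDS:
            conds[FIELDS[opt]] = set(arg.split(","))
        elif opt not in IGNORED:  # e.g. '!' negation: refuse rather than misjudge
            raise ValueError(f"unsupported option {opt!r} in: {line}")
    return chain, conds, target

def verdict(ruleset, packet, chain="INPUT"):
    """Return (target, rule_text) of the first terminating rule that matches."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        if not line.startswith(f"-A {chain} "):
            continue
        _, conds, target = parse_rule(line)
        matched = all(str(packet.get(k)) in v for k, v in conds.items())
        if matched and target in ("ACCEPT", "DROP", "REJECT"):
            return target, line
    return policy, "chain policy"

def new_tcp(dport, iface="eth0"):
    """First packet of an inbound TCP connection (conntrack state NEW)."""
    return {"proto": "tcp", "dport": dport, "iface": iface, "state": "NEW"}
```

With the port 80 rule above the REJECT, `verdict(BEFORE_REJECT, new_tcp(3000))` still returns REJECT for external clients, so the Opsview backend stays reachable only through Apache.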