Hi Joan,

On Thursday 07 June 2007 14:51:51 Joan Hérisson wrote:
> Hello,
>
> Config:
> - Debian 2.4.18

This is very old. For security and better features, you'd be best to upgrade to a more recent version of Debian, with a more recent kernel.

> - iptables with many rules

Without understanding those rules, you're unlikely to get it working. IPTables is pretty simple when you take time to understand it -- it's literally just a list of tests, and things to do if that test has a positive result. Well, lists (tables) can have other lists/tables, but that's not really any more complex.

> Problems:
> - I have installed a tomcat 5.5 server. The server is unreachable
> (connection failed from localhost or another host on my local network).

This suggests that the server isn't yet up and running. Sometimes, installing things on debian means they will just work. Other times, you have to configure the thing and enable it. I've never really bothered with tomcat, but given that it's java-based, and fairly heavyweight, I'd expect you have to do some configuration before it'll run. Try reading /usr/share/doc/tomcat*/README.Debian. Also, make sure that the server is actually running on port 8080, and that it's listening on the correct IPs/interfaces.

> Tries:
> - I have to open port 8080. I have this rule in /etc/init.d/firewall-start:
> "iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed"

Appending rules to "many iptables rules" isn't likely to work, if your rules end with something that denies all unknown traffic. You really should try to understand your firewall before adding anything to it. Having said that, I've been guilty of not taking enough time for things like that, too :)

> "iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed"

As someone else mentioned, this should probably be -j ACCEPT

> Results:
> - The server is still unreachable.

Are you actually seeing an error that says "unreachable"? That suggests a routing problem, or a prohibitive firewall rule before the one you added.

> - When I do nmap localhost, I have port 80 open but not 8080.
> - When I comment out the line for port 80 in firewall-start and I
> restart firewall, I do nmap localhost, port 80 is still open.

Your firewall script is broken. Again, as others suggested, I'd say start from scratch -- either with IPTables (if you have the time to understand it) or with a simpler/higher-level interface, like firehol, or shorewall.

Remember not to test firewall rules for external interfaces through localhost -- use, at least, the ip of the interface in question. Ideally, test from the machine you actually need access to be provided for.

Good luck :)

-- 
Lee Braiden
http://peacejournals.org

"Those who check rising anger as a charioteer checks a rolling chariot... those, I call true charioteers. Others only hold the reins." -- Dhammapada, verse 222
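An added example, not Joan's script or part of Lee's reply: a minimal firewall-start script in the same style (a user chain tcp_packets, default DROP) that shows the two points made above, the 8080 rule targeting ACCEPT and the accept rules placed before the chain's final DROP. The interface roles (eth0 external, eth1 LAN), the chain layout and the IPT override used for previewing are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's script). Assumptions: eth0 is the
# external interface, eth1 the LAN side where tomcat must be reachable, and
# IPT may be set to "echo" to preview the generated rules without loading them.
IPT="${IPT:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

firewall_start() {
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP                       # deny anything not listed below
    "$IPT" -N tcp_packets 2>/dev/null || true  # user chain, as in the thread's script
    "$IPT" -F tcp_packets

    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -p tcp -j tcp_packets

    # Accept rules go before the chain's catch-all DROP. A rule appended with
    # -A after a trailing deny is never evaluated, which is why adding lines
    # to the end of an existing script can appear to do nothing.
    # The target is ACCEPT, as suggested in the reply.
    "$IPT" -A tcp_packets -p tcp -i "$WAN_IF" --dport 80 -j ACCEPT
    "$IPT" -A tcp_packets -p tcp -i "$LAN_IF" --dport 8080 -j ACCEPT
    "$IPT" -A tcp_packets -p tcp -j DROP
}

# Check the result against the interface address, not 127.0.0.1: traffic to
# localhost arrives on lo, so the eth1 rule never sees it.
# e.g. nmap -p 8080 <address of eth1>, run from a LAN host.

case "${1:-}" in
    start) firewall_start ;;
esac
```

Running the script with IPT=echo prints the rules in order, which is a cheap way to spot an accept rule that sits behind a deny before loading anything into the kernel.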

