I have strange behavior when I try to access my web server that is listening on port 8011. I configured iptables to enable this port and it looks like this:
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [844:101801]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 8011 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
I'm running the server, CentOS 5.5, on VMware and I'm trying to access the web server from the same local PC.
When I try to access the web server from within CentOS with lynx 10.0.0.3:8011
I can access the server fine.
So is closing iptables the only solution?
You almost have it right. The problem is your packet is never making it back to the INPUT chain, because there is a default reject at the end of RH-Firewall-1-INPUT that matches everything that doesn't have an allow.
To break down what is happening in your chain:
Everything on the input interface is going to be processed by RH-Firewall-1-INPUT; we will return here if the packet doesn't get matched by that chain.
These will be processed AFTER RH-Firewall-1-INPUT if and only if there is no match.
Your FORWARD chain also has the RH-Firewall-1-INPUT rules applied.
This is some default RH stuff: -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited. This rule matches ALL packets and rejects them; since we are matching all packets, we never return to the INPUT chain.
You can do a couple of things to fix this. My first suggestion is the one I recommend to keep things uniform. You would modify the RH-Firewall-1-INPUT chain like so:
Your second option would be to jump after your INPUT rules. I really don't suggest it, since it can lead to some ugly rules, but it is a valid solution so I'll put it here:
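To make the chain walk in this answer concrete, here is an added Python model of iptables traversal. It is example code written for this thread, not the answerer's rules and not iptables itself. The rules are transcribed from the question's ruleset (abbreviated to what matters for a TCP packet); the two fix functions implement the two options described above as I read them; and the packets (a NEW connection from the Windows host arriving on the VM's NIC, the same request from lynx on the box over loopback, and an unrelated port 9999) are constructed inputs.

```python
"""Toy model of iptables chain traversal for the ruleset in the question.

Added example, not the answerer's code and not iptables itself. It models only
what this thread needs: field matching, -j to a user chain, the implicit
RETURN when a user chain runs out of rules, and the terminal targets
ACCEPT / REJECT. A rule is (match, target); match is a dict of packet fields
that must all agree, and an empty dict matches every packet, like the final
-j REJECT in RH-Firewall-1-INPUT.
"""

RH = "RH-Firewall-1-INPUT"
TERMINAL = {"ACCEPT", "REJECT", "DROP"}
POLICIES = {"INPUT": "ACCEPT"}   # :INPUT ACCEPT in the question's iptables-save output


def matches(match, packet):
    """Every field in the rule must match; a set means 'any of these' (--state RELATED,ESTABLISHED)."""
    for key, want in match.items():
        have = packet.get(key)
        if isinstance(want, (set, frozenset)):
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def traverse(chains, name, packet):
    """Walk one chain; return a terminal verdict, or None if the chain ends without one."""
    for match, target in chains[name]:
        if not matches(match, packet):
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        # -j <user chain>: we only come back here if that chain reaches its end
        result = traverse(chains, target, packet)
        if result is not None:
            return result
    return None


def verdict(chains, packet, chain="INPUT"):
    """Verdict for a packet entering a built-in chain, falling back to the chain policy."""
    result = traverse(chains, chain, packet)
    return result if result is not None else POLICIES[chain]


def poster_ruleset():
    """The question's rules, reduced to the ones that can match a TCP packet."""
    return {
        "INPUT": [
            ({}, RH),                                            # -A INPUT -j RH-Firewall-1-INPUT
            ({"proto": "tcp", "dport": 443}, "ACCEPT"),
            ({"proto": "tcp", "dport": 8011}, "ACCEPT"),         # never reached from eth0
            ({"proto": "tcp", "dport": 81}, "ACCEPT"),
        ],
        RH: [
            ({"proto": "tcp", "state": "NEW", "dport": 21}, "ACCEPT"),
            ({"in": "lo"}, "ACCEPT"),                            # why lynx on the box itself works
            ({"proto": "icmp"}, "ACCEPT"),
            ({"state": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
            ({"proto": "tcp", "state": "NEW", "dport": 22}, "ACCEPT"),
            ({}, "REJECT"),                                      # matches everything: no RETURN
        ],
    }


def fix_in_subchain():
    """Option 1: allow 8011 inside RH-Firewall-1-INPUT, ahead of the catch-all REJECT."""
    chains = poster_ruleset()
    rh = chains[RH]
    rh.insert(len(rh) - 1, ({"proto": "tcp", "state": "NEW", "dport": 8011}, "ACCEPT"))
    return chains


def fix_jump_last():
    """Option 2: keep the INPUT accepts but move the jump to the subchain after them."""
    chains = poster_ruleset()
    chains["INPUT"].append(chains["INPUT"].pop(0))
    return chains


# Constructed packets (hypothetical interface name eth0 for the VM's NIC).
HOST_8011 = {"proto": "tcp", "dport": 8011, "state": "NEW", "in": "eth0"}
LOCAL_8011 = {"proto": "tcp", "dport": 8011, "state": "NEW", "in": "lo"}
HOST_9999 = {"proto": "tcp", "dport": 9999, "state": "NEW", "in": "eth0"}

if __name__ == "__main__":
    for label, chains in (("as posted", poster_ruleset()),
                          ("fix 1 (rule in subchain)", fix_in_subchain()),
                          ("fix 2 (jump last)", fix_jump_last())):
        print(label, {
            "host->8011": verdict(chains, HOST_8011),
            "lo->8011": verdict(chains, LOCAL_8011),
            "host->9999": verdict(chains, HOST_9999),
        })
```

Running it shows the posted ruleset rejecting the host's connection to 8011 while accepting the same request over lo (the -i lo rule in the subchain fires first), and both fixes accepting 8011 from the host while still rejecting port 9999, so the default-deny at the end of RH-Firewall-1-INPUT is preserved either way. On a CentOS 5 box this ruleset lives in /etc/sysconfig/iptables, so the equivalent real change is to move the line there rather than disabling the firewall.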
As you're using VMware, the chances are the virtual machine's network is different from yours; for instance, your netmask could be different, etc. If you do an ipconfig on the Windows machine and an ifconfig on the CentOS box and post the results, you may get a better answer.