I have iptables on my CentOS 6.2 machine. I installed and configured apache2 with SSL support, and it works with iptables disabled.
When I add the following rule:
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
When I save this and restart iptables, the connection in the browser times out... Any suggestions?
Full script:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19:1748]
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
You added this rule to the end of your iptables rules.
If you have a:
before this, the packets are dropped before your rule is evaluated. You should try putting the rule at the top (inserting, not appending):
Also, iptables rules are applied immediately, so it should work without saving/restarting.
First line: if no rules have been matched yet, reject this packet. REJECT is a terminal rule, so if it is matched nothing after that is evaluated. Since your 443 rule is after that, it will never be tested. You need to insert your rule in your script above your rejection line.
iptables -I is used for inserting rules on a live table. Instead of using
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
to put that rule at the end of the INPUT table, you should use
iptables -I INPUT 5 -p tcp -m tcp --dport 443 -j ACCEPT
to put it before the "REJECT" rule in the INPUT table. There is no need to put it as the first entry in the table; placing that rule above the "REJECT" rule is enough. Also, you may prefer to add the option -m state --state NEW to your command so that it will only match new connections.
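As an added illustration (not code from the question or either answer), this Python walks the INPUT chain from the question the way iptables does, first match wins, and shows that a NEW packet to port 443 reaches the REJECT rule (position 6 in this ruleset) before the ACCEPT appended after it; insert_before_reject returns the ruleset with the rule moved directly above the REJECT and the N to pass to iptables -I INPUT N. The parser, evaluator and packet dicts are assumptions of this example: a simplified model of iptables matching that understands only -p, -i, --dport, --state and -j.

```python
import re

# Constructed copy of the INPUT rules from the question (iptables-save format).
RULES = """\
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""
# Match options this simplified model understands (assumption: nothing else is checked).
OPTS = (("-p", "proto"), ("-i", "iface"), ("--dport", "dport"),
        ("--state", "state"), ("-j", "target"))

def parse_chain(text, chain):
    """Rules of `chain` as dicts, in the order the kernel walks them (1 = first)."""
    rules = []
    for line in text.splitlines():
        if line.startswith("-A %s " % chain):
            rule = {"line": line}
            for opt, key in OPTS:
                m = re.search(r"(?:^|\s)%s (\S+)" % re.escape(opt), line)
                if m:
                    rule[key] = m.group(1)
            rules.append(rule)
    return rules

def first_match(rules, packet):
    """(1-based rule number, target) of the first rule whose every match option
    agrees with `packet`; a rule with no match options matches everything."""
    for n, rule in enumerate(rules, 1):
        ok = all(packet.get(k) == rule[k] for k in ("proto", "iface", "dport") if k in rule)
        if "state" in rule:
            ok = ok and packet.get("state") in rule["state"].split(",")
        if ok:
            return n, rule["target"]  # terminal: nothing after it is evaluated
    return None, "policy"

def insert_before_reject(text, chain, rule):
    """Drop any shadowed copy of `rule`, place it directly above the chain's first
    REJECT and return (fixed ruleset, N) where N is the position for `iptables -I chain N`."""
    lines = [ln for ln in text.splitlines() if ln != "-A %s %s" % (chain, rule)]
    pos = 0
    for i, line in enumerate(lines):
        if line.startswith("-A %s " % chain):
            pos += 1
            if " -j REJECT" in line:
                lines.insert(i, "-A %s %s" % (chain, rule))
                return "\n".join(lines) + "\n", pos
    raise ValueError("no REJECT rule in chain " + chain)
```

Any position at or above the REJECT rule's number works with -I; the function returns the one directly above it.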