OpenVZ Forum


HN iptables blocking http access [message #13516] Tue, 29 May 2007 07:08
lurnux
Messages: 3
Registered: May 2007
Junior Member
Hi,

I've just started using openvz and I'm stuck with HN iptables.

I've installed CentOS 4 on the HN according to the instructions found in the wiki.
Now everything works great except http access from every VN: when I try to go to google.com with links, or use any kind of http access to anywhere, I'll get only "No route to host". After some digging around I found that the requests are stuck in an HN iptables rule.

Tcpdump shows:
09:59:05.748720 IP HN > VN: icmp 68: host eh-in-f99.google.com unreachable - admin prohibited
09:59:08.748990 IP VN > eh-in-f99.google.com.http: S 2235774822:2235774822(0) win 5840 <mss 1460,sackOK,timestamp 392992619 0,nop,wscale 2>

In iptables those requests are stuck with the last rule:
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
and I don't know what I should allow to get this one working.

[Updated on: Tue, 29 May 2007 09:24]


Re: HN iptables blocking http access [message #13518 is a reply to message #13516] Tue, 29 May 2007 07:15
rickb
Messages: 368
Registered: October 2006
Senior Member
Of course your iptables rule is blocking the traffic. What do you want your iptables rule to do?



-------------
Common Terms I post with: http://wiki.openvz.org/Category:Definitions

UBC. Learn it, love it, live it: http://wiki.openvz.org/Proc/user_beancounters
Re: HN iptables blocking http access [message #13521 is a reply to message #13516] Tue, 29 May 2007 08:22
lurnux
Messages: 3
Registered: May 2007
Junior Member
I would like it to allow surfing from all of the VNs.
Re: HN iptables blocking http access [message #13522 is a reply to message #13521] Tue, 29 May 2007 08:28
rickb
Messages: 368
Registered: October 2006
Senior Member
But your rule is REJECT. Have you tried to remove the rule?
Re: HN iptables blocking http access [message #13523 is a reply to message #13522] Tue, 29 May 2007 08:43
lurnux
Messages: 3
Registered: May 2007
Junior Member
Yes, and after that it works; however, I need something before that REJECT rule which would allow that www connection.
Re: HN iptables blocking http access [message #13530 is a reply to message #13522] Tue, 29 May 2007 11:53
kingneutron
Messages: 30
Registered: May 2007
Location: NE IL, USA
Member
Rick, this is much like the "fallthru" ACLs in Squid.

He wants to allow $something-safe, and anything *after* that should be REJECTed by default.

What he needs is how to define $something-safe in iptables, just before the no-no trips to protect his system.
Re: HN iptables blocking http access [message #13651 is a reply to message #13523] Fri, 01 June 2007 07:24
Vasily Tarasov
Messages: 1345
Registered: January 2006
Senior Member
Hello,

This is a very common iptables rule to allow http traffic in the FORWARD chain. Please read some iptables guide, e.g. http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

HTH,
Vasily.
Re: HN iptables blocking http access [message #13653 is a reply to message #13530] Fri, 01 June 2007 07:31
rickb
Messages: 368
Registered: October 2006
Senior Member
Yes, agreed. This is how almost every firewall config works: allow a, b, c and disallow d-z. However, if the admin doesn't know what a, b, c are, it's not going to work.

So, your question is more of a business logic one, and that is: what services do you want to offer with your VPS? Once you know that, create a list of the ports and protocols they use (smtp 25/tcp, dns 53/tcp/udp, etc.) and create allow rules to pass them through. Then add your reject rule at the end.

Bottom line: when you add your reject rule without any allow rules, it's like unplugging the network cable. This isn't specific to OpenVZ, it's just basic firewall theory.
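The allow-then-reject ordering that Vasily and rickb describe, as an added example that is not from the thread: a POSIX sh script that emits an iptables-restore fragment for the HN's FORWARD chain, with the allow rules placed before the same REJECT the original poster already had. The interface names venet0 and eth0 and the range 10.0.0.0/24 are assumptions; adjust them to the node.

```shell
#!/bin/sh
# Added example (not the thread's own config): build a FORWARD-chain ruleset for
# an OpenVZ hardware node. Allows come first, the REJECT stays last.

VE_IF="${VE_IF:-venet0}"        # assumed: venet interface the VEs sit behind
VE_NET="${VE_NET:-10.0.0.0/24}" # assumed: address range handed to the VEs
WAN_IF="${WAN_IF:-eth0}"        # assumed: HN's uplink interface

# Print the ruleset in iptables-restore format so it can be reviewed first.
gen_forward_rules() {
cat <<EOF
*filter
:FORWARD DROP [0:0]
# replies to connections the VEs opened themselves
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# VE -> internet: web browsing only (the "something-safe" of the thread)
-A FORWARD -i $VE_IF -s $VE_NET -o $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $VE_IF -s $VE_NET -o $WAN_IF -p tcp --dport 443 -m state --state NEW -j ACCEPT
# VE -> DNS, since links has to resolve google.com before any HTTP happens
-A FORWARD -i $VE_IF -s $VE_NET -o $WAN_IF -p udp --dport 53 -j ACCEPT
-A FORWARD -i $VE_IF -s $VE_NET -o $WAN_IF -p tcp --dport 53 -j ACCEPT
# everything else: the poster's original REJECT, kept as the final rule
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Guard against the bug in the thread: an ACCEPT placed after the REJECT is
# never reached, so the REJECT must be the last rule in the chain.
check_reject_is_last() {
    gen_forward_rules | grep '^-A FORWARD' | tail -n 1 | grep -q 'REJECT'
}

# How many ACCEPT rules precede the REJECT (the part the admin has to define).
count_allows_before_reject() {
    gen_forward_rules | grep '^-A FORWARD' | sed '/REJECT/,$d' | grep -c 'ACCEPT'
}

# On the HN, as root, once reviewed:  gen_forward_rules | iptables-restore
```

iptables-restore replaces the whole filter table, so merge this fragment with the INPUT and OUTPUT rules already on the node before loading it.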