Linux.com

Ernestv

  • Linux.com Member
  • Posts: 2
  • Member Since: 05 Aug 11
  • Last Logged In: 05 Aug 11

Latest Posts

  • Ernestv
    RE: iptables is blocking wget [SOLVED]
    Posted 06 Aug 11

    Hey thanks, this is just what I was after, thank god for the search features. One of my students was asking me something similar and I've been looking for something to lay it out for him to understand it better and this has done just that, thanks again!:laugh:

    5slight wrote:

    I've got an issue with my Linux From Scratch system. I have managed to get it all running fine with networking and SSH. My problem has come when setting up a firewall with iptables. This is my first time using iptables, as I'm used to using the simple UFW tool in Ubuntu.

    It was all going well until I tried to use wget.

    When I try to use wget, this is what happens:

    [code][someone@somewhere:~]# wget http://ftp.mozilla.org/pub/mozilla.org/js/js185-1.0.0.tar.gz
    --2011-04-02 10:11:30-- http://ftp.mozilla.org/pub/mozilla.org/js/js185-1.0.0.tar.gz
    Resolving ftp.mozilla.org... 63.245.209.125
    Connecting to ftp.mozilla.org|63.245.209.125|:80... [/code]

    this is my iptables script:
    [code]
    #!/bin/sh
    ip=/sbin/iptables   # assumed: the post never shows where $ip is set

    # message
    echo -n ">>Applying firewall rules... "

    # flush current rules
    $ip -F
    $ip -X
    $ip -Z

    # Accept packets belonging to established and related connections
    # (OUTPUT only: INPUT has no equivalent catch-all rule)
    $ip -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow FTP connections @ port 21
    $ip -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    $ip -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

    # Allow Active FTP Connections
    $ip -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ip -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

    # Allow Passive FTP Connections
    $ip -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    $ip -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Enable DNS (NEW outbound queries are accepted, so name resolution works)
    $ip -A INPUT -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $ip -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    $ip -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $ip -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

    # Enable SSH
    $ip -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    $ip -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT

    # Enable HTTP and HTTPS
    # (INPUT only, i.e. for a local web server: nothing here accepts the NEW
    # outbound connection wget opens to port 80, and no INPUT rule matches the
    # reply packets that come back from source port 80)
    $ip -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
    $ip -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT

    # Enable PING
    $ip -A INPUT -p icmp -m icmp -j ACCEPT
    $ip -A OUTPUT -p icmp -m icmp -j ACCEPT

    # Default to DROP all (set last, so the previous policies stay in effect
    # while the rules above are being loaded)
    $ip -P INPUT DROP
    $ip -P OUTPUT DROP
    $ip -P FORWARD DROP

    # Allow Loop Back
    $ip -A INPUT -i lo -j ACCEPT
    $ip -A OUTPUT -o lo -j ACCEPT
    echo "Done!"
    [/code]

    I have checked my kernel configuration and all the necessary networking bits have been compiled into it.

    If I set the policy to
    INPUT ALLOW
    OUTPUT ALLOW
    FORWARD DROP

    wget works then.

    Thanks in advance!
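    The quoted script lets DNS out (the wget output shows the name resolving) but accepts no NEW outbound connection to port 80, so the SYN is dropped by the OUTPUT DROP policy at "Connecting...", and INPUT has no rule for the HTTP replies either. The following corrected ruleset is an added example for this thread, not code from the original post; it assumes a POSIX sh and the iptables state match the post uses, and setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful client ruleset that keeps
# INPUT/OUTPUT DROP policies but lets wget (HTTP/HTTPS) and DNS out.
# Run with IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"

apply_rules() {
    # Policies first: if a later rule fails to load, the host stays closed
    # rather than open (the original script set them last).
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -F
    "$IPT" -X

    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # One conntrack rule per chain. The original had this for OUTPUT only,
    # so even with the SYN allowed, HTTP replies (source port 80) would have
    # been dropped by INPUT: no per-service rule there matched them.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NEW outbound connections must be accepted explicitly under OUTPUT DROP.
    # The original accepted NEW to port 53 (hence wget resolved the name)
    # but never NEW to 80/443, so wget's SYN was dropped at "Connecting...".
    for port in 53 80 443; do
        "$IPT" -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    "$IPT" -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    "$IPT" -A OUTPUT -p icmp -j ACCEPT

    # Inbound services offered by this host.
    "$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Count the generated rules that accept a NEW outbound TCP connection to $1
# (dry run via IPT=echo, so this never touches the live firewall).
allows_new_outbound_tcp() {
    ( IPT=echo; apply_rules ) |
        grep -c -- "-A OUTPUT -p tcp --dport $1 -m state --state NEW -j ACCEPT" || true
}

case "${1:-}" in
    apply) apply_rules ;;
esac
```

Run as root with `sh firewall.sh apply`; FTP data channels additionally need the nf_conntrack_ftp helper loaded for RELATED to match.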

  • Ernestv
    RE: How to become a Linux system administrator
    Posted 06 Aug 11

    If money and time aren't a barrier, why not surround yourself with as many things as you possibly can relating to Linux? Study on your own whilst doing a fast-paced training course, get an online course like the ones CBT Nuggets or Learnkey provide, and have a look at any college courses that could benefit you. Make sure you use Linux at home, and whenever you feel the need to go back to Windows to do something, don't; stick around and find a solution to all your problems, of which you will have plenty.

    Give yourself a set of tasks for administration and do them; research on the forums, Google, whatever. It won't be a fast process, but you can speed it up by surrounding yourself with it.

    MatthewFarmer47 wrote:

    I have heard a few suggestions, but I would like a few more. After all, it will be quite an investment in time and money.
    So far I have these:

    • Online school
    • Study on my own
    • Go to college
    • Fast-paced training courses (all day for 5 days)

    My problem with online school is: can they really be trusted, and has anyone ever done online school? Is it worth it?

    When I study on my own there are many things I don't know already, and I am becoming very confused.

    Going to college... I don't drive, and there is no college close to me that offers Linux courses.

    Fast-paced training courses sound good, but can someone really retain all that knowledge in that short a time?

    Keep in mind that I am completely new to this.

    Thanks in advance, everyone.
