I installed Apache httpd on CentOS and iptables blocked it, verily.
Starting it up
# /etc/init.d/httpd start
httpd を起動中: [ OK ]
# ps aux|grep httpd
If the process is running properly, OK.
So why won't it connect?
$ ping centos01
PING centos01 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.536 ms
・
・
That works, so let's telnet.
$ telnet centos01 80
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection refused
telnet: Unable to connect to remote host
Oh. It's being rejected.
What about traceroute?
$ traceroute centos01
traceroute to centos01 (192.168.1.1), 64 hops max, 52 byte packets
 1  centos01 (192.168.1.1)  0.502 ms !Z  0.105 ms !Z  0.193 ms !Z
That looks fine too.
A quick search suggests it's the firewall.
# /sbin/iptables -L --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     icmp --  anywhere             anywhere            icmp any
3    ACCEPT     esp  --  anywhere             anywhere
4    ACCEPT     ah   --  anywhere             anywhere
5    ACCEPT     udp  --  anywhere             XXX.XXX.XXX.XXX     udp dpt:mdns
6    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
7    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
8    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
10   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
So if I put http and https into RH-Firewall-1-INPUT ahead of the REJECT, that should do it?
# /sbin/iptables -I RH-Firewall-1-INPUT 10 -p tcp --dport https -j ACCEPT
# /sbin/iptables -I RH-Firewall-1-INPUT 10 -p tcp --dport http -j ACCEPT
# /sbin/iptables -L --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     icmp --  anywhere             anywhere            icmp any
3    ACCEPT     esp  --  anywhere             anywhere
4    ACCEPT     ah   --  anywhere             anywhere
5    ACCEPT     udp  --  anywhere             XXX.XXX.XXX.XXX     udp dpt:mdns
6    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
7    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
8    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
10   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
11   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
12   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Once the rules are added, save them.
# /sbin/service iptables save
ファイアウォールのルールを /etc/sysconfig/iptables に保存中[ OK ]
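The steps above depend on one detail that is easy to get wrong: `iptables -I CHAIN N` inserts in front of the rule currently at position N, so a rule inserted after the REJECT is never reached. The following script is an added example and not part of the original post. It works on a saved copy of `iptables -L --line-numbers` output (the two listings below are constructed from the post, with unrelated chains and rules trimmed in the second), so it needs neither root nor iptables: it finds the REJECT in RH-Firewall-1-INPUT, prints the insert commands that would land http and https just before it, and checks that a listing really accepts a port ahead of its REJECT.

```shell
#!/bin/sh
# Added example, not from the original post. Reads iptables listings as text:
# locate the REJECT in a chain, plan inserts in front of it, and verify that an
# ACCEPT for a port actually precedes the REJECT (rules after it never match).

# Constructed sample: the chain from the post, before the change.
SAMPLE_BEFORE='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     icmp --  anywhere             anywhere            icmp any
3    ACCEPT     esp  --  anywhere             anywhere
4    ACCEPT     ah   --  anywhere             anywhere
5    ACCEPT     udp  --  anywhere             XXX.XXX.XXX.XXX     udp dpt:mdns
6    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
7    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
8    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
10   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# Constructed sample: the same chain after the two inserts (rules 1-7 trimmed).
SAMPLE_AFTER='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
8    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
10   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
11   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
12   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# Print the number of the first REJECT rule in chain $1, reading the listing
# from stdin. Prints nothing if the chain has no REJECT.
reject_rule_number() {
  awk -v chain="$1" '
    /^Chain / { in_chain = ($2 == chain); next }
    in_chain && $2 == "REJECT" { print $1; exit }
  '
}

# Print (do not run) the commands that insert http and https ACCEPT rules in
# front of that REJECT. "-I CHAIN N" inserts before the rule currently at N, so
# inserting https and then http at the same N leaves http at N and https at
# N+1, exactly the order the post ends up with.
plan_http_rules() {  # $1 = listing text
  n=$(printf '%s\n' "$1" | reject_rule_number RH-Firewall-1-INPUT)
  if [ -z "$n" ]; then
    echo "RH-Firewall-1-INPUT has no REJECT rule; not guessing a position" >&2
    return 1
  fi
  printf '/sbin/iptables -I RH-Firewall-1-INPUT %s -p tcp --dport https -j ACCEPT\n' "$n"
  printf '/sbin/iptables -I RH-Firewall-1-INPUT %s -p tcp --dport http -j ACCEPT\n' "$n"
}

# Succeed only if chain $2 in listing $1 has a tcp ACCEPT for dpt:$3 that comes
# before the chain's REJECT. An ACCEPT placed after the REJECT does not count,
# because the packet has already been rejected by then.
accepted_before_reject() {  # $1 = listing text, $2 = chain, $3 = port name
  printf '%s\n' "$1" | awk -v chain="$2" -v port="$3" '
    /^Chain / { in_chain = ($2 == chain); next }
    in_chain && $2 == "REJECT" { in_chain = 0 }
    in_chain && $2 == "ACCEPT" && $3 == "tcp" && $NF == ("dpt:" port) { found = 1 }
    END { exit (found ? 0 : 1) }
  '
}

# Demo on the constructed samples.
plan_http_rules "$SAMPLE_BEFORE"
for listing in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
  if accepted_before_reject "$listing" RH-Firewall-1-INPUT http; then
    echo "http: ACCEPT sits before REJECT"
  else
    echo "http: no ACCEPT before REJECT, port is blocked"
  fi
done
```

In practice you would pipe a live `iptables -L --line-numbers` into `reject_rule_number` instead of the embedded sample, read the printed commands before running them as root, and then re-run `accepted_before_reject` on the fresh listing before `service iptables save`, so a rule that accidentally landed after the REJECT is caught before it is persisted.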
Does it work now?
$ telnet centos01 80
Trying 192.168.1.1...
Connected to centos01.
Escape character is '^]'.
]
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>] to / not supported.<br />
</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at localhost.localdomain Port 80</address>
</body></html>
Connection closed by foreign host.