[Sluglug] Apache Server on Resnet
cerise at armory.com
Wed Oct 19 14:00:23 PDT 2005
On Wed, Oct 19, 2005 at 12:15:51PM -0700, Erich wrote:
> Hello again,
>
> I've got DynDNS running as per all of your kind suggestions. I even have
> the apache server up and running - you can check out the horribly, horribly
> under construction site at http://timothytoo.dyndns.org right now if you're
> on ResNet.
>
> Originally, I asked to be able to serve a web page only over ResNet - and
> that's what I got. But I've broadened my horizons. I want to go global with
> this page. What are my options? The server is currently set to "Listen 80",
> and the server name is set to timothy.dyndns.org. Someone suggested using
> https on point 443 - I could do that, but I have absolutely no idea how to
> set up an https server. Getting the standard set up took me a solid day of
> frustrated google'ing, but maybe it's not that much more difficult to go the
> extra step. And if it's the only way, then it's the only way.
I thought https might work, but it won't. I nmapped your IP. That tells me
that most ports are filtered. The only open port <8080 is ssh at port 22.
BTW, you probably already have https set up. All you should have to do if
not is load mod_ssl.
> Also, and this is kind of scary to even admit this over any sort of online
> communication (but safer than asking on IRC)... I'm having trouble setting
> up iptables. The default conf for the program seems to be very, very
> strange, and when I added the lines I saw on an online tutorial of how to
> set it up, the program failed to load. Basically, I want iptables to allow
> port 80 (or maybe 443 if I end up going with that), 22 for ssh, I want to be
> able to ping it, and I want to be able to play a few online games I have -
> one of which requires UDP and TCP protocol on the same port. Everything else
> can be blocked, as far as I'm concerned. Well, I need one port for
> bittorrent, for when I do that. 6881, that is, isn't it?
About 5 years ago, I too was ignorant of iptables, so I understand the
predicament.
I believe this line will do:
iptables -A INPUT -j REJECT -p tcp -i eth0 --dport 1:21 --reject-with icmp-net-unreachable
This line can be duplicated with the range of 1-21 set to whichever you
need. You can also put a single port in, e.g.:
iptables -A INPUT -j REJECT -p tcp -i eth0 --dport 21 --reject-with icmp-net-unreachable
Those will only block tcp (the -p specifies protocol). If you wanted to
block everything else, then:
iptables -A INPUT -j REJECT -p udp -i eth0 --dport 1:1024 --reject-with icmp-net-unreachable
will block everything from 1-1024 which isn't over tcp.
-Phil/CERisE
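As an added example (not from the thread), a default-deny INPUT rule set covering what Erich asked for: ssh, http, ping, one game port on both TCP and UDP, and 6881 for BitTorrent. `eth0` is taken from the thread; `GAME_PORT` is a constructed placeholder. Since iptables only accepts `--dport` together with `-p tcp` or `-p udp`, the port rules are written once per protocol rather than with an inverted `-p`.

```shell
#!/bin/sh
# Added example: default-deny inbound filter for the ResNet web host in the thread.
IFACE="${IFACE:-eth0}"          # interface named in the thread
GAME_PORT="${GAME_PORT:-27015}" # constructed placeholder; set to the game's real port

# Emit the rule set. iptables evaluates top to bottom, first match wins,
# so the ACCEPT rules come before the catch-all REJECT.
gen_rules() {
  cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IFACE -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport $GAME_PORT -j ACCEPT
iptables -A INPUT -i $IFACE -p udp --dport $GAME_PORT -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 6881 -j ACCEPT
iptables -A INPUT -i $IFACE -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Preview by default; APPLY=1 (run as root) executes the generated rules.
if [ "${APPLY:-0}" = "1" ]; then
  gen_rules | sh -e
else
  gen_rules
fi
```

The REJECT at the end answers blocked probes immediately, as in Phil's rules, while the DROP policy covers anything that arrives on an interface other than eth0.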