- 02-24-2011 #1 Just Joined!
- Join Date
- Oct 2005
- Posts
- 9
iptables ???? at a total loss
Hi,
Can anyone let me know why, when I use the following config for iptables, I get totally shut out of the machine? My existing ssh sessions are dropped and the server fails to log in as it can't access NFS. I'm using the following config for iptables:
Any help much appreciated.
Code:
#default lines created by iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Accept all traffic on loopback interfaces
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Accept legitimate responses to traffic we generate.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept portmap inbound
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
# Accept nfs inbound
-A INPUT -p tcp -m tcp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4000:4004 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 4000:4004 -m state --state NEW,ESTABLISHED -j ACCEPT
# Accept ssh inbound
-A INPUT -p tcp -m tcp --sport ssh --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Accept smtp outbound
-A INPUT -p tcp -m tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# Accept ntp client inbound
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
# Accept dns inbound/outbound
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Accept DHCP inbound
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Accept gmond for ganglia outbound
-A INPUT -p tcp --dport 8649 -m state --state NEW -j ACCEPT
# Accept cups outbound
-A OUTPUT -p tcp -m tcp --dport 631 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 515 -m state --state NEW -j ACCEPT
# Accept ICMP pings inbound and outbound
-A OUTPUT -p icmp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# finally block all other incoming and all outgoing connections
#iptables -A INPUT -j DROP
#output
-A INPUT -j DROP
# always necessary for iptables-restore
COMMIT
Chris
- 02-24-2011 #2
While you are allowing traffic in, you are blocking all the return traffic.
You need an OUTPUT rule, something like:
Code:
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- 03-04-2011 #3 Just Joined!
- Join Date
- Mar 2011
- Posts
- 3
Sorry to say, but your config looks terrible
No idea who did it.
To fix the ssh issue, change this:
-A INPUT -p tcp -m tcp --sport ssh --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
to:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
as sport will never be equal to dport.
The rest of the rules have mostly the same problems.
BTW, it's better to hide ssh on, say, port 2200.
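The two replies above point at two separate defects: reply #2 at the missing OUTPUT rule for return traffic under an OUTPUT DROP policy, and reply #3 at the `--sport ssh --dport 22` rule, which can only match a client whose source port happens to be 22. The following is an added, constructed model of how iptables evaluates a packet against a chain (first matching rule wins, otherwise the chain policy); it is a teaching simplification written for this page, not netfilter code and not code from either poster. It keeps only the rules from the question that affect SSH, with the client port 51234 and the interface name eth0 as constructed values, and shows that the original ruleset drops both a new SSH connection and the replies of an existing session, while the ruleset with both fixes applied accepts them:

```python
"""Constructed model of iptables INPUT/OUTPUT chain evaluation (a teaching
simplification, not the kernel's netfilter code). It shows why the ruleset in
the question locks SSH out and why the two corrections in the replies fix it."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    chain: str    # "INPUT" (arriving at this host) or "OUTPUT" (sent by this host)
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int
    state: str    # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    iface: str = "eth0"   # constructed interface name


def ports(lo: int, hi: Optional[int] = None) -> range:
    """Port range helper: ports(22) is just port 22, ports(67, 68) is 67:68."""
    return range(lo, (hi if hi is not None else lo) + 1)


@dataclass
class Rule:
    chain: str
    target: str                      # "ACCEPT" or "DROP"
    proto: Optional[str] = None      # -p
    sport: Optional[range] = None    # --sport
    dport: Optional[range] = None    # --dport
    states: Optional[set] = None     # -m state --state
    iface: Optional[str] = None      # -i / -o

    def matches(self, p: Packet) -> bool:
        return (self.chain == p.chain
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (self.states is None or p.state in self.states)
                and (self.iface is None or self.iface == p.iface))


def verdict(rules, policy, p: Packet) -> str:
    """First matching rule in the packet's chain wins; otherwise the chain policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy[p.chain]


POLICY = {"INPUT": "DROP", "OUTPUT": "DROP"}   # the question's :INPUT DROP / :OUTPUT DROP

# The rules from the question that affect SSH (the NFS/DNS/etc. rules are omitted).
ORIGINAL = [
    Rule("INPUT", "ACCEPT", iface="lo"),
    Rule("OUTPUT", "ACCEPT", iface="lo"),
    Rule("INPUT", "ACCEPT", states={"RELATED", "ESTABLISHED"}),
    # "--sport ssh --dport 22": only matches a client whose source port is also 22
    Rule("INPUT", "ACCEPT", proto="tcp", sport=ports(22), dport=ports(22),
         states={"NEW", "ESTABLISHED"}),
]

# The same rules with the two corrections from the replies applied.
FIXED = [
    Rule("INPUT", "ACCEPT", iface="lo"),
    Rule("OUTPUT", "ACCEPT", iface="lo"),
    Rule("INPUT", "ACCEPT", states={"RELATED", "ESTABLISHED"}),
    Rule("OUTPUT", "ACCEPT", states={"RELATED", "ESTABLISHED"}),   # reply #2
    Rule("INPUT", "ACCEPT", proto="tcp", dport=ports(22)),         # reply #3
]


def ssh_handshake(rules, client_port: int = 51234):
    """Verdicts for the first two packets of an SSH connection to this host:
    the client's SYN (INPUT, NEW) and this host's SYN-ACK reply (OUTPUT, which
    conntrack already sees as ESTABLISHED). Data packets of an existing session
    leaving the host get the same OUTPUT verdict as the SYN-ACK, which is why the
    original policy also kills sessions that were already open.
    51234 is a constructed ephemeral client port."""
    syn = Packet("INPUT", "tcp", sport=client_port, dport=22, state="NEW")
    syn_ack = Packet("OUTPUT", "tcp", sport=22, dport=client_port, state="ESTABLISHED")
    return verdict(rules, POLICY, syn), verdict(rules, POLICY, syn_ack)


if __name__ == "__main__":
    print("original, normal client:", ssh_handshake(ORIGINAL))        # ('DROP', 'DROP')
    print("original, client sport 22:", ssh_handshake(ORIGINAL, 22))  # ('ACCEPT', 'DROP')
    print("fixed, normal client:", ssh_handshake(FIXED))              # ('ACCEPT', 'ACCEPT')
```

The second case is the one worth noticing: even a client that does use source port 22 gets its SYN accepted by the original rule and then has the SYN-ACK dropped by the OUTPUT policy, so fixing the `--sport` rule alone would not have restored access; both corrections are needed.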