  1. #1

    iptables ???? at a total loss


    Hi,

    Can anyone let me know why, when I use the following config for iptables, I get totally shut out of the machine? My existing ssh sessions are dropped and the server fails to log in as it can't access NFS. I'm using the following config for iptables:

    Code:
    #default lines created by iptables
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    
    # Accept all traffic on loopback interfaces
    
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    
    # Accept legitimate responses to traffic we generate.
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # Accept portmap inbound
    -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
    -A INPUT -p udp -m udp --dport 111 -j ACCEPT
    
    # Accept nfs inbound
    -A INPUT -p tcp -m tcp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 4000:4004 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp --dport 4000:4004 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # Accept ssh inbound
    -A INPUT -p tcp -m tcp --sport ssh --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # Accept smtp outbound
    -A INPUT -p tcp -m tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # Accept ntp client inbound
    -A INPUT -p udp -m udp --sport 123 -j ACCEPT
    
    # Accept dns inbound/outbound
    -A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    -A OUTPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    
    # Accept DHCP inbound
    -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
    
    # Accept gmond for ganglia outbound
    -A INPUT -p tcp --dport 8649 -m state --state NEW -j ACCEPT
    
    # Accept cups outbound
    -A OUTPUT -p tcp -m tcp --dport 631 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 515 -m state --state NEW -j ACCEPT
    
    # Accept ICMP pings inbound and outbound
    -A OUTPUT -p icmp -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    
    
    # finally block all other incoming and all outgoing connections
    
    #iptables -A INPUT -j DROP
    #output -A INPUT -j DROP
    
    # always necessary for iptables-restore
    
    COMMIT
    Any help much appreciated.

    Chris

  2. #2
    Lazydog
    While you are allowing traffic in, you are blocking all the return traffic.
    You need an OUTPUT rule, something like:

    Code:
     -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    Regards
    Robert


  3. #3
    avb
    Sorry to say, but your config looks terrible. No idea who did it.

    To fix the ssh issue, change this:

    -A INPUT -p tcp -m tcp --sport ssh --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

    to:
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

    as sport will never be equal to dport.

    The rest of the rules have mostly the same problems.

    BTW, it's better to hide ssh on, say, port 2200.
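The two replies above point at two separate defects: the OUTPUT chain has policy DROP but no stateful accept, so replies to inbound ssh and NFS sessions never leave the host (Lazydog's point), and the ssh rule demands `--sport ssh`, which a real client never uses (avb's point). The script below is an added example written for this thread, not code from either poster. It embeds a constructed excerpt of the original ruleset, a corrected `iptables-restore` file, and a small `awk` lint that flags both defects; it runs offline and never touches the live firewall. The function names `broken_ruleset`, `fixed_ruleset` and `lint_ruleset` are hypothetical, and the corrected file assumes the host is an NFS client that needs outbound NEW connections to a separate NFS server (the original config only accepts NFS inbound).

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the two defects the
# replies describe and show a corrected iptables-restore file.

# Constructed excerpt of the original poster's ruleset (only the lines the
# lint cares about) so the checks below can run offline.
broken_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport ssh --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Corrected ruleset (assumption: this host mounts NFS from another server and
# otherwise only needs DNS, NTP and SMTP outbound). Both chains keep policy
# DROP; a generic ESTABLISHED,RELATED accept on each chain lets replies
# through, and every service rule matches only on the destination port.
fixed_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp --dport 111 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 111 -j ACCEPT
-A OUTPUT -p tcp --dport 2049 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 2049 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Lint an iptables-restore file read on stdin; one WARN line per finding.
# Check 1: a rule whose --sport equals its --dport (service names resolved
#          for the few names used here; port ranges are skipped because a
#          range on both sides can legitimately overlap, as in DHCP 67:68).
# Check 2: OUTPUT policy DROP with no port-free ESTABLISHED,RELATED accept.
lint_ruleset() {
  awk '
  BEGIN { svc["ssh"] = "22"; svc["smtp"] = "25"; svc["domain"] = "53" }
  function port(flag,   s) {
    s = $0
    if (!sub(".*" flag " +", "", s)) return ""
    sub(/ .*/, "", s)
    return (s in svc) ? svc[s] : s
  }
  /^:OUTPUT DROP/ { out_drop = 1 }
  /^-A OUTPUT / && /--state [A-Z,]*ESTABLISHED/ && !/--[sd]port/ { out_state = 1 }
  /^-A / && /--sport/ && /--dport/ {
    sp = port("--sport"); dp = port("--dport")
    if (sp != "" && sp == dp && sp !~ /:/)
      print "WARN: --sport equals --dport, a normal client never sends from that port: " $0
  }
  END {
    if (out_drop && !out_state)
      print "WARN: OUTPUT policy DROP without a generic ESTABLISHED,RELATED accept: replies to inbound sessions are dropped"
  }'
}

printf 'Findings for the original-style ruleset:\n'
broken_ruleset | lint_ruleset
printf 'Findings for the corrected ruleset:\n'
fixed_ruleset | lint_ruleset
```

Running the lint against the excerpt prints two findings (the ssh rule and the missing OUTPUT state rule) and nothing for the corrected file. To apply the corrected file for real, pipe `fixed_ruleset` into `iptables-restore` from a console session rather than over ssh, so a mistake cannot lock you out the way the original did.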
