  1. #1
    Just Joined!
    Join Date
    Aug 2012
    Posts
    18

    How to unblock outgoing HTTP and HTTPS traffic in iptables?


    With the following iptables rules, I was unable to do an apt update and ping a website. What's wrong with the rules? How do I fix it? What is the exact rule to fix it?

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:325 
    DROP       all  --  anywhere             anywhere            
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

  2. #2
    Linux Newbie
    Join Date
    Jun 2012
    Location
    SF Bay area
    Posts
    192
    If I'm interpreting that list right (which I assume is the complete set listed by "iptables --list") then your system will send anything, forward anything, but will only accept incoming packets to port 325. Any other inbound packets are dropped. I'm not sure what sort of access you want to allow the server, or what access you want to grant external systems. It sounds like a very, very specialized configuration to me. So I don't know if you're open to the following changes or not, but maybe this will still help?

    The other thing that seems off is that there's no rule telling the system it's OK to accept packets on the loopback interface. So I think that "DROP" rule will kill loopback traffic as well?

    Having noted that I really don't understand your system, I would suggest making the following changes. Only you can tell if they make sense in the context of what you're trying to do with the system in question.

    1. disable forwarding with the default Fedora rule my system came with, meaning
    Code:
    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    2. change the "DROP" rule in the INPUT chain to also "REJECT" as per the same default behavior
    Code:
    iptables -R INPUT 2 -j REJECT --reject-with icmp-host-prohibited
    3. add a rule letting the system accept packets associated with existing connections and connections related to existing connections (again, this is default on my FC17 box). If you drop the "RELATED," most things will probably still work, just not protocols like FTP that create secondary connections.
    Code:
    iptables -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
    Then I'd recommend checking the setup with the following commands to make sure the config is sane. The "-n" just shows the rule numbers and "-v" shows extra info, like what interface is associated with the rule.

    Code:
    iptables -n -v --list
    iptables --list-rules
    Last edited by cnamejj; 11-09-2012 at 08:57 AM. Reason: grammar mistake, forgot to close parens, grrr...

  3. #3
    Just Joined!
    Join Date
    Nov 2012
    Posts
    2
    Quote Originally Posted by cnamejj View Post
    If I'm interpreting that list right (which I assume is the complete set listed by "iptables --list") then your system will send anything, forward anything, but will only accept incoming packets to port 325. Any other inbound packets are dropped. I'm not sure what sort of access you want to allow the server, or what access you want to grant external systems. It sounds like a very, very specialized configuration to me. So I don't know if you're open to the following changes or not, but maybe this will still help?

    The other thing that seems off is that there's no rule telling the system it's OK to accept packets on the loopback interface. So I think that "DROP" rule will kill loopback traffic as well?

    Having noted that I really don't understand your system, I would suggest making the following changes. Only you can tell if they make sense in the context of what you're trying to do with the system in question.

    1. disable forwarding with the default Fedora rule my system came with, meaning
    Code:
    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    2. change the "DROP" rule in the INPUT chain to also "REJECT" as per the same default behavior
    Code:
    iptables -R INPUT 2 -j REJECT --reject-with icmp-host-prohibited
    3. add a rule letting the system accept packets associated with existing connections and connections related to existing connections (again, this is default on my FC17 box). If you drop the "RELATED," most things will probably still work, just not protocols like FTP that create secondary connections.
    Code:
    iptables -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
    Then I'd recommend checking the setup with the following commands to make sure the config is sane. The "-n" just shows the rule numbers and "-v" shows extra info, like what interface is associated with the rule.

    Code:
    iptables -n -v --list
    iptables --list-rules
    Thanks, I had a similar problem and it was solved.

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by THpubs View Post
    With the following iptables rules, I was unable to do an apt update and ping a website. What's wrong with the rules? How do I fix it? What is the exact rule to fix it?

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:325 
    DROP       all  --  anywhere             anywhere            
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    You just need to change your firewall rules as follows:

    Code:
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    This allows everything out and only connections you started back in.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
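The point both answers make is that an `apt update` or a ping is two halves: an outbound packet (OUTPUT chain, which the original rules accept) and the reply coming back in (INPUT chain, where the original `DROP` rule catches it because nothing matches ESTABLISHED traffic first). The following is an added worked example, not code from this thread or from iptables itself: a small first-match evaluator that models the three rule sets in the thread (the original listing, post #2's changes, post #4's changes) and runs a constructed set of packets through them. Packet names, ports and conntrack states are assumptions for illustration; the evaluator only models what the discussion needs (chain policy, ordered rules, `-p`/`--dport`, `-m state` and a loopback interface flag), not real netfilter.

```python
"""Toy first-match evaluator for the iptables rule sets discussed in the thread.

Added example, not part of the original thread. It models chain policy,
ordered rules, protocol/port matches, `-m state` matches and an interface
flag. Address matches, NAT and the real conntrack engine are not modelled;
the conntrack state of each constructed packet is simply assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Packet:
    chain: str              # chain this packet traverses: INPUT or OUTPUT
    proto: str              # 'tcp', 'udp' or 'icmp'
    dport: Optional[int]    # destination port, None for icmp
    state: str              # assumed conntrack state: NEW, ESTABLISHED, RELATED
    iface: str = "eth0"     # 'lo' marks loopback traffic


@dataclass
class Rule:
    target: str                               # ACCEPT, DROP or REJECT
    proto: Optional[str] = None               # -p
    dport: Optional[int] = None               # --dport
    states: FrozenSet[str] = frozenset()      # -m state --state (empty = any)
    iface: Optional[str] = None               # -i

    def matches(self, pkt: Packet) -> bool:
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        if self.iface and pkt.iface != self.iface:
            return False
        return True


@dataclass
class Chain:
    policy: str                                # default verdict if no rule matches
    rules: List[Rule] = field(default_factory=list)


def verdict(chains: Dict[str, Chain], pkt: Packet) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    chain = chains[pkt.chain]
    for rule in chain.rules:
        if rule.matches(pkt):
            return rule.target
    return chain.policy


REL_EST = frozenset({"RELATED", "ESTABLISHED"})

# Rule set as listed by the original poster.
OP = {
    "INPUT": Chain("ACCEPT", [Rule("ACCEPT", proto="tcp", dport=325), Rule("DROP")]),
    "OUTPUT": Chain("ACCEPT"),
    "FORWARD": Chain("DROP"),
}
# Post #2: REJECT forwarding, replace DROP with REJECT, insert the stateful ACCEPT at position 2.
CNAMEJJ = {
    "INPUT": Chain("ACCEPT", [Rule("ACCEPT", proto="tcp", dport=325),
                              Rule("ACCEPT", states=REL_EST),
                              Rule("REJECT")]),
    "OUTPUT": Chain("ACCEPT"),
    "FORWARD": Chain("DROP", [Rule("REJECT")]),
}
# Post #4: default DROP everywhere, stateful ACCEPT in INPUT and OUTPUT.
LAZYDOG = {
    "INPUT": Chain("DROP", [Rule("ACCEPT", states=REL_EST)]),
    "OUTPUT": Chain("DROP", [Rule("ACCEPT", states=frozenset({"NEW"}) | REL_EST)]),
    "FORWARD": Chain("DROP"),
}

# Constructed traffic: both halves of a DNS lookup, an HTTP fetch and a ping,
# plus an unsolicited inbound connection to the OP's open port, one to port 80,
# and a loopback connection. Ephemeral reply ports are made up.
TRAFFIC = {
    "dns_query_out": Packet("OUTPUT", "udp", 53, "NEW"),
    "dns_reply_in": Packet("INPUT", "udp", 41234, "ESTABLISHED"),
    "http_syn_out": Packet("OUTPUT", "tcp", 80, "NEW"),
    "http_reply_in": Packet("INPUT", "tcp", 41235, "ESTABLISHED"),
    "ping_out": Packet("OUTPUT", "icmp", None, "NEW"),
    "ping_reply_in": Packet("INPUT", "icmp", None, "ESTABLISHED"),
    "port325_new_in": Packet("INPUT", "tcp", 325, "NEW"),
    "web_new_in": Packet("INPUT", "tcp", 80, "NEW"),
    "loopback_in": Packet("INPUT", "tcp", 5432, "NEW", iface="lo"),
}


def evaluate(chains: Dict[str, Chain]) -> Dict[str, str]:
    """Verdict for every constructed packet under one rule set."""
    return {name: verdict(chains, pkt) for name, pkt in TRAFFIC.items()}


def apt_update_works(chains: Dict[str, Chain]) -> bool:
    """True only when both directions of the DNS and HTTP flows are accepted."""
    v = evaluate(chains)
    return all(v[k] == "ACCEPT" for k in
               ("dns_query_out", "dns_reply_in", "http_syn_out", "http_reply_in"))


if __name__ == "__main__":
    for label, chains in (("original", OP), ("post #2", CNAMEJJ), ("post #4", LAZYDOG)):
        print(label, "apt update works:", apt_update_works(chains))
        for name, result in evaluate(chains).items():
            print(f"  {name:16} {result}")
```

Running it shows the original rule set accepting every outbound packet but dropping every reply (`dns_reply_in`, `http_reply_in`, `ping_reply_in`), which is exactly the symptom in the question. Both suggested rule sets let the replies through. Two things the simulator also makes visible: neither suggestion adds a loopback rule, so `loopback_in` is still rejected or dropped, as post #2 warns; and post #4's set has no ACCEPT for port 325, so a new inbound connection to that port is dropped by the INPUT policy, which matters if the poster still needs it.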
