iptables ???? at a total loss

Hi,

Can anyone let me know when I use the following config for IP tables I get totally shut out of the machine, my existing ssh sessions are dropped the server fails to login as it can't access nfs, im using the following config for iptables:

Code:

---

#default lines created by iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Accept all traffic on loopback interfaces

-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Accept legitimate responses to traffic we generate.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept portmap inbound
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT

# Accept nfs inbound
-A INPUT -p tcp -m tcp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4000:4004 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 4000:4004 -m state --state NEW,ESTABLISHED -j ACCEPT

# Accept ssh inbound
-A INPUT -p tcp -m tcp --sport ssh --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# Accept smtp outbound
-A INPUT -p tcp -m tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# Accept ntp client inbound
-A INPUT -p udp -m udp --sport 123 -j ACCEPT

# Accept dns inbound/outbound
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# Accept DHCP inbound
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT

# Accept gmond for ganglia outbound
-A INPUT -p tcp --dport 8649 -m state --state NEW -j ACCEPT

# Accept cups outbound
-A OUTPUT -p tcp -m tcp --dport 631 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 515 -m state --state NEW -j ACCEPT

# Accept ICMP pings inbound and outbound
-A OUTPUT -p icmp -j ACCEPT
-A INPUT -p icmp -j ACCEPT


# finally block all other incomming and all outgoing connections

#iptables -A INPUT -j DROP
#output -A INPUT -j DROP

# always necessary for iptables-restore

COMMIT

---

Any help much appreciated.

Chris

While you are allowing traffic in your are blocking all the return traffic..
You need a OUTPUT rule something like;

Code:

---

-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

---

Sorry to say, but your config looks terrible :) No idea who did it.

to fix ssh issue change this:

-A INPUT -p tcp -m tcp --sport ssh --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

to:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

as sport will never be equal to dport.

Rest of the rules have mostly same problems.

BTW, its better to hide ssh on say 2200 port.