  1. #1 halonothing (Just Joined!, joined Sep 2008, 5 posts)

    IPTABLES! help!


    wtf is wrong with this picture? I thought :OUTPUT ACCEPT [0:0] means accept all outgoing traffic. Yet I cannot ping out, cannot ssh out, cannot telnet out, etc.

    P.S. Can anyone tell me what the [0:0] means in those chains?


    Code:
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # -A INPUT -i eth0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 3784 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 3784 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
    
    COMMIT
    (Side note: for some reason, when I run
    Code:
    root@klezmer:# iptables -P INPUT ACCEPT
    it opens outgoing traffic. I'm stumped.)

  2. #2 Lazydog (Linux Guru, joined Jun 2004, The Keystone State, 2,672 posts)
    Ping uses ICMP. You need to read up on ICMP to see why it is not working.
    While the outgoing ping is on one port the return is on another. Your rule
    Code:
    -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    will not match, thus the packet will move down the INPUT rule chain until a rule is matched or it is dropped.

    Google on 'ICMP and IPTABLES' should get you a lot of web sites on the subject.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  3. #3 halonothing (Just Joined!, joined Sep 2008, 5 posts)
    Will do, however I guess I'm confused about the difference between "OUTPUT" and "INPUT". I was under the impression that INPUT referred to packets that are being received by the kernel from an external source, whereas OUTPUT would be a packet sent from an internal device (term, tty...) on the server to the kernel, then out to the world.

    Doesn't that first chain rule,

    OUTPUT ACCEPT [0:0], say "ACCEPT all traffic being sent from this machine"? Whereas INPUT DROP [0:0] says "DROP all packets from incoming connections unless they meet the following rules" (then on to my INPUT rules)?

  4. #4 Lazydog (Linux Guru, joined Jun 2004, The Keystone State, 2,672 posts)

    Quote Originally Posted by halonothing:
        Will do, however I guess I'm confused about the difference between "OUTPUT" and "INPUT". I was under the impression that INPUT referred to packets that are being received by the kernel from an external source, whereas OUTPUT would be a packet sent from an internal device (term, tty...) on the server to the kernel, then out to the world.
    Use KISS (Keep It Super Simple):
    INPUT = packets coming to the machine that are destined for that machine.
    OUTPUT = packets leaving the machine that started on the machine.
    FORWARD = packets that are passing through the machine, destined for another.
    Everything passes through the kernel.

    Quote Originally Posted by halonothing:
        Doesn't that first chain rule,

        OUTPUT ACCEPT [0:0], say "ACCEPT all traffic being sent from this machine"? Whereas INPUT DROP [0:0] says "DROP all packets from incoming connections unless they meet the following rules" (then on to my INPUT rules)?
    Yes, the OUTPUT ACCEPT allows all packets to leave the machine, but in your case the ICMP replies are not returned with the same TYPE. ICMP has many different types, with a different meaning for each.

    A ping leaves your device as an 'echo-request', but the return traffic is an 'echo-reply'.

    Here is an example:

    Code:
    # allow certain inbound ICMP types (ping, traceroute..)
    /sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
    I am not saying that this is what you need, just something to look at when you are determining what you want to do. A reference, if you will.

    Regards
    Robert


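As an added illustration (not code from the thread or from either poster), here is a small shell lint for the pattern in the original ruleset: a DROP-policy chain whose ESTABLISHED,RELATED accept rule is pinned to `-p tcp`, so that ICMP echo-reply and UDP replies (DNS answers, for instance) to the host's own outbound traffic never match it and fall through to the DROP policy. The two rulesets are constructed samples; the `lint_state_rules` function name is this example's own.

```shell
#!/bin/sh
# Added example: lint an iptables-save dump for a DROP-policy chain whose
# ESTABLISHED,RELATED accept rule is restricted to one protocol (-p tcp), so
# ICMP echo-reply and UDP replies to the host's own traffic are dropped.
# Constructed sample: the original poster's INPUT chain, trimmed.
BROKEN_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
# Same ruleset with "-p tcp" dropped from the stateful rule: conntrack now matches replies of any protocol.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# lint_state_rules RULESET
# Prints one finding per DROP-policy chain whose stateful accept rules are all
# protocol-restricted (or missing); returns 1 if anything was found, else 0.
lint_state_rules() {
    rules=$1
    status=0
    # chains declared with policy DROP, e.g. ":INPUT DROP [0:0]" -> INPUT
    for chain in $(printf '%s\n' "$rules" | awk '/^:[A-Z]+ DROP/ { sub(":", "", $1); print $1 }'); do
        state_rules=$(printf '%s\n' "$rules" \
            | grep -E "^-A $chain .*--state [A-Z,]*ESTABLISHED.*-j ACCEPT" || true)
        if [ -z "$state_rules" ]; then
            echo "$chain: policy DROP but no ESTABLISHED,RELATED accept rule"
            status=1
        # fine if at least one stateful rule carries no -p tcp/udp/icmp restriction
        elif ! printf '%s\n' "$state_rules" | grep -Ev -- '-p (tcp|udp|icmp)' | grep -q .; then
            echo "$chain: ESTABLISHED,RELATED accept is pinned to one protocol; ICMP/UDP replies will be dropped"
            status=1
        fi
    done
    return $status
}

lint_state_rules "$BROKEN_RULES" || echo "lint failed with status $?"
lint_state_rules "$FIXED_RULES" && echo "fixed ruleset: no findings"
```

Run it against `iptables-save` output on a real host to check the same condition; the stateful rule on the page would be flagged, the same rule without `-p tcp` would not.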