IPTABLES! help!

[halonothing]

wtf is wrong with this picture? i thought :OUTPUT ACCEPT [0:0] means accept all outgoing traffic. Yet i cannot ping out, cannot ssh out, cannot telnet out etc..

p.s. can anyone tell me what the [0:0] means in those chains?

Code:

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# -A INPUT -i eth0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3784 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 3784 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT


COMMIT

(side note, for some reason when i run

Code:

root@klezmer:# iptables -P INPUT ACCEPT

it opens outgoing traffic. I'm stumped.

[Lazydog]

Ping uses ICMP. You need to read up on ICMP to see why it is not working.
While the outgoing ping is on one port the return is on another. Your rule

Code:

-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

Will not match thus the packet will move down the INPUT rule chain until a rule is matched or it is dropped.

Google on 'ICMP and IPTABLES' should get you a lot of web sites on the subject.

[halonothing]

Will do, however i guess i'm confused the difference between "OUTPUT" and "INPUT". I was under the impression the INPUT referred to packets that are being recieved by the kernel from an external source, whereas OUTPUT would be a packet sent from an internal device (term, tty...) on the server to the kernel, then out to the world.

Doesn't that first Chain rule :

OUTPUT ACCEPT [0:0] say, "ACCEPT all traffic being sent from this machine"? whereas INPUT DROP [0:0] says, "DROP all packets from incoming connections unless they meet the following rules" (then to my INPUT rules)?

[Lazydog]

Will do, however i guess i'm confused the difference between "OUTPUT" and "INPUT". I was under the impression the INPUT referred to packets that are being recieved by the kernel from an external source, whereas OUTPUT would be a packet sent from an internal device (term, tty...) on the server to the kernel, then out to the world.

Use the KISS (Keep It Super Simple)
INPUT = packet coming to the machine that are destine for that machine.
OUTPUT = packet leaving the machine that started on the machine
FORWARD = Packets that are passing through the machine destine for another.
Everything passes through the kernel.

Doesn't that first Chain rule :

OUTPUT ACCEPT [0:0] say, "ACCEPT all traffic being sent from this machine"? whereas INPUT DROP [0:0] says, "DROP all packets from incoming connections unless they meet the following rules" (then to my INPUT rules)?

Yes the OUTPUT ACCEPT allows all packets to leave the machine, but in your case the ICMP replies are not returned on the same TYPE. ICMP has many different types with different meaning for each.

A ping leave your device as an 'echo-request' but the return traffic is an 'echo-reply'

Here is an example:

Code:

# allow certain inbound ICMP types (ping, traceroute..)
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT

I am not saying that this is what you need just something to look at when you are determining what you what to do.
A reference if you will.