  1. #1 pedrommone

    IPtables settings

    My IPTables rules are blocking my server from connecting to an external HTTP server and MySQL. I want to block all input connections, just allow SSH, and allow only some output ports, since it's a proxy server.

    Code:
    [
    "iptables --flush",
    "iptables -P INPUT DROP",
    "iptables -P FORWARD DROP",
    "iptables -P OUTPUT DROP",
    "iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -o eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 7171 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 7175 -m state --state NEW,ESTABLISHED -j ACCEPT"
    ]
    Thanks in advance

  2. #2 Lazydog (Linux Guru)
    Quote Originally Posted by pedrommone
    My IPTables rules are blocking my server from connecting to an external HTTP server and MySQL. I want to block all input connections, just allow SSH, and allow only some output ports, since it's a proxy server.

    Code:
    [
    "iptables --flush",
    "iptables -P INPUT DROP",
    "iptables -P FORWARD DROP",
    "iptables -P OUTPUT DROP",
    "iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -o eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 7171 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 7175 -m state --state NEW,ESTABLISHED -j ACCEPT"
    ]
    Thanks in advance
    That rule above is wrong. INPUT should always have -i not -o. IPTABLES should have complained about this.

    That aside, what are you looking to allow in and what are you looking to allow out?
    This would make helping you easier than guessing.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
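
The mismatch Lazydog points at (-o on an INPUT rule) is something a script can catch before the list is ever run against a live box. The following is an added example, not code from the thread: a small linter in Python for a rule list kept exactly the way the posts show it, a list of "iptables ..." strings run top to bottom. It checks the interface flag against the chain (INPUT packets only have an ingress interface, OUTPUT packets only an egress one, so iptables rejects -o on INPUT and -i on OUTPUT) and, going slightly beyond the thread, it also flags the ordering in post #1, where the DROP policies are set before the ACCEPT rules. The sample input is the post #1 list copied verbatim; the names POST1_RULES, parse and lint are mine.

```python
"""Static checks for a list of iptables command strings.

Added example, not code from the thread. It assumes the rules are kept the
way the posts show them: a list of "iptables ..." strings run top to bottom.
"""
import shlex

# An INPUT packet only has an ingress interface and an OUTPUT packet only an
# egress one, so iptables refuses -o on INPUT and -i on OUTPUT (FORWARD may
# use both). User-defined chains are not checked here.
IFACE_FLAGS = {"-i", "--in-interface", "-o", "--out-interface"}
ALLOWED_IFACE_FLAGS = {
    "INPUT": {"-i", "--in-interface"},
    "OUTPUT": {"-o", "--out-interface"},
    "FORWARD": IFACE_FLAGS,
}
ACTIONS = {"-A": "add", "--append": "add", "-I": "add", "--insert": "add",
           "-P": "policy", "--policy": "policy", "-F": "flush", "--flush": "flush"}

# The rule list from post #1, copied verbatim as the sample input.
POST1_RULES = [
    "iptables --flush",
    "iptables -P INPUT DROP",
    "iptables -P FORWARD DROP",
    "iptables -P OUTPUT DROP",
    "iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -o eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 7171 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 7175 -m state --state NEW,ESTABLISHED -j ACCEPT",
]


def parse(cmd):
    """Split one command into (action, chain, remaining args)."""
    argv = shlex.split(cmd)
    if argv[:1] != ["iptables"]:
        raise ValueError(f"not an iptables command: {cmd!r}")
    for i, tok in enumerate(argv):
        if tok in ACTIONS:
            action = ACTIONS[tok]
            if action == "flush":
                return action, None, argv[i + 1:]
            return action, argv[i + 1], argv[i + 2:]
    raise ValueError(f"no -A/-I/-P/-F found in: {cmd!r}")


def lint(rules):
    """Return [(rule_number, message), ...]; an empty list means no findings."""
    findings = []
    first_drop_policy = None   # rule number that first set a DROP policy
    accepts_after_drop = 0     # ACCEPT rules added while that policy was live
    for n, cmd in enumerate(rules, 1):
        action, chain, args = parse(cmd)
        if action == "policy":
            if args[:1] == ["DROP"] and first_drop_policy is None:
                first_drop_policy = n
            continue
        if action != "add":
            continue
        allowed = ALLOWED_IFACE_FLAGS.get(chain, IFACE_FLAGS)
        for flag in sorted(IFACE_FLAGS & set(args)):
            if flag not in allowed:
                findings.append((n, f"{flag} cannot be used in {chain}; iptables rejects this rule"))
        if first_drop_policy is not None and "ACCEPT" in args:
            accepts_after_drop += 1
    if accepts_after_drop:
        findings.append((first_drop_policy,
                         "DROP policy set before the ACCEPT rules: over SSH, traffic is dropped "
                         "until the ESTABLISHED rule lands, and if the runner stops at a rejected "
                         "rule everything after it is missing while the policy is already in force"))
    return findings


if __name__ == "__main__":
    for n, msg in lint(POST1_RULES):
        print(f"rule {n}: {msg}")
```

Run against the post #1 list it reports rule 10 (the -o on INPUT) and rule 2 (DROP policy set before any ACCEPT rule). Both checks are heuristics over the command text; the authoritative parser is iptables itself, and the linter does not replace testing the list on a box you can still reach out of band.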

  3. #3 pedrommone
    Quote Originally Posted by Lazydog
    That rule above is wrong. INPUT should always have -i not -o. IPTABLES should have complained about this.

    That aside, what are you looking to allow in and what are you looking to allow out?
    This would make helping you easier than guessing.
    Well, I'm running a proxy server, so the 'entrance' port is 22 and the output ports are 7171 and 7175; my rules now are:

    Code:
    [
    "iptables --flush",
    "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A OUTPUT -o lo -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 3306 -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 7171 -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 7175 -j ACCEPT",
    "iptables -P INPUT DROP",
    "iptables -P OUTPUT DROP",
    "iptables -P FORWARD DROP"
    ]
    Are they okay now?

  4. #4 Lazydog (Linux Guru)
    They should work. Question: how many interfaces (network connections) does this box have? Also, why have you chosen port 22 (ssh) for this?

    Regards
    Robert

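
The post #3 list is applied one command at a time, with a flush first and the DROP policies last. The usual way to load a ruleset like this on a remote box is through iptables-restore, which replaces the whole table in one operation: the ACCEPT rules and the DROP policies take effect together, and a rule that fails to parse aborts the load without touching the live ruleset. The following is an added example, not code from the thread, that renders the post #3 list (copied verbatim, with the stray character after the loopback rule removed) into the text iptables-restore reads; the names POST3_RULES and to_restore are mine.

```python
"""Turn a list of iptables command strings into iptables-restore input.

Added example, not code from the thread. iptables-restore loads a whole table
in one operation, so the ACCEPT rules and the DROP policies take effect
together and a rule that fails to parse aborts the load without touching the
live ruleset. The input is assumed to be the list from post #3, copied below.
"""
import shlex

POST3_RULES = [
    "iptables --flush",
    "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A OUTPUT -o lo -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 3306 -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 7171 -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp --dport 7175 -j ACCEPT",
    "iptables -P INPUT DROP",
    "iptables -P OUTPUT DROP",
    "iptables -P FORWARD DROP",
]


def to_restore(rules, table="filter"):
    """Render rules as the text iptables-restore reads on stdin.

    Only the filter table's built-in chains, -P and -A are handled; anything
    else raises so a typo cannot silently drop out of the generated ruleset.
    """
    policies = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
    appends = []
    for cmd in rules:
        argv = shlex.split(cmd)
        if argv[:1] != ["iptables"]:
            raise ValueError(f"not an iptables command: {cmd!r}")
        argv = argv[1:]
        if argv[:1] in (["-F"], ["--flush"]):
            continue            # restore replaces the table; flushing is implicit
        if len(argv) == 3 and argv[0] in ("-P", "--policy"):
            policies[argv[1]] = argv[2]
        elif len(argv) > 2 and argv[0] in ("-A", "--append"):
            appends.append(shlex.join(["-A"] + argv[1:]))
        else:
            raise ValueError(f"unsupported command: {cmd!r}")
    lines = [f"*{table}"]
    lines += [f":{chain} {policy} [0:0]" for chain, policy in policies.items()]
    lines += appends
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pipe the output into `sudo iptables-restore`; `iptables-restore --test`
    # parses and builds the ruleset without committing it.
    print(to_restore(POST3_RULES), end="")
```

The generated file opens with `*filter`, declares the three built-in chains with their DROP policies, lists the ten `-A` rules in the original order and ends with `COMMIT`. Before committing over SSH, the iptables package also ships `iptables-apply`, which loads a ruleset and rolls it back unless you confirm within a timeout; that is the safety net a remote default-deny change should have regardless of how the rules are written.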

  5. #5 pedrommone
    One network interface; 22 is the SSH port, so...

  6. #6 Lazydog (Linux Guru)
    You are aware that port 22 is the top port that hackers attack. Are you running a proxy for just SSH connections, or are you doing more?

    Regards
    Robert


  7. #7 pedrommone
    I mean, it's for games, so I have many output ports, but the input is 22...
