Iptables rules For PING, Whois, DNS, NTP, SSH, HTTP(S), FTP

Here is the file I load with iptables-restore on a freshly installed Debian 8. The only thing I've changed is using port 22022 for SSH in the /etc/ssh/sshd_config file.

----- SEE UPDATE BELOW-----

As soon as I load this file, I can't access this Debian in any way; even ping is not working. There is nothing in the /var/log/messages file about any error. This is my first try at configuring iptables. I've read many docs about it, but there is something I'm doing wrong somewhere. Could you point out what happened here?

    *filter
    #----------
    # Local loop
    #----------
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

    #----------
    # Connections already established
    #----------
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    #----------
    # PING
    #----------
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

    #----------
    # SSH
    #----------
    -A INPUT -p tcp --dport 22022 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp --dport 22022 -m state --state NEW,ESTABLISHED -j ACCEPT

    #----------
    # HTTP
    #----------
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A OUTPUT -p tcp --dport 80 -j ACCEPT

    #----------
    # HTTPS
    #----------
    -A INPUT -p tcp --dport 443 -j ACCEPT
    -A OUTPUT -p tcp --dport 443 -j ACCEPT

    #----------
    # FTP
    #----------
    -A INPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

    #----------
    # Logs
    #----------
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 4

    #----------
    # DROP everything else
    #----------
    -A INPUT -j DROP
    -A OUTPUT -j DROP
    -A FORWARD -j DROP

    COMMIT

----- UPDATE -----

Now I have NTP, Ping, DNS, Whois, SSH, HTTP(S) and FTP working. Hurrah. Here is the new file; if you see something weird, tell me. I've also learned that using FTP (TLS/SSL) with vsftp (which I use) needs some good skills to configure, and I've not found any good solution for now. I really hope that I'll figure this out, because I won't keep 'clear' FTP like this. If you have any idea. Thanks again for your help, both answers were good, I can't choose one ;)

(by the way, I now use an sh script so I can load the modules)

    #!/bin/sh

    #----------
    # Load needed modules
    #----------
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp

    #----------
    # Local loop
    #----------
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

    #----------
    # Connections already established
    #----------
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    #----------
    # NTP
    #----------
    iptables -A INPUT -p udp --sport 123 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

    #----------
    # PING
    #----------
    iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    #----------
    # DNS
    #----------
    # UDP
    iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    # TCP
    iptables -A INPUT -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

    #----------
    # WHOIS
    #----------
    iptables -A INPUT -p tcp --sport 43 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 43 -j ACCEPT

    #----------
    # SSH
    #----------
    # Incoming
    iptables -A INPUT -i eth0 -p tcp --dport 22022 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 22022 -m state --state ESTABLISHED -j ACCEPT
    # Outgoing
    iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

    #----------
    # HTTP
    #----------
    # Incoming
    iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    # Outgoing
    iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

    #----------
    # HTTPS
    #----------
    # Incoming
    iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
    # Outgoing
    iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

    #----------
    # FTP
    #----------
    # Incoming
    iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

    #----------
    # Logs
    #----------
    #-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 4

    #----------
    # DROP everything else
    #----------
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP
    iptables -A FORWARD -j DROP

    exit 0

Replies

After these rules:

    -A OUTPUT -p tcp --dport 22022 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp --dport 80 -j ACCEPT
    -A OUTPUT -p tcp --dport 443 -j ACCEPT
    -A OUTPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -j DROP

all you can send out of the machine is HTTP(S) requests, some FTP connections and SSH connections destined to port 22022. But not, for example, responses originating from your SSH server, since their destination would be some random port chosen by the client (likely not 22022, except by chance). In the same way, responses from your HTTP server won't go out either, and neither are ICMP echo-replies allowed.

If you want to only allow packets sent by, say, your SSH server, you'll need to allow packets sent from port 22022, so --sport 22022.

Though even if you allow the SSH server to respond, you'll soon notice that you can't make many outgoing requests. You did allow HTTP requests, but for example outgoing DNS queries will not go out. Consider how tight you are willing to make the output rules. I'd suggest at least adding -m state --state ESTABLISHED -j ACCEPT and a -j LOG rule to the OUTPUT chain to start with.
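The answer above ends by suggesting a -j LOG rule on the OUTPUT chain so you can see what the tight rules are dropping before loosening them. As an added example (not part of the answer), here is a POSIX sh function that summarises netfilter LOG lines by chain, protocol and service port. The sample lines are constructed to mimic the kernel's LOG format with the question's "iptables denied: " prefix and RFC 5737 documentation addresses; they are not from the asker's machine, and the "lower-numbered port is the service port" rule is a triage heuristic, not something iptables guarantees.

```shell
#!/bin/sh
# Added example: summarise "iptables denied: " kernel log lines so you can see
# which replies or outgoing requests a tight OUTPUT chain is dropping.
# The log lines below are constructed to look like netfilter LOG output;
# they are not from the asker's machine.

# Constructed sample: 4 OUTPUT drops (2x DNS query, 1x SSH server reply,
# 1x ICMP echo-reply) and 1 INPUT drop (a telnet probe).
sample_log() {
    cat <<'EOF'
Jul 28 10:01:02 debian kernel: [ 100.1] iptables denied: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
Jul 28 10:01:03 debian kernel: [ 101.2] iptables denied: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40002 DPT=53 LEN=40
Jul 28 10:01:04 debian kernel: [ 102.3] iptables denied: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=22022 DPT=51234 WINDOW=29200 RES=0x00 ACK SYN URGP=0
Jul 28 10:01:05 debian kernel: [ 103.4] iptables denied: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=ICMP TYPE=0 CODE=0 ID=9 SEQ=1
Jul 28 10:01:06 debian kernel: [ 104.5] iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
}

# Read log lines on stdin; print "count  CHAIN proto port", most frequent first.
# The port shown is the lower-numbered side of the pair, a heuristic for the
# service port: on OUT lines "spt=22022" means a reply *from* the SSH server
# was dropped, "dpt=53" means an outgoing DNS query was dropped.
summarize_denied() {
    awk '/iptables denied: / {
        dir = "IN"; proto = ""; spt = ""; dpt = ""; type = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^OUT=./)        dir = "OUT"   # non-empty OUT= means an outgoing packet
            else if ($i ~ /^PROTO=/)  proto = tolower(substr($i, 7))
            else if ($i ~ /^SPT=/)    spt = substr($i, 5)
            else if ($i ~ /^DPT=/)    dpt = substr($i, 5)
            else if ($i ~ /^TYPE=/)   type = substr($i, 6)
        }
        if (proto == "icmp")
            key = dir " icmp type=" type
        else if (spt + 0 < dpt + 0)
            key = dir " " proto " spt=" spt
        else
            key = dir " " proto " dpt=" dpt
        count[key]++
    }
    END { for (k in count) printf "%6d  %s\n", count[k], k }' | sort -rn
}

# Real use on Debian 8 (rsyslog): summarize_denied < /var/log/kern.log
case "${1:-}" in
    demo) sample_log | summarize_denied ;;
esac
```

Running `sh summarize.sh demo` on the constructed sample prints four lines: two dropped DNS queries, one dropped SSH reply, one dropped echo-reply, and one inbound telnet probe. The first three are exactly the symptoms described in the answer, and each maps directly to a missing OUTPUT rule (or to the single ESTABLISHED,RELATED rule that would cover the replies).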

As ilkkachu said in his answer, your output rules don't do what (I guess) you want them to.

Some advice:

  • Instead of explicitly ending your chains with a DROP rule, set a DROP policy for them instead with iptables -P INPUT DROP (and similarly for OUTPUT and FORWARD). Then you can add rules to the chains with iptables -A <chain>; the policy is automatically applied to any packet that reaches the end of the chain.
  • Add a rule to the OUTPUT chain allowing traffic on established and related connections, with iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT, totally similar to the one you have in the INPUT chain. Then responses to anything you've allowed incoming will be allowed, with no need to think about how that particular protocol works.
  • Consider adding rules allowing your server to make outgoing DNS requests (remember both UDP and TCP).
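Putting the two answers together (ilkkachu's point that replies from your own servers leave through the OUTPUT chain with the service port as *source* port, and the three pieces of advice just above), here is an added example that is neither the asker's file nor either answerer's code: a POSIX sh script that prints a complete iptables-restore ruleset following that advice, plus a small lint that flags the mistake in the original file. Port 22022 comes from the question; eth0 as the external interface, the log prefixes and the set of permitted outgoing services (DNS, NTP, whois, HTTP(S), ping) are assumptions you would adjust.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset that follows both answers.
#  - DROP policies on INPUT/OUTPUT/FORWARD instead of a trailing DROP rule
#  - ESTABLISHED,RELATED accepted on OUTPUT too, so server replies get out
#  - explicit outgoing DNS over UDP and TCP (plus NTP, whois, HTTP(S), ping)
# SSH_PORT=22022 is from the question; WAN_IF and the log prefixes are assumed.

SSH_PORT="${SSH_PORT:-22022}"
WAN_IF="${WAN_IF:-eth0}"

# Print the ruleset on stdout (iptables-restore format, IPv4 only; ip6tables
# keeps its own separate rules).
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, and nothing claiming to be 127/8 from elsewhere
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# conntrack in BOTH directions: this single OUTPUT rule is what lets replies out
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ping: the echo-reply leaves as ESTABLISHED, no OUTPUT rule needed
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# services this host offers: only the NEW packet needs a rule
-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 21 -m state --state NEW -j ACCEPT
# clients this host runs: DNS (udp+tcp), NTP, whois, http(s), outgoing ping
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 43,80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT
# log what is about to hit the DROP policy, rate limited
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied IN: " --log-level 4
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied OUT: " --log-level 4
COMMIT
EOF
}

# Lint: read a ruleset on stdin and fail unless the OUTPUT chain has an
# unconditional ESTABLISHED(,RELATED) accept. The asker's first file only had
# "-A OUTPUT ... --dport 22022 ... --state NEW,ESTABLISHED", which never
# matches replies sent *from* port 22022, hence the lockout.
lint_output_chain() {
    if grep -Eq -- '^-A OUTPUT -m state --state (ESTABLISHED|ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT'; then
        return 0
    fi
    echo "warning: OUTPUT chain has no ESTABLISHED,RELATED accept; server replies will be dropped" >&2
    return 1
}

# "sh gen-rules.sh print > /etc/iptables/rules.v4" writes the ruleset;
# "sh gen-rules.sh lint < some-rules-file" checks an existing one.
case "${1:-}" in
    print) gen_rules ;;
    lint)  lint_output_chain ;;
esac
```

To avoid a repeat of the lockout, load the generated file with `iptables-apply -t 60 rules.v4` (shipped with Debian's iptables package): it applies the rules and rolls them back unless you confirm within the timeout from a session that still works. FTP data connections are covered by the RELATED state only when the nf_conntrack_ftp helper is loaded (the asker's modprobe lines do that; on kernels 4.7 and later automatic helper assignment is off by default, so the helper additionally has to be assigned with a CT rule or the nf_conntrack_helper sysctl).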
Category: iptables   Time: 2016-07-28   Tags: iptables
