Hi guys, I'm trying to configure iptables to only allow certain ports access.
I set the first set of rules to block everything and then subsequently open ports as needed, but everything still seems to be blocked.
I have read that the order matters (new to iptables), perhaps this is an issue. Google has not been very helpful.
What am I doing wrong here?
EDIT: OS is Debian and Iceweasel browser. If that's relevant.
Code:
#!/bin/bash
#Drop all
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#Outbound
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 7465 -j ACCEPT
#Inbound
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7465 -j ACCEPT
#Forwarded
iptables -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 7465 -j ACCEPT
Last edited by 3therk1ll; 12-08-2013 at 12:55 AM..
Think of the direction of the packet in the INPUT section. dport describes what?
Say your client software grabs a random local port, 68123, and starts the TCP handshake with an SSH service on 22 elsewhere. The reply comes back to you on 68123 and is ... DROP.
Generally the first rule looks like this:
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Are you running services you want to allow access to, or are all these ports for outgoing traffic? Is this a server or desktop or router?
This would allow OUTGOING web traffic:
Code:
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
ah i see you edited it. I'm guessing your individual INPUT rules are mostly useless, and you'd see 0 under them in iptables -L -v -n since your OUTPUT allows the connection request, and the "-m state" rule does the rest.
Last edited by neutronscott; 12-09-2013 at 12:17 AM..
This is just for my laptop but it is something I'd like to implement on my desktop too at some point, just testing it here..
Is the 'FORWARDED' flag more for use with routers?
What I'm looking to do is drop all traffic and then only allow IN/OUT certain ports and services as I need them.
The problem I had before was websites I was connecting to had the default ports changed, ie 587 for example rather than 80.
I want the rules to block anything coming in that hasn't already been established by me initiating a connection.
Example:
I initiate to connect to a webserver on local 80
Webserver responds on 587 and the connection is allowed because I initiated it in the first place.
Ideally to happen without explicitly specifying each and every port/service individually.
If being explicit is the best or safest way, so be it, just want to get it done effectively.
Would it be best to only have
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Rather than the same for
Code:
INPUT,OUTPUT,FORWARD
?
If that is the case, what should it look like based on my previous posts.
Much appreciate your help by the way buddy, sorry if I'm a little slow on the uptake!
Hello Gurus,
I want One user to su to another without allowing root access and password.
I want to run a specific command as below from user am663:
---------------------------------------------------------
sudo -u appsprj4 /home/appsrj4/scripts/start_apache.sh
-------------------
But... (6 Replies)
As I do a ssh <nis_user>@server1 from server2, ssh prompts for certificates (as expected the first time), then it prompts for the users password, as soon as I enter the password, I get a Connection to server1 closed by remote host, and connection to server1 closed. and I disconnect back to the... (3 Replies)
Hello!
I run an HP Unix system which I host oracle databases on, as well as oracle based apps used by my company. My IA department needs to scan my files to ensure I am following IA procedures and check for vulnerabilities in scripts etc. The scan is coming from corporate, and they asked for... (2 Replies)
Hi Friends,
samba for annonymouse setup but not allowing me to write when i tried to browse from windows 7 box
conf as below
#testparm
Load smb config files from /etc/samba/smb.conf
Processing section ""
Processing section ""
Processing section ""
Loaded services file OK.
Server... (0 Replies)
The server that provides the time synchronization must be configured to allow its clients to verify its authenticity using symmetric cryptography.
4. Singapore Polytechnic, Dover, Singapore,Mr Kam, and Computer Engineering
I don't think there is any coding since it is just configuring... (3 Replies)
I have encountered some problems in my school work.
Here is the question:
The server that provides the time synchronization must be configured to allow its clients to verify its authenticity using symmetric cryptography.
Much Appreciated!:) (1 Reply)
I've written a python program where I want to allow members of a specific group the ability to kill it, and I'm not sure how to do it. I've been looking at the setuid() and setgid() and similar functions in the os module, but haven't been able to get them to work. I can't seem to change the uid or... (1 Reply)
I am trying to transpose tables listed in the format into format. Any help would be greatly appreciated.
Input:
test_data_1
1 2 90%
4 3 91%
5 4 90%
6 5 90%
9 6 90%
test_data_2
3 5 92%
5 4 92%
7 3 93%
9 2 92%
1 1 92%
...
Output:... (7 Replies)
I need to set up an application to run in a script which will be running as a web server but is a database. I need to allow users to use the web server but the app must be run as root in order for the ports to be accessible. This is not a very secure environment would like to know how this could... (2 Replies)
