IPTABLES
06-11-2007 12:44 AM
It's a web server.
If I remove rule nr 1 then access to the webpage is blocked. And I don't know why, as rule nr 4 says to allow tcp at port 80?
I just want to block any ssh traffic except my computer's IP address.
Can anyone help?
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.1 192.168.0.2 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:69 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:69 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3306 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5555 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8002 state NEW
DROP all -- 0.0.0.0/0 0.0.0.0/0
06-11-2007 12:57 AM
Re: IPTABLES
Rule 1 should apply to the loopback device (lo). Without it you may have lots of problems with network based services.
Rules 2 and 4 should apply to (eth0) and allow the web server to run.
Rule 1 may break internal services used by the web server.
I use the shoreline firewall (shorewall) to configure my firewall. It also provides nice status services to check the state of the firewall.
06-11-2007 01:27 AM
Re: IPTABLES
Your results are expected.
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Default policy is drop, which is overridden by the ACCEPT all policy.
So I'm kind of wondering what the point here is.
Anyway, let's take the current policy and make it work.
Let's say the local LAN is the 192.168.0.0 network. Let's also say it's a Class C, netmask 255.255.255.0.
Let's say your external IP address is 66.102.55.104, also Class C.
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -s 66.102.55.104 -j DROP
The rest of your rules, as inconsistent as they are, will work. iptables is read top down; once a rule match is found it stops checking.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
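As an added example that is not part of the thread: the top-down, first-match behaviour described in the reply above can be checked mechanically. The script below audits an iptables-save dump for the two problems under discussion, a rule with no match criteria that makes every rule after it dead, and the absence of an accept rule for the loopback interface. The dump is constructed here to mirror the poster's INPUT chain (the 192.168.0.x addresses come from that listing); it needs only sh, awk and grep, and no root, since it never touches the live firewall.

```shell
#!/bin/sh
# Added example, not from the original thread. SAMPLE_RULES is a constructed
# iptables-save dump of the poster's INPUT chain (trimmed to the rules that
# matter for the audit); the addresses are the ones shown in the listing.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.1/32 -d 192.168.0.2/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
COMMIT'

# Position (1-based, counting only "-A INPUT" lines) of the first rule that
# has no match criteria at all, i.e. "-A INPUT -j TARGET". Prints nothing if
# no such rule exists or if nothing follows it (a trailing catch-all DROP is
# harmless: it only duplicates the chain policy).
shadowing_rule() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }
        /^-A INPUT -j (ACCEPT|DROP|REJECT)$/ && !first { first = n }
        END { if (first && n > first) print first }'
}

# Number of INPUT rules that come after the first unconditional rule.
# iptables stops at the first match, so none of them can ever run.
dead_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }
        /^-A INPUT -j (ACCEPT|DROP|REJECT)$/ && !first { first = n }
        END { if (first && n > first) print n - first; else print 0 }'
}

# True when the chain accepts traffic arriving on the loopback interface.
has_loopback_accept() {
    printf '%s\n' "$1" | grep -q '^-A INPUT -i lo -j ACCEPT$'
}

audit() {
    pos=$(shadowing_rule "$1")
    if [ -n "$pos" ]; then
        echo "INPUT rule $pos matches everything; $(dead_rules "$1") rule(s) after it never run"
    fi
    if ! has_loopback_accept "$1"; then
        echo "no '-i lo -j ACCEPT' rule: local services talking over 127.0.0.1 fall through to the DROP policy"
    fi
}

audit "$SAMPLE_RULES"
```

On a live host, feed it `iptables-save -t filter` instead of the constructed sample. For the poster's chain it reports that rule 1 shadows the five rules after it, which is why the SSH restriction in rule 3 has no effect while rule 1 is present.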
06-11-2007 01:55 AM
Re: IPTABLES
sudo /sbin/iptables -R INPUT 1 -i lo -j ACCEPT
then I'm losing the connection with the server.
:(
06-11-2007 02:50 AM
Re: IPTABLES
1. ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 - if I remove this rule the webpage gets blocked.
2. ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED - I want to keep every established connection and those related to it.
3. ACCEPT tcp -- 81.xxx.xxx.xxx 217.xxx.xxx.xxx tcp dpt:22 state NEW - Accept ssh connections from my office to the remote directory where the server is located.
4. ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW - to accept every connection from the internet to the web server using http.
5. ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW - Accept https connections to this server.
...
And so on with other protocols.
I've put this first rule (to accept all) because people couldn't open the webpage.
I want to drop all connections of all types EXCEPT those listed.
But as soon as I remove the Accept all rule at the first position, my webpage gets blocked.
Cheers
06-11-2007 03:26 AM
Re: IPTABLES
Solution
You have to add rules to accept everything from localhost and its interfaces, or you will be blocking yourself and you will have a lot of problems with network services.
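An added example, not the poster's or the answerer's own script: the ruleset the thread is working towards, written as an iptables-restore file so it loads atomically instead of rule by rule. The order follows the accepted answer (loopback first, then existing connections, then the individual services), the SSH rule is restricted to one source address, and there is no catch-all ACCEPT. The admin address is a parameter; 192.168.0.1 is only the value from the poster's listing, and the `apply_ruleset` helper assumes iptables-restore is present and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints an iptables-restore
# file implementing: default DROP, loopback accepted, established traffic
# kept, SSH only from $1, HTTP and HTTPS from anywhere.
gen_ruleset() {
    admin_ip=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback first: local services (DB, resolver, app backends) talk over lo
-A INPUT -i lo -j ACCEPT
# 2. packets belonging to connections this host already has, which includes
#    the SSH session used to load these rules
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 3. new SSH sessions only from the admin address
-A INPUT -p tcp --dport 22 -s ${admin_ip} -m state --state NEW -j ACCEPT
# 4. public web
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# everything else falls through to the chain policy (DROP); no catch-all
# "-j ACCEPT" rule, and no trailing "-j DROP" rule is needed either
COMMIT
EOF
}

# Position (1-based, counting only "-A INPUT" lines) of the first rule
# containing the given fragment; empty if no rule contains it.
rule_position() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^-A INPUT / { n++; if (index($0, want)) { print n; exit } }'
}

# Load the ruleset only if it parses (assumes root and iptables-restore).
# Because the whole table is replaced in one step and rule 2 keeps the
# current SSH session, this does not lock the administrator out.
apply_ruleset() {
    gen_ruleset "$1" | iptables-restore --test && gen_ruleset "$1" | iptables-restore
}

RULES=$(gen_ruleset 192.168.0.1)
printf '%s\n' "$RULES"
```

Usage: `sh thisscript.sh > /etc/iptables.rules` to inspect the result, then `apply_ruleset 192.168.0.1` from a root shell. The other services in the poster's listing (25, 110, 3306 and so on) can be appended in the same `--state NEW` form after the web rules; anything that should only be reachable locally, such as MySQL on 3306, is better left out entirely, since the loopback rule already covers local clients.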
06-11-2007 03:29 AM
Re: IPTABLES
http://easyfwgen.morizot.net/gen/index.php
06-11-2007 05:34 AM
Re: IPTABLES
I think your approach is wrong.
http://www.fs-security.com/
Site is down for me right now. It's available in many Fedora yum repos.
SEP
06-11-2007 05:46 AM
Re: IPTABLES
Personally, I prefer to go look at my iptables shell script or the output from iptables-save instead. I usually don't care about the counters and I find the original iptables commands just as easy to read, especially if they're in a file with comments.
06-11-2007 08:16 PM
Re: IPTABLES
pkts bytes target prot opt in out source destination
3 144 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
Ok
So my question is why ssh is rejected in this situation? SSHD is up and running. As soon as I do:
iptables -I INPUT -j ACCEPT
everything works fine, but obviously I don't like this rule.
Cheers