Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
I am trying to apply these firewall rules over SSH. When I run the script with ./script.sh, the terminal hangs and I am forced to quit using the ~. escape sequence. The rules are applied, but my SSH connection is dropped and my terminal hangs. However, when I do bash -x ./script.sh, it runs the script while outputting debug information and doesn't interrupt my session.
My firewall rules are simple. Allow incoming/outgoing SSH and allow outgoing DNS and HTTP/S for updates.
This behavior was witnessed on Red Hat, Debian, and Ubuntu machines.
I assume you are running the script in an SSH session established on the default port 22. If so, please replace the SSH rules
iptables -A INPUT -p tcp -m tcp --dport 22 -m limit --limit 5/minute --limit-burst 15 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
with a less restrictive set, i.e.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Once you get it working, you can add the more restrictive parameters back to these simpler rules one at a time.
Please consider that if your INPUT rule includes --state NEW, only new SSH connections will be accepted; already established ones will not.
Move this rule to the top and test again:
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
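The answer above boils down to rule order: the SSH session you are typing in is an ESTABLISHED flow, so a conntrack ACCEPT has to come before any NEW-only SSH rule and before the default policy flips to DROP. The script below is an added example (not the asker's script and not from the answer) that applies the question's rule set in that order and arms a rollback timer so a mistake cannot lock you out. It assumes iptables with the conntrack match, SSH on port 22 unless SSH_PORT is set, and that IPTABLES can be pointed at a stub function or at echo for a dry run.

```shell
#!/bin/sh
# Added example: apply a minimal stateful rule set from inside an SSH session
# without cutting that session off.
# Assumptions: iptables with -m conntrack; SSH on $SSH_PORT (default 22);
# $IPTABLES may name a stub function for a dry run.
IPTABLES="${IPTABLES:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

open_everything() {
  # Fail-open reset: set ACCEPT policies before flushing, so no packet is
  # dropped in the window between the two steps.
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -F
}

apply_rules() {
  open_everything
  # 1. Conntrack rule goes FIRST. The SSH session you are typing in is an
  #    ESTABLISHED flow; a rule that only matches NEW never sees its packets.
  "$IPTABLES" -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT  -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
  # 2. New inbound SSH, rate limited against brute forcing.
  "$IPTABLES" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
      -m limit --limit 5/minute --limit-burst 15 -j ACCEPT
  # 3. Outbound DNS and HTTP/S so package updates work; the replies come back
  #    in through the ESTABLISHED rule above.
  "$IPTABLES" -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
  "$IPTABLES" -A OUTPUT -p tcp -m multiport --dports 53,80,443 \
      -m conntrack --ctstate NEW -j ACCEPT
  # 4. Only now flip the default policies to DROP.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP
}

# Safety net for remote work: a background timer reopens the firewall unless
# you cancel it after confirming the session still responds.
arm_rollback() {
  ( sleep "$ROLLBACK_SECS" && open_everything ) &
  echo "$!"
}

if [ "${1:-}" = "apply" ]; then
  timer=$(arm_rollback)
  apply_rules
  echo "rules applied; run 'kill $timer' within ${ROLLBACK_SECS}s to keep them"
fi
```

Run it as ./firewall.sh apply; if the prompt comes back, kill the printed timer PID, otherwise wait and the firewall reopens by itself. For a dry run, export IPTABLES=echo and read the rule sequence it would issue.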
Closed 6 years ago.
Alright, this has not happened before in my past experience of coding and using Linux, but right now, when I start up iptables, I cannot access my website in any way. SSH still works.
My operating system:
CentOS Linux release 7.2.1511 (Core)
And the contents of my iptables config:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
If anyone could help me fix this problem, it'd be great.
iptables -I INPUT 3 -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443 -j ACCEPT
If you could read the manual of iptables, it also would be great.
Closed 7 years ago.
I need help excluding a single IP address from a PREROUTING rule on all ports.
Anybody who connects to my access point gets redirected to my Captive Portal (landing page). Therefore I want to make a new rule; I don't want my existing PREROUTING rule to be modified/deleted.
The PREROUTING rule I already made routes incoming ports, except port 22 (SSH), to the captive portal. This is the rule I use:
sudo iptables -t nat -A PREROUTING -p tcp --match multiport ! --dport 22 ! -s 192.168.42.19 -j DNAT --to-destination 192.168.42.1:8080
What I want is to make an exclusion for specific users, therefore I want to stop certain ip addresses from being forwarded.
I tried different things, but I can't get anything to work.
I tried different INPUT and OUTPUT rules, but no luck. I think I should do something with PREROUTING, but how?
If you're just trying to prevent some traffic from hitting a specific rule, you could put a RETURN or ACCEPT rule for that traffic before the rule you're trying to avoid.
For example, you could change your current rule to three rules:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.42.19 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination 192.168.42.1:8080
Note the difference between ACCEPT and RETURN (from iptables(8) man page):
ACCEPT means to let the packet through.
RETURN means stop traversing this chain and resume at
the next rule in the previous (calling) chain.
Using this approach, you could leave your current rule alone and precede it with an arbitrary number of rules that describe the different types of traffic you don't want to hit your NAT rule.
Looking at iptables counters is a good way to tell whether your traffic is hitting the rules that you expect (e.g. iptables -t nat -L PREROUTING -vn).
Closed 8 years ago.
I have a problem with connecting through FTP when iptables is enabled. I've tried all suggestions from this topic and a few others, but I'm still getting:
Error: Connection timed out
Error: Could not connect to server
There's no problem with connection when I turn off iptables, so I'm sure this is what's causing the issue.
This is what my iptables file looks like:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2020 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Allow FTP connections # port 21
-A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
COMMIT
First of all, the order of the rules is important. Since you have specified the REJECT rule before the FTP ACCEPT rules, FTP packets are rejected by that rule before reaching the relevant rules and having any chance of getting accepted.
Secondly, the link you've mentioned in your question discusses the rules required by the server, and not by the client. The appropriate rules for the client are opposite.
Since the default policy of the OUTPUT chain is ACCEPT, and you have allowed packets of ESTABLISHED or RELATED connections into your machine, passive-mode FTP should already be supported by your rule set.
In order to support active-mode FTP as well, you need to allow incoming TCP connections originating from the server at port 20, as follows:
iptables -A INPUT -p tcp --sport 20 -j ACCEPT
This link supplies a concise summary of the rationale for the above rules.
Since in active-mode FTP the data connection's hosts and ports can be reliably and easily determined from the control connection's hosts and ports, I think that loading the nf_conntrack_ftp module would prove the ad-hoc rule for allowing incoming TCP connections originating from the server at port 20 redundant. I haven't checked this, but loading the module with modprobe nf_conntrack_ftp might suffice because incoming RELATED and ESTABLISHED traffic is allowed. This approach would be preferable since it's a bit more secure.
The rule should be as given below:
$IPT -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
The INPUT chain should have destination port 21 opened for incoming connections. Let me know your feedback after trying this out.
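Two of the posts above fail for the same reason: a rule appended after the chain's catch-all REJECT can never match. In the CentOS web-server question the fix is inserted at position 3, ahead of the REJECT; in the FTP question the ACCEPT rules were appended after it, which is the first answer's point. The following added example (not from either post) is a small linter over iptables-save output that reports such unreachable rules. It assumes iptables-save ordering, where -j is the last option of each rule, and the sample dump is constructed from the FTP question's file.

```shell
#!/bin/sh
# Added example: report rules in an iptables-save dump that can never match
# because an unconditional REJECT/DROP precedes them in the same chain.
# Assumption: iptables-save ordering, where -j is the last option of a rule,
# so a rule whose first option is -j has no match and is a catch-all.

unreachable_rules() {
  # Reads a dump on stdin; prints "<line>: <rule>" for each dead rule.
  awk '
    /^-A / {
      chain = $2
      # Anything appended after the chain hit its catch-all is dead.
      if (chain in dead) { printf "%d: %s\n", NR, $0; next }
      if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) dead[chain] = NR
    }
  '
}

# Constructed sample: the CentOS 7 default rule set with the FTP client rules
# from the question appended after the REJECT line (line 11 is the dead one).
sample_dump() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2020 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

if [ "${1:-}" = "demo" ]; then
  sample_dump | unreachable_rules   # on a live box: iptables-save | unreachable_rules
fi
```

The OUTPUT rule on the last line is not reported because the OUTPUT chain has no catch-all; only the INPUT rule sitting behind the REJECT is dead. Moving it above the REJECT (or using -I INPUT N as the web-server answer does) makes the report empty.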
Closed 2 years ago.
I inherited a complex iptables script acting as our gateway/router. It handles everything well, including NAT and hairpin NAT. It also does port forwarding. However, the port forwarding can't be restricted by source IP, so if port 25 is forwarded, every IP can connect to that port.
The FORWARD chain policy is ACCEPT. I tried to change it to DROP and built some rules, but it seems there is too much work in specifying rules for every allow scenario.
What I am looking for is to specify things like this:
iptables -A FORWARD -p tcp -i $WAN_IFACE --dport 25 -s (!(1.1.1.1 and 1.1.1.2)) -j DROP
But iptables does not support "and" and "or".
Is there any way to implement this?
You can create a new chain for all packets going to Port 25 and then do more specific filtering there:
iptables -N port25
iptables -A FORWARD -p tcp -i $WAN_IFACE --dport 25 -j port25
iptables -A port25 -s 1.1.1.1 -j ACCEPT
iptables -A port25 -s 1.1.1.2 -j ACCEPT
iptables -A port25 -j DROP
Creating user-defined chains is the way to implement "and" and "or" rules.
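The user-defined chain in the answer above is the "or" (any of the listed sources) followed by the "and not" (the trailing DROP). The script below is an added example, not the answerer's or the asker's script, that builds that chain from a list and can be re-run without duplicating rules: -L tells it whether the chain exists, -C whether the FORWARD jump is already in place, and a flush-and-refill replaces the allowlist in one step. It assumes WAN_IFACE is the external interface, ALLOW_SRC holds the permitted sources, and a reasonably recent iptables (for -C). The same pattern serves the captive-portal post earlier on this page: put the chain in the nat table with RETURN instead of ACCEPT ahead of the DNAT rule.

```shell
#!/bin/sh
# Added example: an allowlist chain for forwarded port 25 that can be
# reloaded idempotently. Assumptions: $WAN_IFACE is the external interface,
# $ALLOW_SRC lists permitted sources, $IPTABLES may name a stub for a dry run.
IPTABLES="${IPTABLES:-iptables}"
WAN_IFACE="${WAN_IFACE:-eth0}"
ALLOW_SRC="${ALLOW_SRC:-1.1.1.1 1.1.1.2}"
CHAIN="port25"

# Create the chain only if it does not exist yet (-n -L fails otherwise).
ensure_chain() {
  "$IPTABLES" -n -L "$1" >/dev/null 2>&1 || "$IPTABLES" -N "$1"
}

# Rebuild the allowlist from scratch: flush, one ACCEPT per source, then DROP.
# The ACCEPT lines are the "or" of the sources; the final DROP is the "and
# not any of them". Flushing first keeps repeated runs from stacking rules.
build_allowlist() {
  chain="$1"; shift
  "$IPTABLES" -F "$chain"
  for src in "$@"; do
    "$IPTABLES" -A "$chain" -s "$src" -j ACCEPT
  done
  "$IPTABLES" -A "$chain" -j DROP
}

# Hook the chain into FORWARD exactly once: -C reports whether the jump
# already exists, so a second run does not append a duplicate.
hook_chain() {
  "$IPTABLES" -C FORWARD -i "$WAN_IFACE" -p tcp --dport 25 -j "$1" 2>/dev/null ||
    "$IPTABLES" -A FORWARD -i "$WAN_IFACE" -p tcp --dport 25 -j "$1"
}

reload_port25() {
  ensure_chain "$CHAIN"
  # shellcheck disable=SC2086  # ALLOW_SRC is deliberately word-split
  build_allowlist "$CHAIN" $ALLOW_SRC
  hook_chain "$CHAIN"
}

if [ "${1:-}" = "apply" ]; then
  reload_port25
fi
```

Adding or removing a sender then means editing ALLOW_SRC and re-running the script; check the result with iptables -L port25 -vn, where the packet counters show which ACCEPT line (or the DROP) the traffic is hitting.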
Closed 7 years ago.
I have a Linux server that gets a time offset for some strange reason.
I set up a cron job to run and update the time using the following command:
/usr/sbin/ntpdate pool.ntp.org
The problem is that the command will not run because I have a firewall (iptables).
I have always used IP addresses to allow traffic in my network:
iptables -A INPUT -p tcp -m tcp -i eth0 -s 11.11.11.11 --dport 5060 -j ACCEPT
I would like to know how to do it using a domain name, in this case pool.ntp.org.
Or maybe someone could tell me a better way to keep the clocks in sync.
Please advise.
Typically, iptables is set up to restrict incoming TCP and UDP connections initiated by remote hosts to the server except as needed, but all outgoing TCP and UDP connections initiated by the server to remote hosts are allowed, and state is kept so that the replies are allowed back in, like so:
# Allow TCP/UDP connections out. Keep state so conns out are allowed back in.
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
If your iptables is set up like so, it will allow ntpdate to make an outgoing connection to pool.ntp.org and will allow the reply back in, and you can still block incoming connections to the server initiated by other hosts.