
weird iptables issues

Red Squirrel

No Lifer
I have a simple script that applies firewall rules but for some reason outgoing traffic is blocked. This is the script:


iptables --flush
iptables -v -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -v -A INPUT -j DROP


The last line seems to also block outgoing traffic. Why is this? That should only block incoming, no? Shouldn't OUTPUT control outgoing?
 
This is what the output is:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- 127.0.0.0/8 anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Not sure what is causing this:
DROP all -- anywhere anywhere

That's probably where my problem is.
 
IMHO it's better to change your policy to DROP instead of ACCEPT and then explicitly accept outgoing connections. On all my servers INPUT/OUTPUT/FORWARD all get set to DROP and then explicit rules for accepting certain kinds of traffic.

For example, my OUTPUT chain looks like this:

http://pastebin.com/m46c96ff9

 
Originally posted by: Crusty
IMHO it's better to change your policy to DROP instead of ACCEPT and then explicitly accept outgoing connections. On all my servers INPUT/OUTPUT/FORWARD all get set to DROP and then explicit rules for accepting certain kinds of traffic.

For example, my OUTPUT chain looks like this:

http://pastebin.com/m46c96ff9

That's actually what I had but then took it off for troubleshooting.

I actually WANT to block outgoing traffic, but I just don't get why it's being blocked without me telling it to. I just don't want to end up with something that's not done properly and just happens to work how I want.

From my understanding iptables works the same way as ACLs in Cisco, right? So as soon as a drop rule that matches is met, the packet is dropped; if an accept is matched it keeps going down the line. Is this in fact how it works? I have not been able to find any kind of tutorial confirming this.
 
You're trying to block all outgoing traffic? Your rules won't do that at all because your POLICY is set to ACCEPT and you don't have a DROP statement in your OUTPUT chain.

The reason you can not establish any outgoing connections is because your INPUT chain is dropping ALL incoming packets that are not destined for port 22, so you'll never receive any responses from the outside. I posted a link to an iptables script that works very well in one of your recent threads on iptables; I would highly recommend you dig through it and learn what it's doing and why.
 
I'm guessing this has to do with the RELATED, ESTABLISHED rule? What is the exact syntax to that rule, if it's the case? I've found various stuff online but no formatting of how to do the rule itself.
 
It's all in that script I linked you in your other thread. It has everything you need to block outgoing traffic while keeping lo open, it even has comments explaining what each rule is trying to do.
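The script Crusty linked is not reproduced in the thread, so here is an added example (not the linked script, and not code from any of the posters) of a ruleset that does what the thread describes: SSH is accepted inbound, replies to connections the host itself opened are let back in with a RELATED,ESTABLISHED rule, loopback stays open, and everything else, including all outbound traffic except a short allow list, is dropped by chain policy. Two iptables facts the example relies on: rules are evaluated top to bottom and traversal stops at the first rule whose target is ACCEPT or DROP, and a packet that matches no rule gets the chain's policy. The ruleset is emitted in iptables-restore format so the whole table is swapped in atomically rather than rule by rule, which is what makes a remote script safe to run over SSH. The SSH port, and the outbound DNS and NTP ports in the allow list, are assumptions for the example, not values from the original posts.

```shell
#!/bin/sh
# Added example, not from the forum thread or the script linked in it.
# Generates a stateful iptables ruleset in iptables-restore format and
# applies it only when invoked with --apply (requires root).

# Assumed values (not from the original posts): adjust to taste.
SSH_PORT=22
OUTBOUND_TCP="53"       # DNS over TCP
OUTBOUND_UDP="53 123"   # DNS, NTP

gen_ruleset() {
    cat <<EOF
*filter
# Policies are the fallback when no rule matches; DROP on all three
# means anything not explicitly accepted below is discarded.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback must stay open or local services (resolver, monitoring) break.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Return traffic for connections this host opened. Without the INPUT
# rule an INPUT DROP policy silently kills every outbound connection's
# replies, which is the symptom described at the top of the thread.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot associate with anything: drop them early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New inbound SSH sessions.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Explicit outbound allow list; everything else outbound hits OUTPUT DROP.
    for p in $OUTBOUND_TCP; do
        echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $OUTBOUND_UDP; do
        echo "-A OUTPUT -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Count how many rules the generated table contains (useful sanity check
# before applying: a ruleset with no RELATED,ESTABLISHED line is a lockout).
rule_count() {
    gen_ruleset | grep -c -- '^-A '
}

has_stateful_input() {
    gen_ruleset | grep -qF -- '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
}

case "${1:-}" in
    --apply)
        # Refuse to load a table that would cut off our own replies.
        has_stateful_input || { echo "refusing: no stateful INPUT rule" >&2; exit 1; }
        gen_ruleset | iptables-restore
        ;;
    *)
        # Default: just print the ruleset for review.
        gen_ruleset
        ;;
esac
```

Run it with no arguments to review the table, then `sh firewall.sh --apply` as root. If you want to confirm the first-match behaviour for yourself after applying, `iptables -L INPUT -v -n` shows per-rule packet counters: an outbound `ssh` from the host increments the RELATED,ESTABLISHED counter, not the policy counter.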
 