weird iptables issues

Red Squirrel

No Lifer
May 24, 2003
70,182
13,576
126
www.anyf.ca
I have a simple script that applies firewall rules but for some reason outgoing traffic is blocked. This is the script:


iptables --flush                                    # clear every rule in the filter table
iptables -v -A INPUT -p tcp --dport 22 -j ACCEPT    # allow inbound SSH
iptables -v -A INPUT -j DROP                        # drop everything else coming in


The last line seems to also block outgoing traffic. Why is this? That should only block incoming, no? Shouldn't -OUTPUT control outgoing?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
That means nothing, you need to show us the output of iptables --list after you run your script.
 

Red Squirrel
This is what the output is:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- 127.0.0.0/8 anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Not sure what is causing this:
DROP all -- anywhere anywhere

That's probably where my problem is.
 

Crusty
IMHO it's better to change your policy to DROP instead of ACCEPT and then explicitly accept outgoing connections. On all my servers INPUT/OUTPUT/FORWARD all get set to DROP and then explicit rules for accepting certain kinds of traffic.

For example, my OUTPUT chain looks like this:

http://pastebin.com/m46c96ff9

 

Red Squirrel
Originally posted by: Crusty
IMHO it's better to change your policy to DROP instead of ACCEPT and then explicitly accept outgoing connections. On all my servers INPUT/OUTPUT/FORWARD all get set to DROP and then explicit rules for accepting certain kinds of traffic.

For example, my OUTPUT chain looks like this:

http://pastebin.com/m46c96ff9

That's actually what I had but then took it off for troubleshooting.

I actually WANT to block outgoing traffic, but I just don't get why it's being blocked without me telling it to. I just don't want to end up with something that's not done properly and just happens to work how I want.

From my understanding iptables works the same way as ACLs in Cisco, right? So as soon as a drop rule that matches is met, the packet is dropped; if an accept is matched it keeps going down the line. Is this in fact how it works? I have not been able to find any kind of tutorial confirming this.
 

Crusty
You're trying to block all outgoing traffic? Your rules won't do that at all because your POLICY is set to ACCEPT and you don't have a DROP statement in your OUTPUT chain.

The reason you can not establish any outgoing connections is because your INPUT chain is dropping ALL incoming packets that are not destined for port 22, so you'll never receive any responses from the outside. I posted a link to an iptables script that works very well in one of your recent threads on iptables; I would highly recommend you dig through it and learn what it's doing and why.
 

Red Squirrel
I'm guessing this has to do with the RELATED, ESTABLISHED rule? What is the exact syntax to that rule, if it's the case? I've found various stuff online but no formatting of how to do the rule itself.
 

Crusty
It's all in that script I linked you in your other thread. It has everything you need to block outgoing traffic while keeping lo open, it even has comments explaining what each rule is trying to do.
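As an added illustration (not the thread's script or the linked one), the toy below models how the INPUT chain from the listing above is walked: the first rule whose match clauses hold decides through its -j target and evaluation stops (ACCEPT is terminating just like DROP), and the chain policy applies only when nothing matches. It shows why the SYN-ACK reply to a connection this host opened is dropped by the posted chain, and why adding the stateful rule `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` ahead of the catch-all DROP fixes it. The packets and addresses are constructed; the rule strings use real iptables syntax but are interpreted by this model, not passed to iptables.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    """Fields of an inbound packet as the INPUT chain would see them.
    ctstate is what the conntrack module reports: NEW for a connection it
    has not seen yet, ESTABLISHED for a reply to one it has (in either
    direction), RELATED for a helper-associated flow such as ICMP errors."""
    proto: str
    dport: int
    src: str
    ctstate: str

def matches(rule, pkt):
    """True if every match clause of one rule spec holds for the packet.
    Only -p, --dport, -s and --ctstate are modelled; other tokens are ignored."""
    spec = rule.split()
    for i, tok in enumerate(spec[:-1]):
        arg = spec[i + 1]
        if tok == "-p" and arg != pkt.proto:
            return False
        if tok == "--dport" and int(arg) != pkt.dport:
            return False
        if tok == "-s" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(arg):
            return False
        if tok == "--ctstate" and pkt.ctstate not in arg.split(","):
            return False
    return True

def evaluate(chain, policy, pkt):
    """Walk the chain top to bottom; the first matching rule's -j target is
    the verdict and evaluation stops. Fall through to the policy otherwise."""
    for rule in chain:
        if matches(rule, pkt):
            spec = rule.split()
            return spec[spec.index("-j") + 1]
    return policy

# The INPUT chain from the thread's listing (policy ACCEPT).
ORIGINAL = ["-p tcp --dport 22 -j ACCEPT", "-s 127.0.0.0/8 -j ACCEPT", "-j DROP"]
# Same chain with the stateful rule placed first, so replies to connections
# this host opened are accepted before the catch-all DROP is reached.
FIXED = ["-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"] + ORIGINAL

# Constructed sample packets (addresses are documentation/private ranges).
SSH_IN = Packet("tcp", 22, "10.0.0.5", "NEW")                 # someone ssh'ing in
WEB_IN = Packet("tcp", 80, "10.0.0.5", "NEW")                 # unsolicited inbound
REPLY = Packet("tcp", 40512, "198.51.100.7", "ESTABLISHED")   # SYN-ACK to our outbound connect

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, [evaluate(chain, "ACCEPT", p) for p in (SSH_IN, WEB_IN, REPLY)])
```

With the original chain the reply is dropped (so the outgoing connection never completes) while the fixed chain accepts it and still drops unsolicited inbound traffic to port 80.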