
gr0undzer0 05-09-2012 11:13 PM

IPtables quick question
I wrote the following script for my webserver. When I run it however I lose the ability to access any ports or even ping from the local host. I thought that the line I wrote with would take care of that. I also thought the last two lines would basically force the server to close all OTHER ports. Not the ones listed here. Do I have some syntax wrong here I'm missing?

#Script for configuring 'Firewall' Rules
#Written by Chris Jones <>

#Basic Rules?

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT

#HTML ownCloud
iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT
iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT
#Probably a good idea to take requests from myself
iptables -A INPUT -d 10.0.0.xx -s -j ACCEPT

#Lock It down
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

Slackyman 05-10-2012 03:23 AM


iptables -P INPUT DROP
iptables -P FORWARD DROP

at the beginning and remove the last two lines.
There are, anyway, different conceptual errors, but, sorry, I have little time right now. :)

fukawi1 05-10-2012 04:47 AM

Firstly may I ask, what is the point/purpose of redacting your local IP addresses and ports? It does nothing to help you in the "security by obscurity" school of thought, and really makes helping you a crystal ball job.


When I run it however I lose the ability to access any ports or even ping from the local host.

iptables -A INPUT -d 10.0.0.xx -s -j ACCEPT

To enable traffic on the loopback interface, you would need to use a rule such as

iptables -A INPUT -i lo -j ACCEPT
Which will accept anything and everything on the loopback interface. This is usually standard practice.

Since you are running a webserver, you are most likely going to want to allow access to either the entire internet or an entire LAN. Matching by destination IP is a bit pointless: since the packets have got to the host, chances are they have the host's IP as the packet's destination IP. Normally one would use a rule such as

iptables -A INPUT -p tcp --dport 80 -s -j ACCEPT
This would allow anything coming from the subnet, and drop everything else. In the case of a public webserver, you would omit the -s match.

I try to think of iptables rules by breaking them down and looking at the specific characteristics of the connections I want to allow.
Let's take your ssh rule as an example.

iptables -A INPUT -d 10.0.0.xx -p tcp --dport xxx -j ACCEPT
iptables -A INPUT (append a rule to the end of the filter table, INPUT chain)
-d 10.0.0.xx (match packets with a destination IP 10.0.0.xx AND)
-p tcp --dport xxx (protocol: tcp, destination port xxx)
-j ACCEPT (this one's pretty obvious)

It is also worthwhile to enable logging; this is helpful for diagnosing problems.
Also use "watch" in conjunction with "iptables -nvL $chain" while generating a bunch of traffic using hping or nc, and watch the byte/packet counters.

I really do recommend this link for a good description of how iptables works, with flowcharts and tables explaining the tables, chains etc.

gr0undzer0 05-10-2012 06:16 AM

I appreciate your time gentlemen. I'm headed to that site as soon as I hit my lunch break today fukawi. I'll try that code out later today Slackyman.

gr0undzer0 05-10-2012 12:12 PM

In particular, which part of this script is causing all traffic to be blocked? From your response and the site you posted I gather that, although it's not necessary,

iptables -A INPUT -d -p tcp --dport80 -j ACCEPT

should let any traffic from any IP using port 80 go right on through to the host. Are you saying that if I put in the IP on a machine the packet has already arrived at, it won't work? If it will work, I am still having issues with not being able to reach this server from within the network.

Slackyman 05-10-2012 01:15 PM

To allow web traffic:

iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

To let the machine give response to the ping:

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

A request can be accepted in INPUT, but you also have to accept the response in OUTPUT.
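Putting the advice from fukawi1's and Slackyman's posts together in one script, as an added example that is code from neither poster: default DROP policies set first (so the trailing REJECT rules are unnecessary), the loopback ACCEPT that the original script was missing, a stateful RELATED,ESTABLISHED rule, port 80 matched by port only with no -s match, SSH restricted to the LAN, ICMP echo-request, and a rate-limited LOG rule whose counters you can watch with "watch iptables -nvL INPUT". The LAN subnet 10.0.0.0/24, SSH port 22 and interface eth0 are assumptions; the DRY_RUN variable is mine and prints the commands instead of applying them, which is how you review the rule order before running it as root.

```shell
#!/bin/sh
# Assumed values (not from the thread): adjust to your network.
LAN_NET="${LAN_NET:-10.0.0.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# ipt: run iptables, or with DRY_RUN=1 print the command instead so the
# rule order can be reviewed without touching the live firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # Start from a clean table and set default policies FIRST: anything not
    # explicitly accepted below is dropped, so no trailing "-j REJECT" rules.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # 1. Loopback: the rule whose absence blocked local access in the thread.
    ipt -A INPUT -i lo -j ACCEPT

    # 2. Replies to connections this host already has or initiated.
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 3. Public web server: no -s match, match by protocol and port only.
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # 4. SSH only from the LAN (note the space between --dport and the port).
    ipt -A INPUT -s "$LAN_NET" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

    # 5. Answer pings; the echo-reply leaves via OUTPUT, which is ACCEPT here.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # 6. Log whatever falls through (rate-limited so the log cannot be
    #    flooded), then the INPUT DROP policy discards it.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
}

# preview_firewall: print the exact iptables commands apply_firewall would run.
preview_firewall() {
    ( DRY_RUN=1; apply_firewall )
}

case "${1:-}" in
    apply)   apply_firewall ;;   # must be run as root
    preview) preview_firewall ;;
esac
```

Run it as "sh firewall.sh preview" to see the ordered commands, then "sh firewall.sh apply" as root. Because the policy is DROP and the loopback and ESTABLISHED rules come before everything else, the order of the remaining ACCEPT rules only affects which counter increments, not what gets through.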

gr0undzer0 05-10-2012 01:27 PM


Will test at home. I did play around with the iptables on a test machine here at work and was successful in allowing / blocking ssh with no issue with the code I started with. I found the issues.

1. The IP address on the individual filters was wrong.
2. I needed a space between dport and the port.
