Okay, im at a bit of a loss with this one. The only way i can see to get iptables to work properly with my servers that im running on my Debian box is to start it up after all the servers have loaded. But then when i restart (which does happen occasionally) it blocks everything up again!

Ive got Apache, SSH, vsftp, and a pop3 server running on this box, and i want all of the servers to be able to access the net from bootup.

I also need to find some info concerning mysql-server, and how to make sure that only localhost can access it.

If your iptables rules are blocking your servers, it just means your rules aren't set up properly. On my box, the iptables rules are loaded before the ethernet card is brought up, which is definitely before any servers are started and none of my servers (httpd, sshd, mysqld) have any problem with access.

If you want to block external access to mysql, you can do it with a rule like this:

iptables -A INPUT -i eth0 -p TCP --dport 3306 -j DROP


This would drop anything heading for port 3306 (assuming that is what you are running mysql on) that is coming from your ethernet card (again assuming your external connection is on eth0). Unless I'm completely mistaken, this should still allow localhost to access mysql.

Thanks.

Is there any sort of newbies guide to iptables anywhere? All i need to do really is know how to allow access to certain ports (TCP) on my ethernet card. i.e. to allow requests on port 80, 23, 21, etc etc.

Take a look at the documents and tutorials on netfilter / iptables.
Look for the Packet Filtering HowTOs.
http://www.netfilter.org/documentation/

There is also the iptables tutorial at FrozenTux. It is kind of heavy going, but pretty much everything you need to know is in there somewhere.

However, opening up specific ports is pretty easy. Personally, I think it is best to lock everything down by having the table defaults set to DROP like this:

iptables -P INPUT DROP

Then I open just the ports I want, like ssh:

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

That way everything gets dumped except the traffic that you specifically allow. To my way of thinking that is much better than allowing everything and only denying the things you think of.

Thanks

Umm, there is one problem with the above tip. It seems i cant access anything from the box any more. I.e. mozilla wont work, apt-get wont work, they dont resolve host names. What should i make unblocked to allow me to use www browsers and apt-get?

You need to allow NEW, ESTABLISHED and RELATED packets through the firewall. So on my input chain, I've got these two rules:

iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED, RELATED -j ACCEPT

You also might need:
iptables -A INPUT -p tcp --syn -j ACCEPT

And on the OUTPUT chain I do the same thing only the --state is NEW,ESTABLISHED,RELATED for both tcp and udp:

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


Rather than looking at specific ports, these rules look at the state of the packet and NEW,ESTABLISHED and RELATED states are all states from connections originating within your computer so someone from the outside can't use them to get in. See the FrozenTux tutorial for the fine details.