Linux - Newbie
This Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Okay, I'm at a bit of a loss with this one. The only way I can see to get iptables to work properly with my servers that I'm running on my Debian box is to start it up after all the servers have loaded. But then when I restart (which does happen occasionally) it blocks everything up again!
I've got Apache, SSH, vsftp, and a pop3 server running on this box, and I want all of the servers to be able to access the net from bootup.
I also need to find some info concerning mysql-server, and how to make sure that only localhost can access it.
If your iptables rules are blocking your servers, it just means your rules aren't set up properly. On my box, the iptables rules are loaded before the ethernet card is brought up, which is definitely before any servers are started and none of my servers (httpd, sshd, mysqld) have any problem with access.
If you want to block external access to mysql, you can do it with a rule like this:
iptables -A INPUT -i eth0 -p TCP --dport 3306 -j DROP
This would drop anything heading for port 3306 (assuming that is what you are running mysql on) that is coming from your ethernet card (again assuming your external connection is on eth0). Unless I'm completely mistaken, this should still allow localhost to access mysql.
Is there any sort of newbies guide to iptables anywhere? All I need to do really is know how to allow access to certain ports (TCP) on my ethernet card, i.e. to allow requests on port 80, 23, 21, etc.
There is also the iptables tutorial at FrozenTux. It is kind of heavy going, but pretty much everything you need to know is in there somewhere.
However, opening up specific ports is pretty easy. Personally, I think it is best to lock everything down by having the table defaults set to DROP like this:
That way everything gets dumped except the traffic that you specifically allow. To my way of thinking that is much better than allowing everything and only denying the things you think of.
Umm, there is one problem with the above tip. It seems I can't access anything from the box any more. I.e. Mozilla won't work, apt-get won't work, they don't resolve host names. What should I make unblocked to allow me to use www browsers and apt-get?
You need to allow NEW, ESTABLISHED and RELATED packets through the firewall. So on my input chain, I've got these two rules:
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
You also might need:
iptables -A INPUT -p tcp --syn -j ACCEPT
And on the OUTPUT chain I do the same thing only the --state is NEW,ESTABLISHED,RELATED for both tcp and udp:
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Rather than looking at specific ports, these rules look at the state of the packet and NEW,ESTABLISHED and RELATED states are all states from connections originating within your computer so someone from the outside can't use them to get in. See the FrozenTux tutorial for the fine details.