Linux - Newbie
This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I am just starting on IPTables and already running into issues
I have this
Code:
1- sudo iptables -P OUTPUT DROP
2- sudo iptables -A INPUT -p tcp -s 10.0.0.100 --dport 22 -j ACCEPT
3- sudo iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j DROP
4- sudo iptables -A INPUT -p tcp -s 10.0.0.155 -j ACCEPT
5- sudo iptables -A INPUT -p udp -s 10.0.0.155 -j ACCEPT
6- sudo iptables -A INPUT -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT
7- sudo iptables -A OUTPUT -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT
But this allows, for example, other IP addresses to connect via PORT 22 to the machine, which I thought I BLOCKED via Rule Number 3, but my guess is that either RULE 6 or Rule 7 cancels this. Correct??
And if I remove RULES 6 and 7 then I can't even connect to the machine via SSH, can't even PING IT!
Clarification: .100 is my PC, .155 is my NAS, my local subnet is 10.0.0.0/24
TiA
Edit: PS: No other rules exist (done an iptables -F and everything else INPUT/OUTPUT/FORWARD is set to accept before starting)
1. When using -P OUTPUT DROP one must specify where OUTPUT is accepted. (remove rule 7 and output's all dropped)
2. When not using -P INPUT DROP then input is accepted and one must only specify which input is dropped.
So, your INPUT ACCEPT rules do nothing if -P INPUT (policy) is set to ACCEPT.
And your -P OUTPUT (policy) DROP will drop output of -p (protocol) icmp unless you specify the ACCEPT rule for icmp.
There's plenty of other stuff wrong with it, but I hope this helps a bit.
In addition, basically rules operate in order. -A appends the rule to the end of the chain so it depends on how they were added. Are you using a shell script or just typing them in on the command line? If using a script post its exact contents using code tags. To see the order run the command
iptables -L --line-numbers
To block ssh for incoming connections I would use:
iptables -A INPUT -i [interface name] -p tcp --dport 22 -j DROP
You also need to understand how basic server communications work. Basically the client talks to the server on one port, for ssh it is 22 by default, and the server responds on another port. These ports are called ephemeral ports and it depends on the operating system, but Linux typically uses 32768–60999. This is why you need rule 6.
As posted with an output policy of drop nothing gets out without a specific rule. Much easier to learn if you reverse and use a policy of accept for output and drop for input.
I simply use shorewall to do the heavy lifting for me. I specify what I want using fairly simple configuration files, and it spits out and applies the right set of rules. Perfect.
As michaelk points out, it is more useful and less error prone to view the rules as they actually exist in your kernel rather than as the commands used to insert them. To repeat how to do that:
Code:
iptables -L --line-numbers
Nftables is intended to replace iptables, but there is no urgency to change if you have some iptables knowledge. (I have found nftables a bit more difficult to work with than iptables, which may be due in part to my own old habits, but simply changing from one to the other does not instantly solve most problems.)
You have posted a set of rules then stated that they do not work, but have not clearly stated how you want them to work. You will find it a useful exercise for yourself, and in communicating your problems to others, to write out in simple human language how you want your rule set to work. For example:
Code:
My firewall should do the following -
Accept incoming SSH on port 22 only from my PC (10.0.0.100), reject from anywhere else
Accept all tcp and udp traffic between NAS (10.0.0.155) and this machine
Reject everything else
You would then have a "specification" to implement with your rules and to communicate to others, and to test your results against. Then when you need to add some new traffic, start by adding it to the spec!
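As an added illustration (not code from anyone in this thread, and not a real firewall), the small Python model below evaluates packets the way iptables does, first matching rule wins and otherwise the chain policy applies, against the rules from the original post and against one reading of the "specification" above with the policies reversed as michaelk suggests. The local machine's address 10.0.0.10, the "other" LAN host 10.0.0.37 and the outside address 8.8.8.8 are constructed sample values.

```python
# Toy model of iptables chain traversal: first matching rule wins, else the chain policy.
import ipaddress
from dataclasses import dataclass
from typing import Optional
ANY = "0.0.0.0/0"

@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None   # None matches every protocol
    src: str = ANY
    dst: str = ANY
    dport: Optional[int] = None
    state: Optional[str] = None   # conntrack state, NEW or ESTABLISHED

def matches(r: Rule, p: dict) -> bool:
    return (r.chain == p["chain"] and r.proto in (None, p["proto"])
            and r.dport in (None, p["dport"]) and r.state in (None, p["state"])
            and ipaddress.ip_address(p["src"]) in ipaddress.ip_network(r.src)
            and ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(r.dst))

def verdict(rules, policy, p) -> str:
    return next((r.target for r in rules if matches(r, p)), policy[p["chain"]])

def pkt(chain, proto, src, dst, dport=None, state="NEW"):
    return dict(chain=chain, proto=proto, src=src, dst=dst, dport=dport, state=state)

# Rules 2..7 from the original post, in the order they were appended (rule 1 is the policy).
POSTER_POLICY = {"INPUT": "ACCEPT", "OUTPUT": "DROP"}
POSTER_RULES = [
    Rule("INPUT", "ACCEPT", "tcp", "10.0.0.100/32", dport=22),    # 2
    Rule("INPUT", "DROP", "tcp", ANY, dport=22),                  # 3
    Rule("INPUT", "ACCEPT", "tcp", "10.0.0.155/32"),              # 4
    Rule("INPUT", "ACCEPT", "udp", "10.0.0.155/32"),              # 5
    Rule("INPUT", "ACCEPT", None, "10.0.0.0/24", "10.0.0.0/24"),  # 6
    Rule("OUTPUT", "ACCEPT", None, "10.0.0.0/24", "10.0.0.0/24"), # 7
]
# The same rules with rule 6 ahead of rule 3, as -I or a different script order would give.
MISORDERED_RULES = [POSTER_RULES[4]] + POSTER_RULES[:4] + POSTER_RULES[5:]

# One reading of the thread's "specification", with policies reversed as michaelk suggests.
SPEC_POLICY = {"INPUT": "DROP", "OUTPUT": "ACCEPT"}
SPEC_RULES = [
    Rule("INPUT", "ACCEPT", state="ESTABLISHED"),               # replies to our own traffic
    Rule("INPUT", "ACCEPT", "tcp", "10.0.0.100/32", dport=22),  # SSH only from the PC
    Rule("INPUT", "ACCEPT", "tcp", "10.0.0.155/32"),            # NAS, tcp
    Rule("INPUT", "ACCEPT", "udp", "10.0.0.155/32"),            # NAS, udp
    Rule("INPUT", "REJECT"),                                    # reject everything else
]
```

With the rules in the posted order, SSH from 10.0.0.37 hits rule 3 and is dropped; with rule 6 ahead of it the same packet is accepted, which is why checking `iptables -L --line-numbers` matters more than the commands you typed.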