iptable help please?

TigerIvy · 04-22-2012, 08:02 PM

I am kinda a linux noob I guess (lol) and I am having problems wrriting my iptables. I either lock myself out or it doesn't work. What I am trying to do is only allow specific ip address to access ports 3306 and 22, everyone to access ports 80 and 29000 and block all other ports. This is what I have but there is an error (or 100) somewhere. Thanks in advance for the help!

-I INPUT --src 123.123.123.123 -m tcp -p tcp --dport 3306 -j DROP
-I INPUT --src 123.123.123.123 -m tcp -p tcp --dport 3306 -j DROP
-I INPUT --src 123.123.123.123 -m udp -p tcp --dport 3306 -j DROP
-I INPUT --src 123.123.123.123 -m udp -p tcp --dport 3306 -j DROP
-I INPUT --src 123.123.123.123 -m tcp -p tcp --dport 22 -j DROP
-I INPUT --src 123.123.123.123 -m tcp -p tcp --dport 22 -j DROP
-I INPUT --src 123.123.123.123 -m udp -p tcp --dport 22 -j DROP
-I INPUT --src 123.123.123.123 -m udp -p tcp --dport 22 -j DROP
-A INPUT -p tcp -i eth0 -s ! 123.123.123.123 --dport 22 -j DROP
-A INPUT -p tcp -i eth0 -s ! 123.123.123.123 --dport 3306 -j DROP
-A INPUT -p udp -i eth0 -s ! 123.123.123.123 --dport 53 -j DROP
-A INPUT -p tcp -i eth0 -s ! 123.123.123.123 --dport 53 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 0:79 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81:3305 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3307:28999 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 29000:65535 -j DROP
-A INPUT -m state --state NEW -m udp -p tcp --dport 0:79 -j DROP
-A INPUT -m state --state NEW -m udp -p tcp --dport 81:3305 -j DROP
-A INPUT -m state --state NEW -m udp -p tcp --dport 3307:28999 -j DROP
-A INPUT -m state --state NEW -m udp -p tcp --dport 29000:65535 -j DROP
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 5 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -j DROP
COMMIT

kbp · 04-22-2012, 09:23 PM

Iptables will use the first rule that a packet matches, going by your post you want to DROP everything except icmp. Using DROP as a target means to throw away the matching packet and not to respond to the source - try changing some of your DROP's to ACCEPT's.

Noway2 · 04-23-2012, 04:47 AM

Based upon your post, here is an example of what I think you are trying to achieve (based upon a policy set to accept, which is safer against self lockout):

Code:

-A INPUT --src 123.123.123.123 -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT --src 123.123.123.123 -m tcp -p tcp --dport 22   -j ACCEPT
-A INPUT --src 456.456.456.456 -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT --src 456.456.456.456 -m tcp -p tcp --dport 22   -j ACCEPT
-A INPUT -m tcp -p tcp --dport 80   -j ACCEPT
-A INPUT -m tcp -p tcp --dport 2900 -j ACCEPT
-j DROP

This will allow '123' and '456' to access 3306 and 22, everyone to access 80 and 2900, everything else is denied.