LinuxQuestions.org
Old 04-11-2013, 01:56 AM   #1
met0555
LQ Newbie
 
Registered: Apr 2013
Posts: 2

Rep: Reputation: Disabled
iptables firewall rule


Hi,

I'm trying to set iptables firewall rules, but I'm having a problem: after applying my rules, it blocks all the connections, and I'm not sure why.

I have 3 PCs:

PC1
eth0 = 192.168.111.2

PC2
eth0 = 192.168.111.1
eth1 = 10.20.0.1

PC3
eth0 = 10.20.0.2

PC2 is connected to PC1 and PC3, and IP forwarding is turned on.

So when there is no firewall rule everything works, but after applying it blocks everything; I can't ping ... I'm not sure what I'm missing.

Code:
#PC1 to PC3 web server
iptables -A FORWARD -p tcp -s 192.168.111.2 --dport 80 -d 10.20.0.2 -j ACCEPT

#PC1 to PC3 ssh server
iptables -A FORWARD -p tcp -s 192.168.111.2 -d 10.20.0.2 --dport 22 -j ACCEPT

#PC3 to PC2 ssh server
iptables -A INPUT -p tcp -s 10.20.0.2 -d 10.20.0.1 --dport 22 -j ACCEPT

#PC1 to PC3 ICMP ping
iptables -A FORWARD -s 192.168.111.2 -d 10.20.0.2 -p icmp --icmp-type echo-request -j ACCEPT

#10.20.0.0/16 to PC1 ICMP ping
iptables -A FORWARD -p icmp --icmp-type echo-request -s 10.20.0.0/16 -d 192.168.111.2 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -s 10.20.0.0/16 -d 192.168.111.2 -j ACCEPT

# drop everything else
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP
Thank you.
 
Old 04-11-2013, 03:17 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
You're not doing any connection tracking. Whilst you're allowing an echo-request, you're not allowing the implicit response back. Did you delete the state rules that were probably there by default?

http://wiki.centos.org/HowTos/Networ...2796f3ce60c730
 
Old 04-11-2013, 08:33 AM   #3
met0555
LQ Newbie
 
Registered: Apr 2013
Posts: 2

Original Poster
Rep: Reputation: Disabled
Will this fix that issue?
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
And yes, I deleted all previous rules.

thx
 
Old 04-17-2013, 12:09 PM   #4
shizzles
LQ Newbie
 
Registered: Jun 2005
Location: Chicago
Distribution: Ubuntu Server & Debian 6
Posts: 23

Rep: Reputation: 1
Since the default policy is to drop everything, you need to also allow icmp echo-reply from destination to source.
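Putting the two replies together, here is PC2's ruleset rebuilt with a state rule in every chain so that the echo-reply, the TCP handshake and any ICMP error come back through conntrack. This is an added example, not code from the thread; the addresses are the original poster's, while the INVALID drop, the rate-limited LOG rule and the IPT dry-run variable are my assumptions.

```shell
#!/bin/sh
# PC2 (router) ruleset with connection tracking. IPT defaults to "echo iptables",
# so the script only prints the rules; run as root with IPT=iptables to apply them.
: "${IPT:=echo iptables}"

PC1=192.168.111.2      # host on eth0 side
PC2_ETH1=10.20.0.1     # PC2's own address towards PC3
PC3=10.20.0.2          # web/ssh server behind eth1
LAN2=10.20.0.0/16

apply_rules() {
    # Known starting point: flush, then default-deny in all three chains.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # The state rules go first in EVERY chain: replies to a forwarded ping
    # traverse FORWARD, replies to PC2's own ping traverse INPUT, and packets
    # PC2 sends in answer to an accepted ssh session traverse OUTPUT.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A "$chain" -m state --state INVALID -j DROP
    done

    # Only the first packet of a flow needs an explicit rule now.
    $IPT -A FORWARD -p tcp -s $PC1 -d $PC3 --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -p tcp -s $PC1 -d $PC3 --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp -s $PC3 -d $PC2_ETH1 --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -p icmp --icmp-type echo-request -s $PC1 -d $PC3 -j ACCEPT
    $IPT -A FORWARD -p icmp --icmp-type echo-request -s $LAN2 -d $PC1 -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -d $PC1 -j ACCEPT

    # Log what the DROP policy is about to discard, rate-limited to avoid floods.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

apply_rules
```

Without IPT set this prints the rules for review; `IPT=iptables sh firewall.sh` applies them, and `iptables -L FORWARD -v -n` afterwards shows the ESTABLISHED,RELATED counter climbing when PC1's pings to PC3 get their replies.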