LinuxQuestions.org
Old 07-03-2016, 11:37 PM   #1
lzande
LQ Newbie
 
Registered: Jul 2016
Posts: 2

iptables help for centos 6.8


Hello all. Sorry if this has been posted before. I'm new to iptables and I'm having an issue with them. My iptables when on, are blocking yum and wget. Can anyone help me? Below is my current /etc/sysconfig/iptables file:

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [124:7812]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT

#allow outside users to Ping us
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#ssh
-A INPUT -p tcp -m tcp --dport 2927 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22  -m state --state NEW,ESTABLISHED -j ACCEPT

#apache
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

#loopback
-A INPUT -i lo -j ACCEPT

#dns
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

#sendmail
-A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

#prevent the Denial of Service (DoS)
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

#allow outside users to Ping us
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

#ssh out
-A OUTPUT -p tcp -m tcp --sport 2927 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#apache out
-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

#loopback out
-A OUTPUT -o lo -j ACCEPT

#dns out
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT

#sendmail out
-A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

#unknown rules
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

COMMIT
 
Old 07-05-2016, 12:01 PM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rules are read top to bottom. As such some things you have are not required or not working as you would have expected them to.

Because of this rule:

Code:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
You don't have to add ESTABLISHED to your other rules.

This rule
Code:
-A INPUT -p icmp -j ACCEPT
Makes this rule useless
Code:
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
This rule should always be the first rule in every chain:
Code:
-m state --state RELATED,ESTABLISHED -j ACCEPT
You can try the following rules which should do what you wanted to do and allow your outbound connections:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [124:7812]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2927 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22  -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# If you are running a DNS server then uncomment the following line (a server receives queries on destination port 53)
#-A INPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# If you are running a mail server then uncomment the following
#-A INPUT -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
You should read this IPTABLES TUTORIAL to help you out.
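To make the two points in this reply checkable, here is an added static checker (example code, not the reply's or the poster's own) that parses an iptables-save file: accepts_new() reports whether a DROP-policy chain lets a client program such as yum or wget open a NEW connection, and shadowed() lists rules that an earlier rule in the same chain already decides, which is the ordering point made above. SAMPLE, the function names and the tuple layout are constructed for this example.

```python
# Added example (not code posted in this thread): a static checker for an iptables-save
# ruleset.  SAMPLE is a constructed excerpt of the original poster's file; chain policy is DROP.
import shlex

SAMPLE = """-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22  -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"""

def parse(text):
    """List of (chain, target, states or None, {(flag, value)}) for each -A line."""
    rules = []
    for argv in (shlex.split(l) for l in text.splitlines() if l.startswith("-A ")):
        target, states, matches, i = None, None, set(), 2
        while i < len(argv):
            flag, val, i = argv[i], None, i + 1
            if i < len(argv) and not argv[i].startswith("-"):
                val, i = argv[i], i + 1
            if flag == "-j":
                target = val
            elif flag in ("--state", "--ctstate"):
                states = frozenset(val.split(","))
            elif flag not in ("-m", "--reject-with"):  # -m only loads a match module
                matches.add((flag, val))
        rules.append((argv[1], target, states, matches))
    return rules

def accepts_new(text, chain, proto, dport):
    """Can a DROP-policy CHAIN open a local PROTO connection to DPORT?  Needs an ACCEPT
    rule matching NEW (or stateless) that restricts only interface, protocol and dport;
    a --sport match never fits a client connection, whose source port is ephemeral."""
    return any(c == chain and t == "ACCEPT" and (s is None or "NEW" in s)
               and all(f in ("-i", "-o") or (f, v) in (("-p", proto), ("--dport", str(dport)))
                       for f, v in m) for c, t, s, m in parse(text))

def shadowed(text):
    """(later, earlier, why): an earlier terminating rule of the same chain already takes
    every packet, or every conntrack state, that the later rule would otherwise match."""
    rules, hits = parse(text), []
    for j, (chain, _, states, matches) in enumerate(rules):
        for i, (c, t, s, m) in enumerate(rules[:j]):
            if c != chain or t not in ("ACCEPT", "DROP", "REJECT") or not m <= matches:
                continue
            if s is None or (states is not None and states <= s):
                hits.append((j, i, "never reached"))
            elif states is None or states & s:
                hits.append((j, i, "redundant for %s" % ",".join(sorted(states & s if states else s))))
    return hits
```

Run against SAMPLE, accepts_new() says OUTPUT cannot start a TCP connection to port 80 (the yum/wget symptom), while the single `--ctstate NEW,RELATED,ESTABLISHED` OUTPUT rule from the reply makes it True; shadowed() flags the echo-request rule as never reached and the repeated ESTABLISHED states as redundant.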
 
Old 07-05-2016, 05:01 PM   #3
lzande
LQ Newbie
 
Registered: Jul 2016
Posts: 2

Original Poster
Thanks for all the help lazydog. Your rule set worked. How did you get so good at iptables?
 
Old 07-07-2016, 11:55 AM   #4
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Reading that tutorial listed above along with trial and error.
 