LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-07-2009, 10:19 AM   #1
spixx
LQ Newbie
 
Registered: Apr 2009
Posts: 5

Iptables letting some traffic through but not all


Okay, I have a server which I want to be able to use SSH, FTP, WWW and a COD (Call of Duty) server on. All is working, but being paranoid I've also added a firewall (iptables) and added a bunch of rules from different guides over the Internet. I've read up about iptables and how the ruleset works, but I can't seem to understand why my server suddenly hates me so totally. I'm totally shut out from SSH and FTP (blaming my non-existent PASV ports for that), but the WWW works just fine, so my thought was that SSH needs a PASV port range like FTP? In any case the COD server doesn't work either on the standard port 28960.

So my question is: how much of my file is wrong?

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere            icmp address-mask-reply 
DROP       icmp --  anywhere             anywhere            icmp address-mask-request 
DROP       icmp --  anywhere             anywhere            icmp router-solicitation 
DROP       icmp --  anywhere             anywhere            icmp router-advertisement 
DROP       icmp --  anywhere             anywhere            icmp redirect 
DROP       all  --  127.0.0.0/8          anywhere            
DROP       all  --  192.168.0.0/16       anywhere            
DROP       all  --  172.16.0.0/12        anywhere            
DROP       all  --  10.0.0.0/8           anywhere            
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
interfaces  all  --  anywhere             anywhere            
open       all  --  anywhere             anywhere            
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable 
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
DROP       all  -f  anywhere             anywhere            
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
DROP       icmp --  anywhere             anywhere            icmp echo-request 

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain interfaces (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain open (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:22113 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10092 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:28960
 
Old 04-07-2009, 01:37 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

You could get rid of all those DROP rules and user-built chains, then stick a LOG rule at the end of your INPUT chain to see what the filtered packets look like. Also, keep in mind that building an iptables script out of "a bunch of rules from different guides over the Internet" is probably not a very good idea.
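win32sux's LOG suggestion in practice, as an added example that is not part of the thread: a Python script that summarizes what a trailing `iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: "` rule writes to the kernel log and compares the filtered (protocol, port) pairs with the posted `open` chain, which accepts its four ports for TCP only. The log lines, the prefix and the addresses are constructed for this example; only the field layout follows the real LOG target output.

```python
import re
from collections import Counter
# Constructed sample of kernel-log lines from an assumed "-j LOG --log-prefix
# 'INPUT-DROP: '" rule; hosts and addresses are made up, field layout is real.
SAMPLE_LOG = """\
Apr  7 10:05:01 srv kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  7 10:05:02 srv kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  7 10:05:03 srv kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=120 ID=3 PROTO=UDP SPT=27960 DPT=28960 LEN=24
Apr  7 10:05:03 srv kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=120 ID=4 PROTO=UDP SPT=27960 DPT=28960 LEN=24
Apr  7 10:05:04 srv kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=51300 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LOG_PREFIX = "INPUT-DROP: "
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Destination ports the posted "open" chain ACCEPTs (www = 80), all TCP only.
OPEN_CHAIN = {("TCP", "80"), ("TCP", "22113"), ("TCP", "10092"), ("TCP", "28960")}

def parse_log_line(line):
    """Return the LOG fields of one line as a dict, or None if it is not ours."""
    if LOG_PREFIX not in line:
        return None
    payload = line.split(LOG_PREFIX, 1)[1]
    fields = dict(KV_RE.findall(payload))          # IN=, SRC=, PROTO=, DPT=, ...
    fields["FLAGS"] = sorted(t for t in payload.split() if t in TCP_FLAGS)
    return fields

def summarize(text):
    """Count filtered packets per (proto, dport) and per source; count TCP SYNs."""
    by_port, by_src, new_tcp = Counter(), Counter(), 0
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        proto = f.get("PROTO", "?")
        by_port[(proto, f.get("DPT", "-"))] += 1
        by_src[f.get("SRC", "?")] += 1
        new_tcp += proto == "TCP" and f["FLAGS"] == ["SYN"]   # bool adds 0 or 1
    return by_port, by_src, new_tcp

def explain(by_port):
    """Say, per filtered (proto, dport), why the posted open chain did not match."""
    hints = {}
    for proto, dport in by_port:
        others = sorted(p for p, d in OPEN_CHAIN if d == dport and p != proto)
        hints[(proto, dport)] = (f"port {dport} is ACCEPTed only for {'/'.join(others)}"
                                 if others else f"no ACCEPT rule for {proto} port {dport}")
    return hints

if __name__ == "__main__":
    ports, sources, syns = summarize(SAMPLE_LOG)
    for key, n in ports.most_common():
        print(f"{key[0]:4} dpt {key[1]:>6}: {n} filtered  ({explain(ports)[key]})")
```

Read the posted listing with `iptables -L -v -n` as well: without `-v` the interface match that the `interfaces` chain presumably carries and the per-rule packet counters are not shown, so a rule that reads "ACCEPT all anywhere anywhere" may in fact be limited to one interface.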
 
Old 04-07-2009, 02:31 PM   #3
spixx
LQ Newbie
 
Registered: Apr 2009
Posts: 5

Original Poster
No, I've made some adjustments and started using an AUR (Arch Linux) package called firetable. I will tell you if I fail at this too.
Tags
iptables, lockout, rules, server