Iptables letting some traffic trough but not all

spixx · 04-07-2009, 10:19 AM

Okay I have a server which I want to be able to use SSH, FTP, WWW and a COD(call of duty) server on. All is working but being paranoid I've also added a firewall (iptables) and added a bunch of rules from different guides over the Internet. I've read up about iptables and how the ruleset works but I can't seem to understand why my server suddenly hates me so totaly. I'm totaly shut-out from ssh, ftp (blaming my non-existant pasvports for that) but the WWW works just fine, so my thought was that ssh needs a pasv port-range like ftp? In any case the COD server doesnt work either on the standard port 28960.

So my question is how much of my file is wrong

?

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere            icmp address-mask-reply 
DROP       icmp --  anywhere             anywhere            icmp address-mask-request 
DROP       icmp --  anywhere             anywhere            icmp router-solicitation 
DROP       icmp --  anywhere             anywhere            icmp router-advertisement 
DROP       icmp --  anywhere             anywhere            icmp redirect 
DROP       all  --  127.0.0.0/8          anywhere            
DROP       all  --  192.168.0.0/16       anywhere            
DROP       all  --  172.16.0.0/12        anywhere            
DROP       all  --  10.0.0.0/8           anywhere            
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
interfaces  all  --  anywhere             anywhere            
open       all  --  anywhere             anywhere            
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable 
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
DROP       all  -f  anywhere             anywhere            
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
DROP       icmp --  anywhere             anywhere            icmp echo-request 

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain interfaces (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain open (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:22113 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10092 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:28960

win32sux · 04-07-2009, 01:37 PM

You could get rid of all those DROP rules and user-built chains, then stick a LOG rule at the end of your INPUT chain to see what the filtered packets look like. Also, keep in mind that building an iptables script out of "a bunch of rules from different guides over the Internet" is probably not a very good idea.

spixx · 04-07-2009, 02:31 PM

No I've made some adjustments and started using a AUR (archlinux) packages called firetable. I will tell you if I fail at this to