Old 11-20-2010, 12:12 AM   #1
bluepepsi
LQ Newbie
 
Registered: Sep 2009
Posts: 11

Rep: Reputation: 0
IPTables configuration


Please help me with my IPTables configuration. I need to let UDP ports 27010:27080, 9987, 3306 in, and all ports out.

This is my current IPTables configuration.

Code:
# Generated by iptables-save v1.3.5 on Thu Nov 18 08:37:37 2010
*filter
#:INPUT ACCEPT [2702967:168130693]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2654022:385250626]
COMMIT
# Completed on Thu Nov 18 08:37:37 2010
# Generated by iptables-save v1.3.5 on Thu Nov 18 08:37:37 2010
*mangle
:PREROUTING ACCEPT [2729744:169775256]
#:INPUT ACCEPT [2729744:169775256]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2655506:385560864]
:POSTROUTING ACCEPT [2655503:385560612]
COMMIT
# Completed on Thu Nov 18 08:37:37 2010
# Generated by iptables-save v1.3.5 on Thu Nov 18 08:37:37 2010
*nat
:PREROUTING ACCEPT [804243:43981102]
:OUTPUT ACCEPT [15128:1873906]
:POSTROUTING ACCEPT [15125:1873654]
COMMIT
# Completed on Thu Nov 18 08:37:37 2010

# other
-A INPUT -p udp -m udp --dport 27010:27080 -j ACCEPT 
-A INPUT -p udp -m udp --dport 3306 -j ACCEPT
-A INPUT -p udp -m udp --dport 9987 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Could you please help me accomplish this?
 
Old 11-20-2010, 04:48 AM   #2
grzesiek
LQ Newbie
 
Registered: Nov 2010
Location: Poland
Distribution: Debian
Posts: 20

Rep: Reputation: 0
iptables -L -nv ?
INPUT default is ACCEPT?
 
Old 11-20-2010, 06:51 AM   #3
Pencils
LQ Newbie
 
Registered: Nov 2010
Posts: 14

Rep: Reputation: 8
I don't know a great deal about these things, so I could be mistaken, but it looks to me like your firewall is accepting all connections in all directions, so essentially it's behaving as if it's switched off. It oughtn't be stopping your services over the given ports; however, for security reasons you may wish to adjust it so as to block inbound access on ports you're not using (otherwise it might as well be turned off), for example by changing the policy for the INPUT chain to REJECT (run the following commands from a terminal with root privileges):

Code:
# iptables -P INPUT DROP   # a built-in chain's policy can only be ACCEPT or DROP; REJECT is valid only as a rule target
Or by adding a final rule to the ruleset that will accomplish the same thing:

Code:
# iptables -A INPUT -j REJECT
Note that in both these cases you will want to allow explicitly any other ports that you are using, as well as telling it to allow established connections back through the net (so that outbound requests can get a response):

Code:
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
I stress that you should add this and any other "ACCEPT" rules before adding a default deny rule (the second option above); any rules after the latter will not take effect (because no packets would ever make it that far down the chain, all having previously met the criteria for rejection).

You are advised to double-check the validity of this advice with your local manual.

Last edited by Pencils; 11-20-2010 at 06:52 AM.
 
Old 11-20-2010, 06:53 AM   #4
user100
Member
 
Registered: Aug 2010
Posts: 64

Rep: Reputation: 0
It looks like it's working, but you could add or modify the last rules to:

Code:
iptables -A INPUT -p tcp -i eth0 --dport 27010:27080 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 9987 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 3306 -m state --state NEW -j ACCEPT
To see if it worked properly, try what you want to use it for, or port scan it to see what results it provides.
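
An added example, not part of any post in this thread: a shell/awk check over an iptables-save style file for two ordering problems the thread touches on, namely rules appended after a catch-all REJECT/DROP (the warning in post #3) and rule lines that sit after COMMIT, outside any table block (as in the file in post #1). The names `sample_rules` and `lint_rules` and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an iptables-save style ruleset read from stdin.

# Constructed sample ruleset (not the poster's file) containing both mistakes.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 27010:27080 -j ACCEPT
-A INPUT -j REJECT
-A INPUT -p udp -m udp --dport 9987 -j ACCEPT
COMMIT
-A INPUT -p udp -m udp --dport 3306 -j ACCEPT
EOF
}

# lint_rules (hypothetical helper): prints one finding per problem rule.
lint_rules() {
    awk '
    NF == 0 || /^#/ { next }                  # skip blank lines and comments
    /^\*/     { table = substr($1, 2); split("", closed); next }
    /^COMMIT/ { table = ""; next }
    $1 != "-A" { next }                       # chain policy lines and the like
    table == "" {                             # rule is not inside *table ... COMMIT
        printf "line %d: outside any table block: %s\n", NR, $0
        next
    }
    {
        chain = $2
        if (chain in closed)                  # an earlier rule already matched everything
            printf "line %d: unreachable after catch-all on line %d: %s\n", NR, closed[chain], $0
        else if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT"))
            closed[chain] = NR                # "-A CHAIN -j DROP|REJECT" has no match options
    }
    '
}

sample_rules | lint_rules
```

To check a real file, pipe it in the same way, for example the output of `iptables-save`.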
 
  

