[SOLVED] Debian 8 - iptables

morphix · 07-06-2015, 10:48 PM

Hi Guys,

I have recently installed a new server with Debian 8 (previously been using Ubuntu and Debian 7).

I have added only 1 or 2 iptables rules on INPUT chain only, not FORWARD or OUTPUT and then added default DROP policy.

What i've found, for some reason i can ping an internal IP (eg. router, or another server) but i cannot ping anything externally nor connect either internal or external via http, dns, etc (hostname or IP).

The rules are (3rd all rule being, for lo interface):

Quote:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.2.0/24 0.0.0.0/0 tcp dpt:22
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I'm a little baffled by this behaviour and need some guidance.

lazydog · 07-07-2015, 01:10 PM

Run the following command and then paste the paste the contents of the file.

Code:

 iptables-save > /etc/iptables.up.rules

morphix · 07-07-2015, 05:53 PM

I should have done that first, but there it is:

Quote:

*filter
:INPUT DROP [26408:5102000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [922:110412]
-A INPUT -s 192.168.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT

As you can see, nothing is touching OUTPUT, but it seems to be getting blocked for some reason (except ping to LAN IPs)

lazydog · 07-08-2015, 11:09 AM

Hopefully your server only has one interface. If not the you need to add to the firewall rules which interface the rule should apply to. Looking at your rules you only allow a non-routed IP to your system via ssh.

Maybe you could give this a try

Code:

*filter
:INPUT DROP [26408:5102000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [922:110412]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -s 192.168.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT 
COMMIT

Also check your routing table to ensure all your routes are correct;

Code:

route -n

morphix · 07-08-2015, 11:09 PM

Yes, at this point only SSH inbound from local network only inbound.

The odd thing, i'm not touching OUTPUT so i don't know why it would be blocking it.

This machine is single interface only.

The routing is correct, as if i do:

Code:

iptables -P INPUT ACCEPT

I get outbound traffic working again, which is bizarre.

lazydog · 07-09-2015, 09:37 AM

Your rules were not/are not Stateful based. Which means while you allowed everything out you were only allowing 22 back in locally. By switching to Stateful (what I have supplied) your return traffic is allowed because of the ESTABLISHED,RELATED rule.

morphix · 07-12-2015, 07:27 PM

Thanks mate, this worked a dream.

lazydog · 07-16-2015, 07:03 AM

Glad I could help. Please mark this thread as resolved.