[SOLVED] Iptables debachle im going through

szboardstretcher · 09-02-2013, 11:30 PM

I have no excuse,.. its late, im hungry,.. etc.

But I cannot figure out my issue here. It must be the ordering but im not seeing it, and i keep locking myself out of my box. Can someone take a glance and fix me please? Basically, where should I be putting my allow dst port rules?

Code:

cat > /etc/network/iptables.rules << EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [144:26289]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctsate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m onntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unrachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
# Guessing this group is in the wrong place#
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 81 -j ACCEPT
-A INPUT -p tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp --dport 6379 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp --dport 8082 -j ACCEPT
-A INPUT -p tcp --dport 8083 -j ACCEPT
-A INPUT -p tcp --dport 8084 -j ACCEPT
-A INPUT -p tcp --dport 9418 -j ACCEPT
##
-A INPUT -j REJECT --reject-with icmp-proto-unrachable
COMMIT
EOF

unSpawn · 09-03-2013, 01:03 AM

Apart from better posting 'iptables-save' output, something like this?

Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m multiport --dports 22,80,81,3000,6379,8080:8084,9418 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A OUTPUT -o lo -j ACCEPT
COMMIT

szboardstretcher · 09-03-2013, 09:23 PM

That was it thank you. Have some more rep!