Old 03-14-2016, 05:23 AM   #1
prkulkar
LQ Newbie
 
Registered: Jan 2009
Posts: 7

Rep: Reputation: 0
iptables - default output policy is ACCEPT still there is connectivity issue


Hi I have my iptable entries as below.

i want to all the required incoming connections and then drop all the incoming after that. my output is accept all. still facing issue where one of the nodes running OEM manager unable to connect to the server. Do I need to create specific output chain rules as well??

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source>/24 -d <destination> -p tcp --match multiport --dports 22,5901,17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 7092 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth2 -s <source> -d <destination> -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --match multiport --dports 22,3872 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d <destination> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s <destination> -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -s <destination> -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d <destination> -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
 
Old 03-14-2016, 06:53 AM   #2
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 509

Rep: Reputation: 203
Hi there,

I assume the policy (-p) for OUTPUT is ACCEPT? If so, you don't need to create specific output chain rules as well.

Can you elaborate on the interfaces (eth0 vs eth2)? Via which interface and on which port is the traffic in question coming into the server? Are you sure it is the firewall that is blocking the connection in question?

It might be an idea to add some logging to try and confirm whether and where the packets are being dropped. Something like this just before the last rule above should help:

Code:
iptables -A INPUT -m limit --limit 5/s -j LOG --log-prefix INPUT_DROP
iptables -A OUTPUT -m limit --limit 5/s -j LOG --log-prefix OUTPUT_DROP
Regarding ICMP packets, it looks like you're blocking everything except for some pings. It is generally not a good idea to block most ICMP packets, as they are required for the proper operation of your connections. Think for example about redirects, fragmentation & TTL exceeded. I'm also not sure that state makes sense for ICMP packets (but might be missing something here).

I hope this helps.
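Once those LOG rules are in place, the useful next step is to summarise what the kernel actually logged rather than reading raw lines. The following is an added example (not from this thread): a POSIX sh/awk summariser over constructed kernel log lines in the format iptables LOG emits, counting hits by log prefix, inbound interface, protocol, destination port and source. It also handles the common pitfall that a `--log-prefix` given without a trailing space gets glued onto `IN=` (e.g. `INPUT_DROPIN=eth0`).

```shell
#!/bin/sh
# Constructed sample of /var/log/kern.log lines (not real captures).
# Line 3 shows the "prefix glued to IN=" case; the last line is not a LOG line.
SAMPLE_LOG='Mar 15 05:10:01 srv kernel: INPUT_DROP IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=5901 SYN
Mar 15 05:10:02 srv kernel: INPUT_DROP IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=51235 DPT=5901 SYN
Mar 15 05:10:03 srv kernel: INPUT_DROPIN=eth0 OUT= SRC=192.168.1.51 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 15 05:10:04 srv kernel: INPUT_DROP IN=eth2 OUT= SRC=10.0.0.7 DST=10.0.0.10 LEN=84 TTL=64 PROTO=ICMP TYPE=3 CODE=4
Mar 15 05:10:05 srv kernel: OUTPUT_ACCEPT IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.50 LEN=52 TTL=64 PROTO=TCP SPT=22 DPT=51000 ACK
Mar 15 05:10:06 srv sshd[123]: Accepted publickey for admin from 192.168.1.50'

# Read LOG lines on stdin, print "count prefix in_if proto dport src", most frequent first.
summarize_log() {
  awk '
  {
    prefix = ""; in_if = "-"; proto = "-"; dpt = "-"; src = "-"
    for (i = 1; i <= NF; i++) {
      if (prefix == "" && $i ~ /IN=/) {
        # The prefix is the token before IN=, or, when --log-prefix had no
        # trailing space, the text glued onto the front of the IN= token.
        p = index($i, "IN=")
        prefix = (p > 1) ? substr($i, 1, p - 1) : (i > 1 ? $(i - 1) : "-")
        if (substr($i, p + 3) != "") in_if = substr($i, p + 3)
      } else if ($i ~ /^PROTO=/) proto = substr($i, 7)
      else if ($i ~ /^DPT=/)     dpt = substr($i, 5)
      else if ($i ~ /^SRC=/)     src = substr($i, 5)
    }
    if (prefix == "") next   # not an iptables LOG line (e.g. sshd), skip it
    count[prefix " " in_if " " proto " " dpt " " src]++
  }
  END { for (k in count) print count[k], k }' | sort -rn
}

# Run the summariser over the constructed sample; on a real host use
#   grep -E 'INPUT_DROP|OUTPUT_' /var/log/kern.log | summarize_log
summarize_sample() { printf '%s\n' "$SAMPLE_LOG" | summarize_log; }

summarize_sample
```

A line such as `2 INPUT_DROP eth0 TCP 5901 192.168.1.50` tells you directly which rule is missing (here: LAN access to VNC on eth0), which is what the thread spends several posts trying to establish.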
 
Old 03-15-2016, 01:59 AM   #3
prkulkar
LQ Newbie
 
Registered: Jan 2009
Posts: 7

Original Poster
Rep: Reputation: 0
iptables - default output policy is ACCEPT still there is connectivity issue

Hi cliffordw

Thanks for the reply. Yes, my default output policy is ACCEPT. I have enabled the logging and I see that the packets are being dropped. I am sure that the firewall is dropping them because as soon as I shut it down the communication goes through, and it's evident in the logs now.

In fact the packets are being dropped for many hosts, as I see in the logs. The ports are ssh, OEM agent, VNC etc. The interfaces are eth0 and eth2, primary and backup.

Please advise. Thanks for your help.
 
Old 03-15-2016, 03:00 AM   #4
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
On some connections you don't include --state RELATED and on some you do. Maybe you should clean that up. And while at it, just create a rule for --state NEW and not --state NEW,ESTABLISHED,RELATED. Then create a global --state rule like this:

Quote:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Also, accepting any connection on your fallback interface from a special IP kinda defies the sense of iptables.
 
Old 03-15-2016, 04:18 AM   #5
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 509

Rep: Reputation: 203
Hi,

Quote:
Originally Posted by prkulkar View Post
I have enabled the logging and I see that the packets are being dropped.
What exactly are you seeing in the logs?

My suggested logging commands were a little misleading: "OUTPUT_DROP" isn't dropping anything, just logging all packets reaching the end of the chain. It's probably best to change that to "OUTPUT_ACCEPT". Sorry for the confusion on that!

If the log messages are tagged with "INPUT_DROP", what are the details - interface, protocol, port, etc?

Have you eliminated ICMP packets as the cause of the problem, either by changing the ICMP rules as I suggested, or with "--state RELATED" as zhjim suggested?
 
Old 03-15-2016, 05:02 AM   #6
prkulkar
LQ Newbie
 
Registered: Jan 2009
Posts: 7

Original Poster
Rep: Reputation: 0
iptables - default output policy is ACCEPT still there is connectivity issue

OK, thanks for your input.

My problem with the OUTPUT chain is solved now, but I still have one issue. Here it is:

iptables -A INPUT -i eth0 -s 192.168.x.x/24 -d <destination> -p tcp --dport 5901 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -o eth2 -d 0.0.0.0/0 -j ACCEPT
iptables -I INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP

Now I am not able to VNC to the server <destination> from my local network. If I flush all the rules and then just run the first line I can connect to VNC. But in this order, when after all the allowed connections I want to drop all the incoming connections, I am not able to do that.

Hi cliffordw

I know the commands you gave were more of prefixes and I have modified those. Yes, the ICMP rules are disabled now and I don't see any packet drops in the logs, but considering the above snippet I am not able to connect to the VNC port as mentioned above if I drop all the input at the end.

Last edited by prkulkar; 03-15-2016 at 05:31 AM. Reason: more information
 
Old 03-15-2016, 05:30 AM   #7
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 509

Rep: Reputation: 203
Hi,

Let's simplify first: you don't need any "-I OUTPUT ... -j ACCEPT" rules at all if the policy is ACCEPT.

For the "--state ESTABLISHED,RELATED" rule, there is no need to specify an interface.

To troubleshoot your problem, are you still logging what gets blocked? If so, look in the logs for messages that are tagged with "INPUT_DROP" and contain your IP address. What do they say?

What rules do you have in place for traffic on the loopback interface?
 
Old 03-15-2016, 07:09 AM   #8
prkulkar
LQ Newbie
 
Registered: Jan 2009
Posts: 7

Original Poster
Rep: Reputation: 0
iptables - default output policy is ACCEPT still there is connectivity issue

Thanks for bearing with me, and thanks for the help.

I believe I need the "-I OUTPUT ... -j ACCEPT" rules because if I don't do that it starts dropping the output packets for which I have not defined any INPUT rule.

Interestingly there are no INPUT_DROP messages in the log. Still I can't connect to the VNC port from the local LAN.

Let me tell you my requirement:
  • allow all communication on loopback
  • accept communication from certain IPs on certain ports
  • after this reject all input traffic
  • allow all the output traffic (since there are some IP's which i dont want to block the output communication for)

Here are my rules:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <subnet/LAN>/24 -d <destination> -p tcp --match multiport --dports 22,5901,17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 7092 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
iptables -I INPUT -i eth0 -s <subnet/LAN>/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -o eth2 -d 0.0.0.0/0 -j ACCEPT
iptables -I INPUT -i eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT
iptables -A OUTPUT -j LOG --log-prefix OUTPUT_DROP -m limit --limit 5/s
iptables -A INPUT -j LOG --log-prefix INPUT_DROP -m limit --limit 5/s
 
Old 03-15-2016, 08:29 AM   #9
prkulkar
LQ Newbie
 
Registered: Jan 2009
Posts: 7

Original Poster
Rep: Reputation: 0
iptables - default output policy is ACCEPT still there is connectivity issue

Hi.

I think I found what the issue is. I am behind a network firewall, and when traffic goes through my desktop it gets a NATed IP, so if I drop the input chain it basically does not allow any connections.

Please let me know how I can allow all the input and output traffic for NAT.
 
Old 03-15-2016, 12:14 PM   #10
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Quote:
Originally Posted by prkulkar View Post
Hi.

I think i found what the issue is.. i am behind a network firewall and when traffic goes through my desktop it gets a NATed IP and so if I drop the input chain it basically does not allow any connections.

please let me know how can i allow all the input and output traffic for NAT
So this box is used as a router. You should be looking at the FORWARD chain and not the INPUT or OUTPUT chain. Packets that pass through only go through the FORWARD chain.

Last edited by lazydog; 03-15-2016 at 12:20 PM.
 
Old 03-16-2016, 03:50 AM   #11
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
I just went ahead and rewrote the rules to better suit a stateful firewall. Nothing fancy, just made a global --state rule for all established and related connections. Also cleaned up the other states so they only need --state NEW.
For the -j REJECT rules at the bottom you should choose one. It does not really matter which one.
You should now be able to set the default policies of INPUT and OUTPUT to DROP or REJECT.
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -s <subnet/LAN>/24 -d <destination> -p tcp --match multiport --dports 5901,17101 -m state --state NEW -j ACCEPT
iptables -I INPUT -i eth0 -s <subnet/LAN>/24 -m state --state NEW -j ACCEPT
iptables -I INPUT -i eth2 -m state --state NEW -j ACCEPT

iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 17101 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -s <source> -d <destination> -p tcp --dport 7092 -m state --state NEW -j ACCEPT

iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

iptables -A INPUT -j LOG --log-prefix INPUT_DROP -m limit --limit 5/s

iptables -I OUTPUT -o eth0 -j ACCEPT
iptables -I OUTPUT -o eth2 -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix OUTPUT_DROP -m limit --limit 5/s
Regarding the NATting: it might be hard to set an explicit -s ip.ad.dr.es due to it being non-static, meaning you can't tell for sure if you always have the same IP after NAT. Maybe add a -j LOG before the rule where you only allow a single source address and see if it stays the same. (Also this is no proof that it won't change in future.)
You might also hit a brick wall with the intermediate firewall. Try to get those ports open that you need. (You have to ask the person responsible for it.)
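The structure zhjim describes (loopback first, one global ESTABLISHED,RELATED rule, NEW rules per service, then a catch-all) is easiest to get right as a script. The following is an added example (not from any poster in this thread) that emits that ruleset in a safe order; one detail it fixes compared with the listings above is that LOG is a non-terminating target, so it has to sit before the REJECT/DROP rule or it never fires. `LAN_NET` and `SERVER_IP` are placeholders, and `DRY_RUN=1` (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Stateful INPUT ruleset generator. DRY_RUN=1 prints commands; run as root with
# DRY_RUN=0 to apply. LAN_NET / SERVER_IP are placeholders to be substituted.
DRY_RUN="${DRY_RUN:-1}"
LAN_NET="${LAN_NET:-<subnet/LAN>/24}"
SERVER_IP="${SERVER_IP:-<destination>}"

ipt() {
  if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

gen_rules() {
  ipt -F INPUT
  # 1. Loopback is always allowed.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
  # 2. One global rule for packets belonging to connections already accepted.
  #    No interface match is needed, and RELATED covers the ICMP errors
  #    (fragmentation needed, TTL exceeded) that per-connection rules would drop.
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 3. Only NEW connections need per-service rules now.
  ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
  ipt -A INPUT -i eth0 -s "$LAN_NET" -d "$SERVER_IP" -p tcp -m multiport --dports 5901,17101 -m state --state NEW -j ACCEPT
  ipt -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
  # 4. LOG does not stop rule traversal, so it must precede the terminating
  #    rule. Trailing space in the prefix keeps it separated from "IN=" in the log.
  ipt -A INPUT -m limit --limit 5/s -j LOG --log-prefix "INPUT_DROP "
  ipt -A INPUT -j REJECT --reject-with icmp-port-unreachable
  # 5. Policies as a backstop: INPUT DROP, OUTPUT ACCEPT (the poster's requirement),
  #    so no "-I OUTPUT ... -j ACCEPT" rules are needed.
  ipt -P INPUT DROP
  ipt -P OUTPUT ACCEPT
}

gen_rules
```

Apply it from a console or with a scheduled `iptables -F` fallback so a mistake cannot lock you out of SSH.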
 