Old 03-04-2023, 03:15 AM   #1
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Rep: Reputation: 31
Cool iptables INPUT Chain default policy to drop block Intellij IDE connection


Dear all forumers, I would like to set the INPUT, FORWARD and OUTPUT chain default policy to DROP and enable outgoing connections only, but when I set the INPUT chain policy to DROP, my IntelliJ IDE automation testing script is not able to run. Now, I need to set all three chains to the ACCEPT policy.

I don't have sshd nor a web server. It is just a workstation.

Why is it like this? How do I properly set iptables to block all incoming and allow all outgoing? Please share the rules and commands.

Below are the example rules I got from the internet:

Quote:
iptables -A INPUT -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

----------------------------------------------------------
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -N LOGGING

iptables-save > /etc/sysconfig/iptables

By the way, I'm using CentOS Stream 9 with firewalld enabled (firewall-cmd). Is firewalld strong enough to block incoming hacking connections?

I'm reading some articles about iptables saying that when you make both the INPUT and OUTPUT chain's default policy DROP, for every firewall rule requirement you have, you should define two rules, i.e. one for incoming and one for outgoing.

How to do that? https://www.thegeekstuff.com/2011/06...ules-examples/


Please help. Thanks in advance.

Last edited by Peter_APIIT; 03-04-2023 at 04:05 AM.
 
Old 03-04-2023, 05:49 AM   #2
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
I am still not able to solve the IntelliJ IDE automation testing "open Chrome" problem. What rules should I add?

Quote:
# Generated by iptables-save v1.8.8 (nf_tables) on Sat Mar 4 19:47:18 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.0.0/24 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A FORWARD -j DROP
Please help. Thanks in advance.

Last edited by Peter_APIIT; 03-04-2023 at 07:02 AM.
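A worked "drop all incoming, allow all outgoing" ruleset in iptables-restore format, added here as an example and not taken from the thread or from the linked article. It addresses the rule-ordering problem visible in both posts above: a bare "-A INPUT -j DROP" placed before other INPUT rules makes everything after it unreachable, and the chain policy already covers the drop. The function names, the IPTABLES_RESTORE variable and the log prefix are my own choices; the script assumes a single workstation with no listening services and deals with IPv4 only (ip6tables needs the same treatment separately).

```shell
#!/bin/sh
# Added example (not from the thread): a stateful INPUT-drop ruleset in
# iptables-restore format, ordered so that no catch-all DROP shadows the
# loopback and ESTABLISHED accepts. Assumes a workstation with no services.
set -eu

# Emit the ruleset on stdout. OUTPUT stays at ACCEPT, which is what
# "allow all outgoing" means; an OUTPUT DROP policy would need a matching
# OUTPUT rule for every outbound service (DNS, HTTP, updates, ...).
build_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: IDE <-> chromedriver/browser traffic on 127.0.0.1 is here.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (browsing, DNS answers, updates).
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot classify.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Log (rate-limited) what is about to be dropped, so a blocked test run
# shows its port and source in the kernel log instead of failing silently.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-drop: "
# No bare "-j DROP" here: the chain policy already drops whatever remains.
COMMIT
EOF
}

# Sanity check on the generated text: no unconditional INPUT drop, and the
# loopback accept is the first INPUT rule. Returns 0 when the order is right.
check_order() {
    rules=$(build_rules | grep '^-A INPUT')
    if printf '%s\n' "$rules" | grep -q '^-A INPUT -j DROP$'; then
        return 1
    fi
    printf '%s\n' "$rules" | head -n 1 | grep -q '^-A INPUT -i lo -j ACCEPT$'
}

# Load the whole table atomically (all-or-nothing, unlike a series of
# iptables -A calls). IPTABLES_RESTORE is an assumed override for dry runs.
apply_rules() {
    check_order
    build_rules | "${IPTABLES_RESTORE:-iptables-restore}"
}
```

After loading, `iptables -L INPUT -v -n --line-numbers` shows per-rule packet counters, and any "INPUT-drop:" line in the kernel log names the port a blocked test run needed.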
 
Old 03-04-2023, 02:44 PM   #3
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
Anyone please help... Thanks in advance.
 