LinuxQuestions.org


lemx 04-10-2009 07:15 PM

Iptables isn't allowing any outgoing connections
 
I have a VPS which is on an OpenVZ system and it's running CentOS 5.3, fully patched. Iptables is set up for use in the VEs and I'm not exceeding numiptent. I'm using the iptables rules found at http://www.groovygrails.de/blog/groo...our_vps_with_a
which seems to be exactly what I want. When I have it loaded, websites, email, ftp, ssh, everything works. From my understanding of the script it should allow all outgoing connections. The problem comes when I ssh in: I can't get any outgoing connections, no DNS lookups, no ftp, no http, yum doesn't work (can't resolve), no pings, no traceroutes, nothing. If I disable iptables I have outgoing connections, so I think that's where the problem lies.

This is the output from iptables -L with it loaded:
Code:

Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:https
ACCEPT    udp  --  anywhere            anywhere            udp dpt:domain
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:smtp
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:smtps
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:pop3
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:imap
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:pop3s
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:imaps
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ftp
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP      tcp  --  anywhere            anywhere            tcp flags:SYN,RST/SYN,RST
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN/FIN,SYN
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,ACK/FIN
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
ACCEPT    icmp --  anywhere            anywhere            icmp echo-reply
ACCEPT    icmp --  anywhere            anywhere            icmp destination-unreachable
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
ACCEPT    icmp --  anywhere            anywhere            icmp echo-request limit: avg 1/sec burst 5
DROP      icmp --  anywhere            anywhere           

Chain FORWARD (policy DROP)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

I've been reading man pages and websites but I can't find a reason for this to be happening. I'd welcome any solutions or if anyone has any ideas that I can use to troubleshoot.

Thanks

lemx 04-10-2009 09:41 PM

I've done some more troubleshooting, and using tcpdump I can see the outgoing dig (for example) requests and I see the incoming packets from the DNS server in tcpdump while dig reports a timeout. So it looks like my problem is with the input filters. Time to start troubleshooting them.

edit: looks like my -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT isn't seeing the related connections at all. Where do I go from here?
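Once the stateful ACCEPT rule is suspected of not matching replies, the quickest check is the per-rule packet counters from iptables -L INPUT -v -n (plain iptables -L hides both the counters and the interface column, which is why the second ACCEPT line above shows no interface). The script below is an added example, not code from the thread: it parses a constructed listing and flags the signature of a connection tracker that is not seeing replies, zero hits on the RELATED,ESTABLISHED rule while the chain's DROP policy keeps counting; the sample counters are invented.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -v -n` output (not from the post):
# the stateful rule has zero hits while the DROP policy has absorbed packets,
# which is what replies falling past a non-working conntrack look like.
SAMPLE_BROKEN='Chain INPUT (policy DROP 137 packets, 18240 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   12   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80'

# Constructed healthy listing: replies are being matched by the stateful rule.
SAMPLE_OK='Chain INPUT (policy DROP 2 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination
  954 81220 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   12   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'

# state_rule_hits LISTING: packet count of the first RELATED,ESTABLISHED ACCEPT rule
state_rule_hits() {
    printf '%s\n' "$1" | awk '/ACCEPT/ && /RELATED,ESTABLISHED/ { print $1; exit }'
}

# policy_drops LISTING: packets dropped by the INPUT chain's DROP policy
policy_drops() {
    printf '%s\n' "$1" | awk '/^Chain INPUT \(policy DROP/ { print $5; exit }'
}

# conntrack_verdict LISTING: "ok" when the stateful rule is matching replies,
# "conntrack-not-matching" when replies are hitting the policy instead
conntrack_verdict() {
    hits=$(state_rule_hits "$1")
    drops=$(policy_drops "$1")
    if [ "${hits:-0}" -eq 0 ] && [ "${drops:-0}" -gt 0 ]; then
        echo "conntrack-not-matching"
    else
        echo "ok"
    fi
}

# On a live host, run a lookup and compare before/after:
#   iptables -L INPUT -v -n | sh -c '. ./this_script; conntrack_verdict "$(cat)"'
```

Run the diagnosis twice around a dig or ping; if the stateful rule's counter never moves while the policy counter does, the packets are arriving (as tcpdump shows) but are not being associated with the outgoing connection.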
