LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-10-2009, 07:15 PM   #1
lemx
LQ Newbie
 
Registered: Apr 2009
Posts: 2

Rep: Reputation: 0
Iptables isn't allowing any outgoing connections


I have a VPS which is on an OpenVZ system and it's running CentOS 5.3 fully patched. Iptables is set up for use in the VEs and I'm not exceeding numiptent. I'm using the iptables rules found at http://www.groovygrails.de/blog/groo...our_vps_with_a which seems to be exactly what I want. When I have it loaded, websites, email, ftp, ssh, everything works. From my understanding of the script, it should allow all outgoing connections. The problem comes when I ssh in: I can't get any outgoing connections, no dns lookups, no ftp, no http, yum doesn't work (can't resolve), no pings, no traceroutes, nothing. If I disable iptables I have outgoing connections, so I think that's where the problem lies.

This is the output from iptables -L with it loaded:
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtps 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,ACK/FIN 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5 
DROP       icmp --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I've been reading man pages and websites but I can't find a reason for this to be happening. I'd welcome any solutions or if anyone has any ideas that I can use to troubleshoot.

Thanks
 
Old 04-10-2009, 09:41 PM   #2
lemx
LQ Newbie
 
Registered: Apr 2009
Posts: 2

Original Poster
Rep: Reputation: 0
I've done some more troubleshooting and using tcpdump I can see the outgoing dig (for example) requests and I see the incoming packets from the dns server in tcpdump while dig reports a time out. So it looks like my problem is with the input filters. Time to start troubleshooting them.

edit: looks like my -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT isn't seeing the related connections at all, where do I go from here?

Last edited by lemx; 04-10-2009 at 10:58 PM.
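
One way to check the observation in post #2 (replies arrive on the wire but the RELATED,ESTABLISHED rule does not accept them) is to compare that rule's packet counter with the INPUT chain's policy counter. This is an added example, not part of the original thread; the counter values in `sample_counters` are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: interpret `iptables -L INPUT -v -n -x` output.
# A state rule stuck at 0 packets while the DROP policy counter grows means
# reply packets are falling through to the policy instead of being tracked.

# Constructed sample output (not taken from the thread).
sample_counters() {
cat <<'EOF'
Chain INPUT (policy DROP 37 packets, 2812 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
      12      720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     140     8400 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
EOF
}

# Reads the listing on stdin; prints "<state_rule_pkts> <policy_pkts>".
# Prints "missing" as the first field when no such ACCEPT rule exists.
conntrack_counters() {
    awk '
        /^Chain INPUT/ { policy = $5 }
        /state RELATED,ESTABLISHED/ && $3 == "ACCEPT" { state = $1; found = 1 }
        END { if (!found) state = "missing"; print state, policy + 0 }
    '
}

# Reads the listing on stdin; prints a one-word verdict.
diagnose() {
    set -- $(conntrack_counters)
    if [ "$1" = "missing" ]; then
        echo "no-state-rule"
    elif [ "$1" -eq 0 ] && [ "$2" -gt 0 ]; then
        echo "state-rule-never-matched"
    else
        echo "state-rule-matching"
    fi
}

# Demo on the constructed sample.
sample_counters | diagnose
```

On a live system, run `iptables -L INPUT -v -n -x | diagnose` as root after generating some outbound traffic. The `-v` listing also shows the `in` interface column, which the plain `iptables -L` output in post #1 omits.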
 
  


All times are GMT -5.
