LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-10-2009, 08:15 PM   #1
lemx
LQ Newbie
 
Registered: Apr 2009
Posts: 2

Rep: Reputation: 0
Iptables isn't allowing any outgoing connections


I have a vps which is on an openvz system and it's running centos 5.3 fully patched. Iptables is setup for used in the VEs and I'm not exceeding numiptent. I'm using the iptables rules found at http://www.groovygrails.de/blog/groo...our_vps_with_a
which seems to be exactly what I want. When I have it loaded websites, email, ftp, ssh everything works. From my understanding of the script it should allow all outgoing connections. The problem comes when I ssh in I can't get any outgoing connections, no dns lookups, no ftp, no http, yum doesn't work (can't resolve), no pings no traceroutes, nothing. If I disable iptables I have outgoing connections so I think that's where the problem lays.

This is the ouput from iptables -L with it loaded:
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtps 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,ACK/FIN 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5 
DROP       icmp --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I've been reading man pages and websites but I can't find a reason for this to be happening. I'd welcome any solutions or if anyone has any ideas that I can use to troubleshoot.

Thanks
 
Old 04-10-2009, 10:41 PM   #2
lemx
LQ Newbie
 
Registered: Apr 2009
Posts: 2

Original Poster
Rep: Reputation: 0
I've done some more troubleshooting and using tcpdump I can see the outgoing dig (for example) requests and I see the incoming packets from the dns server in tcpdump while dig reports a time out. So it looks like my problem is with the input filters. Time to start troubleshooting them.

edit: looks like my -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT isn't seeing the related connections at all, where do I go from here?

Last edited by lemx; 04-10-2009 at 11:58 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables problem allowing incoming connections ikinnu Linux - Networking 1 07-17-2008 06:42 AM
iptables: should I ACCEPT incomming pakets for my outgoing connections? iflorea Linux - Networking 2 08-11-2006 07:51 AM
Allowing connections to port 8080 in iptables apache363 Linux - Software 1 10-12-2004 03:14 PM
Allowing Outgoing ports in Smoothwall 0.9.9 AndyShark Linux - Security 2 10-06-2002 09:07 AM
Allowing outgoing ports in Smoothwall 0.9.9 AndyShark Linux - Networking 3 10-05-2002 06:56 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:26 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration