iptables locks me out, but only on one server

mkools · 07-13-2013, 08:56 PM

This is weird, I have 2 VPS servers, OpenVZ, both CentOS 6.4 x64, they're exactly the same.
This is the iptables script I'm using (Purpose: allow all outgoing, restrict mysql, allow SSH)

Code:

#!/bin/bash --
LANG=C; LC_ALL=C; export LANG LC_ALL
iptables -F; iptables -X

# List policies first
iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT

# Always allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Performance-wise let this back in early:
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

# Allow public services
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Allow MySQL only from specific networks
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 1.1.1.1/24 --dport 3306 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 2.2.2.2/24 --dport 3306 -j ACCEPT

# No traffic should reach this line
iptables -A INPUT -j LOG --log-prefix "IN_LEFTOVERS "
iptables -A OUTPUT -j ACCEPT

# Always end a script the right way
exit 0

Now, I run this on one machine and everything is fine. Everything works. When I run it on the other machine the system locks me out completely and I have to flush the rules to regain access, SSH, MySQL everything gets blocked.

What am I doing wrong?

Thanks!

Ser Olmy · 07-14-2013, 01:32 AM

Having both -m tcp and -p tcp seems redundant. Other than that it looks fine.

Actually, the man pages list the syntax for the "tcp" match as -m tcp --protocol tcp, which should be equivalent to -p tcp. Could it be that the problematic server has a version of iptables that chokes on -m tcp -p tcp? That would certainly explain why you get locked out, as the remaining rules don't allow anything but connections matching the ESTABLISHED condition.