Newbie question about IPtables script
I'm having trouble with all traffic being blocked to my server whenever the iptables service is started (which always happens on a reboot). I have not yet altered any of the default values in IPtables, so I am unsure why this is happening.
I am running CentOS 6.3, and just installed the Plesk firewall GUI module, but have not changed the default settings on that either. I am perfectly willing to do the weeks of work necessary to learn IPTables etc., but for this moment I'm pretty desperate just to get it to stop blocking everything and locking me out in the meantime. Can anyone who is knowledgeable about IPTables look at the following "iptables.save" and let me know what is blocking everything, and point me in the right direction? I'm sure that if I could just get some initial "mentoring" on this, I could take it from there. I just need some guru to hold my hand a bit at first. So what I have is this:
Code:
# Generated by iptables-save v1.4.7 on Thu Jan 10 17:45:19 2013

So what's killing all communication here???
Traffic got filtered due to something (or somebody ;-p) mucking with the default rule set. This is what /etc/sysconfig/iptables looks like out of the box:
Code:
# Firewall configuration written by system-config-securitylevel
Thanks! That is very helpful...as well as disturbing to see how much it's been messed up.
I basically need to allow:
- web access (port 80, and https)
- SMTP and POP
- SSH
- FTP
- access to port 3306 *only to the server's own IP*, to enable MySQL via localhost only.
I'll see if I can figure out how to do that, but if you want to help me along a bit in accomplishing that, I'd certainly not be opposed to any added help. I really want to lock things down very well, but not block the vital ports and services. Also, how do I apply these settings to IPTables? What is the best way? Thanks again.
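A complete ruleset covering the list of services above, in the iptables-save format that /etc/sysconfig/iptables uses on CentOS 6. This is an added example written for this thread, not a ruleset posted by anyone in it; the port numbers are the standard ones for the services named, and the loopback and ESTABLISHED/RELATED rules are the usual stateful baseline. The script only prints the ruleset (to stdout, or to a file given as its first argument); loading it with iptables-restore and persisting it with `service iptables save` stay separate, deliberate steps.

```shell
#!/bin/sh
# Ruleset for the services listed above, in the iptables-save format that
# /etc/sysconfig/iptables uses on CentOS 6. Added example for this thread;
# port numbers are the standard ones for the named services.
# Usage: sh gen-rules.sh [FILE]   (prints to stdout when no FILE is given)

gen_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: this is what lets local clients reach MySQL on 3306.
-A INPUT -i lo -j ACCEPT
# Replies to connections the server (or an accepted client) already has.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Rate-limited ping so monitoring still works.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Web: HTTP and HTTPS
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Mail: SMTP and POP3 (add 587 or 995 here the same way if you serve them)
-A INPUT -p tcp -m multiport --dports 25,110 -m state --state NEW -j ACCEPT
# FTP control channel; data channels arrive as RELATED once the
# nf_conntrack_ftp helper is loaded.
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# MySQL from anywhere but loopback: answer with a reset instead of a silent drop.
-A INPUT -p tcp --dport 3306 -j REJECT --reject-with tcp-reset
# Log what falls through (rate-limited) before the DROP policy eats it.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Number of INPUT rules that open a port to the outside; compare it with
# the list of services you meant to expose before loading the file.
count_public_accepts() {
    gen_rules | grep -c -- '^-A INPUT .*--state NEW -j ACCEPT'
}

gen_rules > "${1:-/dev/stdout}"
```

Because the INPUT policy is DROP, anything not listed is refused. The loopback ACCEPT at the top is what makes MySQL on 3306 usable for local clients, while the explicit REJECT further down answers outside connection attempts with a TCP reset. FTP data connections are matched by the RELATED rule only when the nf_conntrack_ftp helper is loaded; on CentOS 6 that is IPTABLES_MODULES="nf_conntrack_ftp" in /etc/sysconfig/iptables-config.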
Opening a port on iptables is very easy; I am sure that you have already found out how to do it.
I just wanted to warn you about port 80 and port 22. Be aware of them, they are tricky ports. Also, using mapped ports would be better.
There is nothing wrong with your current configuration. It is not connecting to the server due to missing rules. Adding the rules according to your requirements will solve the issue. I have added the rule for ssh, so you can do it yourself for the rest of the requirements. I added rule no. 1 for logging and no. 4 for ssh in the INPUT chain. Logging will help you to find out which rules you need to add to the chains. After the configuration, you can remove the logging rule. But if you are new to iptables, I suggest you try to install APF or Arno's firewall. That will help you configure the firewall. http://www.rfxn.com/projects/advanced-policy-firewall/ http://rocky.eld.leidenuniv.nl/jooml...d=46&Itemid=77
Code:
# Generated by iptables-save v1.3.5 on Mon Jan 14 02:49:03 2013

http://wiki.centos.org/HowTos/Network/IPTables http://www.thegeekstuff.com/2011/01/...-fundamentals/ http://www.thegeekstuff.com/2011/03/...utbound-rules/ And also, if you are working on a remote server, you can add the following rule in the crontab, so iptables will be restarted every 20 minutes.
Code:
*/20 * * * * /etc/rc.d/init.d/iptables restart

Code:
iptables-save >/tmp/iptables.txt

Code:
iptables-restore < /tmp/iptables.txt
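The cron-restart trick above is one guard against locking yourself out; a more controlled version is to back up the running rules with iptables-save, load the new file with iptables-restore, and let a background timer put the backup back unless you confirm within a grace period. The script below is added here as an example and is not from any poster in the thread. It also refuses to load a file that has no ACCEPT rule for the SSH port in INPUT. The file paths, the 120-second grace period and the pidfile location are assumptions chosen for the example and can be overridden through the environment.

```shell
#!/bin/sh
# Safe-apply helper for a firewall edited over SSH: back up the live rules,
# load the new file, and roll back automatically unless confirmed in time.
# Added example for this thread; the paths, GRACE period and pidfile are
# assumptions and can be overridden through the environment.
set -u

NEW_RULES="${NEW_RULES:-/root/iptables.new}"      # file in iptables-save format
BACKUP="${BACKUP:-/root/iptables.backup}"         # where the live rules are saved
GRACE="${GRACE:-120}"                             # seconds until automatic rollback
SSH_PORT="${SSH_PORT:-22}"
PIDFILE="${PIDFILE:-/var/run/iptables-rollback.pid}"

# validate_ruleset FILE: returns 0 only if FILE is a filter-table dump that
# ends in COMMIT and still has an INPUT rule accepting TCP to the SSH port.
# The port must appear literally in a --dport or --dports list; a range
# such as 20:25 that merely covers it is not recognised.
validate_ruleset() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    grep -q '^\*filter' "$f" || { echo "$f: no *filter table" >&2; return 1; }
    grep -q '^COMMIT' "$f" || { echo "$f: no COMMIT line" >&2; return 1; }
    pat="^-A INPUT .*-p tcp .*--dports? ([0-9:,]*[,:])?${SSH_PORT}([,:][0-9:,]*)? .*-j ACCEPT"
    grep -E -q -- "$pat" "$f" || {
        echo "$f: no INPUT ACCEPT rule for tcp/${SSH_PORT}; refusing to lock you out" >&2
        return 1
    }
    return 0
}

# Load NEW_RULES and arm a rollback timer that restores BACKUP after GRACE
# seconds unless confirm() kills it first.
apply_with_rollback() {
    validate_ruleset "$NEW_RULES" || return 1
    iptables-save > "$BACKUP" || return 1
    ( sleep "$GRACE" && iptables-restore < "$BACKUP" && rm -f "$PIDFILE" ) &
    echo "$!" > "$PIDFILE"
    if ! iptables-restore < "$NEW_RULES"; then
        kill "$(cat "$PIDFILE")" 2>/dev/null; rm -f "$PIDFILE"
        iptables-restore < "$BACKUP"
        return 1
    fi
    echo "new rules loaded; open a fresh SSH session and run '$0 confirm' within ${GRACE}s"
}

# Cancel the pending rollback and make the rules survive a reboot.
confirm() {
    [ -r "$PIDFILE" ] || { echo "no rollback pending" >&2; return 1; }
    kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
    /sbin/service iptables save
}

case "${1:-}" in
    apply)   apply_with_rollback ;;
    confirm) confirm ;;
    check)   validate_ruleset "${2:-$NEW_RULES}" && echo "ruleset looks sane" ;;
    "")      ;;                      # no argument: only define the functions
    *)       echo "usage: $0 check [FILE] | apply | confirm" >&2; exit 2 ;;
esac
```

Run `sh safe-apply.sh check /root/iptables.new` first, then `apply`; once a fresh SSH session still works, run `confirm` to cancel the rollback and persist the rules. The SSH check only guards against the obvious mistake of leaving the port out entirely; the rollback timer is the real safety net.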
So you believe that leaving port 22 open on a server with an internet connection is absolutely fine?? I really don't think so!! :tisk: Also have in mind that the OP is not a "Security Guru"!
Kindly accept my apology if anything is wrong.... Not arguing..... I just want to say my rule will work without any issue. [Just now I tested that without giving the state and rate limit]
Code:
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset

But I like your rule as the 4th rule rather than mine. While writing the rule, I thought only about ssh, not any other service...
Code:
iptables -t filter -I INPUT 4 -m state --state NEW -m tcp -p tcp -m multiport --dports 20:22,80,110,143,993,995,443 -j ACCEPT
OTOH I still would not recommend it as a way to filter access, because it allows access based on a single TCP flag and bypasses conntrack, which you already use. Until you face new-not-SYN and other problems I'd suggest (simplified, re-ordered):
Code:
*filter

Code:
*filter
Cheers, Leo
OK, this is starting to make sense to me. I actually find this easier to follow than the dumbed-down Plesk Firewall GUI.
(Thanks for all of your responses above!) One thing I'm having trouble with though is saving the new script so that it's used each time the server restarts (vital). When I type:
Code:
# /sbin/service iptables save

Code:
iptables: Saving firewall rules to /etc/sysconfig/iptables: /etc/init.d/iptables: line 268: restorecon: command not found

Performing a:
Code:
# locate iptables

Code:
/bin/iptables-xml

So what am I doing wrong?? Note: I don't currently have the iptables service running, as it will lock me out. Also, I am doing this all on a remote server via SSH (if that wasn't already obvious). So any misstep will lock me out and shut down my business for anyone buying my products (which would be very bad). I need to get this new rule-set saved ASAP, as currently, the next time the server restarts I (and everyone else) will be locked out. Any help would be much appreciated.
It seems to me that the installation was not completed successfully.
restorecon is provided by the policycoreutils package. You can try uninstalling and re-installing the policycoreutils package and see if you get the restorecon file under /sbin. Try to run:
Code:
yum install policycoreutils
Thanks again for the responses!
Wow, really? This is a dedicated virtual server from a major web host (GoDaddy). Why would policycoreutils be missing? I just reprovisioned the server with the latest install of CentOS 6.3 too. Running:
Code:
# yum info

I don't get it. Is this command not in some path it needs to be in? Or am I needing to be in a certain directory before issuing the command? Doing a:
Code:
# locate restorecon

So if I have to uninstall and reinstall that, will I need to reboot the server? (doing so will lock me out if the new script isn't saved) I just want to proceed carefully, and make sure I know what I'm doing before uninstalling the policycoreutils
To be honest, I don't know if you need to restart your server after installing the policycoreutils package, although I don't believe that you will need to restart it.
I googled your problem, and every post I found says that installing the policycoreutils package is the solution to your problem. So give it a try and let's hope that everything will work fine. Don't forget to inform us!