I have been trying to set up iptables on my dedicated server, both through Webmin and manually. It doesn't seem to matter which way I choose, when I apply the configuration, all ports (tcp and udp) get blocked. The last time I tried it, they stayed open for a while and then closed. Even before they all get blocked, I cannot reach any of the sites on the virtual servers I have set up.
Any ideas what might cause this?
In case it has any bearing on it, I have a friend running his server as a slave server to mine.
iptables looks like this:
# Generated by iptables-save v1.3.6 on Mon Oct 20 04:52:57 2008
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Oct 20 04:52:57 2008
# Generated by iptables-save v1.3.6 on Mon Oct 20 04:52:57 2008
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Oct 20 04:52:57 2008
# Generated by iptables-save v1.3.6 on Mon Oct 20 04:52:57 2008
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport xx -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Allow connections to webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSL connections to webserver
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to mail server
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Allow connections to FTP server
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
# Allow connections to POP3 server
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# Allow connections to IMAP server
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# Allow connections to Webmin
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
# Allow connections to Usermin
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
# global TS
-A INPUT -p tcp -m tcp -i eth0 --dport 51234 -j ACCEPT
# global TS
-A INPUT -p tcp -m tcp -i eth0 --dport 14534 -j ACCEPT
# global TS
-A INPUT -p udp -m udp -i eth0 --dport 51234 -j ACCEPT
# global TS
-A INPUT -p udp -m udp -i eth0 --dport 14534 -j ACCEPT
# fsd1
-A INPUT -p tcp -m tcp -i eth0 --dport 6809 -j ACCEPT
# fsd2
-A INPUT -p tcp -m tcp -i eth0 --dport 3011 -j ACCEPT
# fsd3
-A INPUT -p tcp -m tcp -i eth0 --dport 3012 -j ACCEPT
# ts3
-A INPUT -p udp -m udp -i eth0 --dport 8767 -j ACCEPT
# bind
-A INPUT -p udp -m udp -s 206.104.21.214 --dport 53 -j ACCEPT
# bind2
-A INPUT -p udp -m udp --dport 953 -j ACCEPT
# bind2
-A INPUT -p tcp -m tcp --dport 953 -j ACCEPT
# bind
-A INPUT -p tcp -m tcp -s 206.104.21.214 --dport 53 -j ACCEPT
COMMIT
# Completed on Mon Oct 20 04:52:57 2008
Good catch, but that happened during copy/paste ops.
That's what I figured, just wanted to make for sure.
So when this is run, you're blocked from everything on every port, I take it? What do you get with the iptables -L output to view the existing and running rules? If you flush with -F, can you then connect? There are no other firewalls preventing connections?
You could also go through the painstaking process of adding each rule individually in order to see when it stops accepting connections to the server.
Before about an hour ago, I was blocked out completely. Jason, at Sector Link, reset my resolver so I can now get in with the IP addy, but none of the domain names resolve unless and until I set the filter chain policy to ACCEPT. As soon as I set it back to DROP, domains go away.
I am logging everything and looking at the logs, but I see nothing unusual in any of them either way the policy is set.
Solved it. If you'll notice, I was restricting udp port 53 to my own IP. Duh!
Heh, I overlooked it. I wasn't focusing on you getting to the server by domain with DNS. But yeah, restricting DNS to the actual servers IP address will block that type of access.
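To make the thread's conclusion checkable, here is an added example (not the poster's or the forum's code) in Python: a small linter for iptables-save output that flags the port-53 rule that caused the outage and the other stateless holes a reviewer would raise in the same ruleset. The embedded ruleset is a constructed excerpt of the one posted above, with the poster's `xx` SSH placeholder kept as-is; treating port 953 as BIND's rndc control channel is an assumption taken from the `# bind2` comments, not something the poster confirmed.

```python
import re
import shlex

# Constructed excerpt of the ruleset posted in the thread.
CONSTRUCTED_RULESET = """\
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport xx -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp -i eth0 --dport 8767 -j ACCEPT
-A INPUT -p udp -m udp -s 206.104.21.214 --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 953 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 953 -j ACCEPT
-A INPUT -p tcp -m tcp -s 206.104.21.214 --dport 53 -j ACCEPT
COMMIT
"""

# Options that take one value; --tcp-flags takes two (mask, comp).
ONE_ARG = {"-p", "-s", "-d", "-i", "-o", "-m", "-j", "--dport", "--sport",
           "--state", "--icmp-type"}


def parse_rules(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save output."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"chain": toks[1], "text": line, "negated": set()}
            i, neg = 2, False
            while i < len(toks):
                opt = toks[i]
                if opt == "!":
                    neg, i = True, i + 1
                    continue
                if opt == "--tcp-flags":
                    rule[opt] = (toks[i + 1], toks[i + 2])
                    i += 3
                elif opt in ONE_ARG:
                    rule[opt] = toks[i + 1]
                    i += 2
                else:
                    i += 1  # flag without a value that we do not model
                if neg:
                    rule["negated"].add(opt)
                neg = False
            rules.append(rule)
    return policies, rules


def lint(text, authoritative_dns=True):
    """Return (code, ...) findings for ACCEPT rules in the INPUT chain."""
    policies, rules = parse_rules(text)
    accepts = [r for r in rules
               if r["chain"] == "INPUT" and r.get("-j") == "ACCEPT"]
    drops_by_default = policies.get("INPUT") == "DROP"
    has_established = any("ESTABLISHED" in r.get("--state", "")
                          for r in accepts)
    findings = []

    def src_limited(r):
        return "-s" in r and "-s" not in r["negated"]

    # The thread's bug: with policy DROP, a port-53 rule carrying -s means
    # every resolver except that one source is dropped, so the zones this
    # server is authoritative for stop resolving for everyone else.
    for proto in ("udp", "tcp"):
        dns = [r for r in accepts
               if r.get("-p") == proto and r.get("--dport") == "53"]
        if (authoritative_dns and drops_by_default
                and not any(not src_limited(r) for r in dns)):
            findings.append(("dns-restricted", proto,
                             sorted(r["-s"] for r in dns if src_limited(r))))

    for r in accepts:
        # --tcp-flags ACK ACK with no port accepts every ACK-bearing segment
        # to any port ahead of the DROP policy (an ACK scan reports every
        # port unfiltered); with a state ESTABLISHED rule it is redundant.
        flags = r.get("--tcp-flags")
        if flags and "ACK" in flags[1].split(",") and "--dport" not in r:
            findings.append(("ack-accept-any-port",
                             "redundant" if has_established else "stateless",
                             r["text"]))
        # Trusting a source port alone lets any host reach the listed
        # destination ports just by sending from that source port.
        if r.get("-p") == "udp" and "--sport" in r and not src_limited(r):
            findings.append(("sport-trust", r["--sport"], r.get("--dport")))
        # Assumption: 953 is rndc; the control channel should not be open
        # to arbitrary sources.
        if r.get("--dport") == "953" and not src_limited(r):
            findings.append(("rndc-open", r.get("-p"), r["text"]))
    return findings


def open_dns(text):
    """Apply the thread's fix: drop -s from the port-53 ACCEPT rules."""
    fixed = []
    for line in text.splitlines():
        if re.search(r" --dport 53(?:\s|$)", line):
            line = re.sub(r" -s \S+", "", line)
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for finding in lint(CONSTRUCTED_RULESET):
        print(finding)
    print("after fix:", lint(open_dns(CONSTRUCTED_RULESET)))
```

Run against the posted rules, `lint` reports `dns-restricted` for both 53/udp and 53/tcp, and `open_dns` produces the two source-less rules that replace them. Setting the INPUT policy to ACCEPT also makes that finding go away, which is exactly what the poster observed. The remaining findings are reasons to keep the DROP policy but tighten the rules: the `--tcp-flags ACK ACK` rule is the pre-conntrack way of admitting return traffic and is covered by the `--state ESTABLISHED` rule two lines later, the `--sport 53` rule admits any UDP datagram aimed at a high port as long as it claims to come from port 53, and the 953 rules expose the control channel to every source rather than to localhost and the secondary.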