Iptables
Posted: 12 May 2007, 17:33
by limpo
Hi,
I am having some problem with flushing the rules that I set with iptables.
I can set rules that all work, but when I do /sbin/iptables -F or /sbin/iptables -F chain, I lose contact with the server. What am I doing wrong?
/limpo
Posted: 12 May 2007, 19:08
by bjorn
could be many things, but I'm guessing that you have a default DROP policy on your chains, hence making it cut the connection when you flush.
if you want better help, you need to share your rules/setup with us.
/Bjorn
Posted: 13 May 2007, 06:43
by limpo
Hi,
this is my current testing iptables:
/sbin/iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 125 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
/sbin/iptables -P INPUT DROP
/Limpo
Posted: 13 May 2007, 08:07
by bjorn
there you have it, you do have a DROP policy on your INPUT chain.
you have some choices, two of them are:
1. make sure to change policy to ACCEPT before flushing (policy isn't affected by flush).
2. have an ACCEPT policy all of the time and do a DROP in your rule-set instead.
Posted: 13 May 2007, 12:28
by limpo
Hi,
Ok, I am not really sure what you mean. Could you please make some short demonstrations of your 2 choices?
But I guess on the first choice you mean:
firewall-flush.sh:
#!/bin/bash
/sbin/iptables -A INPUT ACCEPT
/sbin/iptables -F
/Limpo
Posted: 13 May 2007, 12:55
by bjorn
almost, use: "-P" for policy
/sbin/iptables -P INPUT ACCEPT
then you're good to go
Posted: 14 May 2007, 05:11
by limpo
Thx Bjorn,
Oh sorry, I meant -P; yup, you're right, now it's working.
what rules do you recommend having in iptables?
/Limpo
Posted: 14 May 2007, 06:44
by bjorn
recommendations all depend on how paranoid you are
a good rule is never to allow more than you really need. For example, you could specify IPs/ranges that are allowed to access SSH, IMAP(S). No need to open up for the entire internet.
/Bjorn
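An added example, not a script from limpo or Bjorn, that puts Bjorn's two suggestions from earlier in the thread (reset the policy to ACCEPT before flushing, and keep an ACCEPT policy with an explicit DROP rule at the end of the chain) together with his closing recommendation to restrict SSH and IMAPS to known source addresses. The `IPT` variable (set it to `echo` for a dry run), the `render_rules` helper and the admin range `192.0.2.0/24` (a documentation range used as a placeholder) are assumptions of this example, not anything from the thread.

```shell
#!/bin/bash
# Added example: reload an iptables ruleset without cutting your own session.
#   1. policies are reset to ACCEPT *before* the flush (flush does not touch policies)
#   2. the INPUT policy stays ACCEPT; an explicit "-j DROP" at the end of the
#      chain does the blocking, so a bare "iptables -F" can never lock you out
#   3. management services (SSH, IMAPS) are limited to an admin network
# Set IPT=echo to print the commands instead of applying them (dry run).
set -u

IPT="${IPT:-/sbin/iptables}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # assumed placeholder range; replace with your own

# Open the policies first, then flush. The order is what matters.
safe_flush() {
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F
    "$IPT" -X
}

# Rebuild INPUT: policy remains ACCEPT, last rule is the catch-all DROP.
load_rules() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # management services only from the admin network
    "$IPT" -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
    "$IPT" -A INPUT -p tcp -s "$ADMIN_NET" --dport 993 -j ACCEPT
    # services meant for the whole internet
    for port in 25 80 443; do
        "$IPT" -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    # explicit catch-all instead of "-P INPUT DROP"
    "$IPT" -A INPUT -j DROP
}

# Dry-run helper: prints the exact iptables arguments in the order they would run.
render_rules() {
    ( IPT=echo; safe_flush; load_rules )
}

# Optional safety net for remote work: reopen everything after GRACE seconds
# unless the operator cancels it with "kill %1" once the new session is confirmed.
schedule_revert() {
    local grace="${1:-60}"
    ( sleep "$grace"; safe_flush ) &
}

case "${1:-}" in
    apply)   schedule_revert 60; safe_flush; load_rules ;;
    dry-run) render_rules ;;
    *)       : ;;   # no argument: only define the functions (for sourcing or testing)
esac
```

Run `bash firewall.sh dry-run` to review the generated rules, and `bash firewall.sh apply` as root to load them; because the policies are never DROP, a plain `/sbin/iptables -F` afterwards simply leaves the host open rather than unreachable, which is the trade-off Bjorn's second option makes.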