
Iptables

limpo
Posts: 59
Joined: 24 Mar 2007, 06:50

Iptables

Post by limpo »

Hi,

I am having some problem with flushing the rules that I set with iptables.

I can set rules that all work, but when I do /sbin/iptables -F or /sbin/iptables -F chain, I lose contact with the server. What am I doing wrong?


/limpo
bjorn
Posts: 88
Joined: 03 Jan 2007, 09:02

Post by bjorn »

Could be many things, but I'm guessing that you have a default DROP policy on your chains, hence making it cut the connection when you flush.

If you want better help you need to share your rules/setup with us.

/Bjorn
limpo
Posts: 59
Joined: 24 Mar 2007, 06:50

Post by limpo »

Hi,

this is my current testing iptables:

/sbin/iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT -i lo -j ACCEPT

/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 125 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
/sbin/iptables -P INPUT DROP

/Limpo
bjorn
Posts: 88
Joined: 03 Jan 2007, 09:02

Post by bjorn »

There you have it, you do have a DROP policy on your INPUT chain.

You have some choices, two of them are:

1. Make sure to change the policy to ACCEPT before flushing (the policy isn't affected by a flush).
2. Have an ACCEPT policy all of the time and do a DROP in your rule-set instead.
limpo
Posts: 59
Joined: 24 Mar 2007, 06:50

Post by limpo »

Hi,

Ok, I am not really sure what you mean. Could you please make some short demonstrations of your 2 choices?

But I guess on the first choice you mean:

firewall-flush.sh:
#!/bin/bash
/sbin/iptables -A INPUT ACCEPT
/sbin/iptables -F

/Limpo
bjorn
Posts: 88
Joined: 03 Jan 2007, 09:02

Post by bjorn »

Almost, use "-P" for policy:

/sbin/iptables -P INPUT ACCEPT

Then you're good to go.
limpo
Posts: 59
Joined: 24 Mar 2007, 06:50

Post by limpo »

Thx Bjorn,

Oh sorry, I meant -P. Yup, you're right, now it's working :D

What rules do you recommend having in iptables?

/Limpo
bjorn
Posts: 88
Joined: 03 Jan 2007, 09:02

Post by bjorn »

Recommendations all depend on how paranoid you are :)

A good rule is never to allow more than you really need. For example, you could specify IPs/ranges that are allowed to access SSH and IMAP(S). No need to open up for the entire internet.

/Bjorn
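A reset script that puts together both of Bjorn's choices (set the policies to ACCEPT before flushing, and keep an ACCEPT policy with an explicit DROP as the last rule) plus his recommendation to limit SSH to a management range. This is an added example, not code from the thread; IPT defaults to echoing the commands so the script can be reviewed without root, and the management network 192.168.1.0/24 is an assumed placeholder.

```shell
#!/bin/sh
# Added example: a firewall reset that cannot lock you out of the box.
# IPT defaults to a dry run that only prints the commands; to apply them run:
#   IPT=/sbin/iptables ./firewall-reset.sh load 192.168.1.0/24
IPT="${IPT:-echo /sbin/iptables}"

# Choice 1: policies survive "-F", so set every chain to ACCEPT *before*
# flushing. A DROP policy left in place is what cut the SSH session.
reset_to_accept() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -P "$chain" ACCEPT
    done
    $IPT -F    # flush all rules in the filter table
    $IPT -X    # delete user-defined chains (empty after the flush)
}

# Choice 2: keep the ACCEPT policy and drop explicitly as the last rule.
# Flushing this chain later leaves only the ACCEPT policy, so SSH stays up.
# $1 is the management network allowed to reach SSH (assumed placeholder).
load_rules() {
    admin_net="$1"
    reset_to_accept
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # SSH only from the management range, not from the entire internet
    $IPT -A INPUT -p tcp --dport 22 -s "$admin_net" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 25 -j ACCEPT
    $IPT -A INPUT -j DROP    # explicit drop instead of a DROP policy
}

case "${1:-}" in
    reset) reset_to_accept ;;
    load)  load_rules "${2:-192.168.1.0/24}" ;;
esac
```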