iptables
Sergey Savostin, 2011-09-09 19:12:47

Help setting up iptables

Please don't kick or downvote; I honestly dug through half the Internet before asking this question.
There is a VPS: CentOS under OpenVZ.
There is a simple iptables configuration:

*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT

and iptables-config:
IPTABLES_MODULES=""

Does not work:
> modprobe ip_conntrack
FATAL: Module ip_conntrack not found. 
> modprobe ip_conntrack_ftp
FATAL: Module ip_conntrack_ftp not found. 
> iptables -t filter -A INPUT -j LOG --log-prefix "DROP"
iptables: Unknown error 18446744073709551615
> wget http://ya.ru
Resolving ya.ru... 93.158.134.3, 93.158.134.203, 87.250.251.3, ...
Connecting to ya.ru|93.158.134.3|:80... failed: Connection timed out.
Passive FTP, yum, etc. don't work either.
I.e. it seems that the rule
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
does not work; there are no ip_conntrack and ip_conntrack_ftp modules and they cannot be installed, because of OpenVZ (?). Nor can I see what exactly is being dropped.

The hoster's technical support already hates me fiercely; they advised doing it via TCP flags, but adding
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN -j ACCEPT
does not help.

What else does it need in order to allow RELATED traffic? With :INPUT ACCEPT [0:0] everything works.


4 answers
Vlad Zhivotnev, 2011-09-10
@inkvizitor68sl

Inside OpenVZ you cannot do modprobe. Ask the host to enable the modules you need.

smartlight, 2011-09-09
@smartlight

Do this. View the current rules: iptables -nL
Then use a rule set like this:
IPTABLES=/sbin/iptables
# Keep state.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# http/https, smtp/smtps, pop3/pop3s, imap/imaps, submission, ssh
$IPTABLES -A INPUT -p tcp -m multiport --dports 80,443,25,465,110,995,143,993,587,22 -j ACCEPT
# Loopback device.
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow PING from remote hosts.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

smartlight, 2011-09-09
@smartlight

Show the output of iptables -nL. By the way, there is also tcpdump; it helps a lot when debugging firewall settings.

Sergey Savostin, 2011-09-11
@savostin

In general, it seems I got it working by trial and error:
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
If someone understands this, please tell me what I actually did, what it can threaten, and what else needs to be added.
The complete iptables now looks like this:
> /sbin/iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x10/0x10
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
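The ACK-flag workaround in the post above, and the ESTABLISHED,RELATED rule from the question that it stands in for, as an added example (not code from the thread): a toy stateless evaluator that applies the listed INPUT chain to constructed packets. It assumes the kernel's TCP flag bit values (SYN=0x02, ACK=0x10, so the listing's "flags:0x10/0x10" is mask 0x10, compare 0x10) and also evaluates the `--tcp-flags SYN,ACK SYN` rule the hoster suggested, for contrast.

```python
# Added example, not code from the thread: a stateless evaluator for the
# INPUT chain listed above, showing what "--tcp-flags ACK ACK" lets through
# when conntrack is unavailable (as inside this OpenVZ container).
SYN, ACK = 0x02, 0x10   # kernel TCP flag bits; "flags:0x10/0x10" = mask ACK, compare ACK

# Mirrors the posted chain, in order; every rule here is an ACCEPT rule.
INPUT_RULES = [
    {"iface": "lo"},
    {"proto": "icmp"},
    {"proto": "udp", "sport": 53},
    {"proto": "tcp", "mask": ACK, "comp": ACK},          # --tcp-flags ACK ACK
    {"proto": "tcp", "dport": 22},
    {"proto": "tcp", "dport": 80},
]
# The hoster's suggestion: SYN set and ACK clear, i.e. a NEW inbound connection, not a reply.
SUPPORT_RULE = {"proto": "tcp", "mask": SYN | ACK, "comp": SYN}   # --tcp-flags SYN,ACK SYN

def matches(rule, pkt):
    """A rule matches when every field condition holds and the masked flags compare equal."""
    for key, want in rule.items():
        if key not in ("mask", "comp") and pkt.get(key) != want:
            return False
    return "mask" not in rule or (pkt.get("flags", 0) & rule["mask"]) == rule["comp"]

def verdict(pkt, rules=INPUT_RULES, policy="DROP"):
    """First matching rule wins; otherwise the chain policy (DROP, as in the listing)."""
    return "ACCEPT" if any(matches(r, pkt) for r in rules) else policy

# Constructed sample packets arriving on eth0.
WEB_REPLY = {"iface": "eth0", "proto": "tcp", "sport": 80, "dport": 40123, "flags": SYN | ACK}
NEW_SYN_3306 = {"iface": "eth0", "proto": "tcp", "sport": 51000, "dport": 3306, "flags": SYN}
STRAY_ACK_3306 = {"iface": "eth0", "proto": "tcp", "sport": 51000, "dport": 3306, "flags": ACK}
DNS_REPLY = {"iface": "eth0", "proto": "udp", "sport": 53, "dport": 40124}
UDP_SPORT_53_TO_3306 = {"iface": "eth0", "proto": "udp", "sport": 53, "dport": 3306}

def summary():
    hoster_rules = [SUPPORT_RULE if r.get("mask") else r for r in INPUT_RULES]
    return {
        "web reply, ACK ACK rule": verdict(WEB_REPLY),                   # ACCEPT: why wget works now
        "web reply, SYN,ACK SYN rule": verdict(WEB_REPLY, hoster_rules),  # DROP: why that advice did not help
        "new SYN to 3306": verdict(NEW_SYN_3306),                        # DROP: unpublished ports still refuse new connections
        "stray ACK to 3306": verdict(STRAY_ACK_3306),                    # ACCEPT: the cost; any ACK-bearing segment reaches any port
        "DNS reply": verdict(DNS_REPLY),                                 # ACCEPT
        "any UDP from sport 53": verdict(UDP_SPORT_53_TO_3306),          # ACCEPT: same source-port trust, no state either
    }

if __name__ == "__main__":
    for name, v in summary().items():
        print(f"{name:30s} -> {v}")
```

Only a kernel with connection tracking (ip_conntrack / nf_conntrack, which the host must enable for the container) can replace both the ACK rule and the `--sport 53` rule with a real ESTABLISHED,RELATED match.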
