linux
VolkZubamiSchelk, 2016-03-04 13:55:07

INPUT -j DROP blocks outgoing traffic. What to do?

Through the firewall module, ISPManager 5 lite created rules for incoming traffic: allow port 80 for everyone, prohibit the rest except for 2 IP addresses. And all outgoing traffic from the server was lost.
ifconfig output:

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1132 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4302058 (4.1 MiB)  TX bytes:4302058 (4.1 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:1521500 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1611473 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1226684983 (1.1 GiB)  TX bytes:1397221869 (1.3 GiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:1**.2*.7*.2**  P-t-P:1**.2*.7*.2**  Bcast:1**.2*.7*.2**  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

/etc/sysconfig/iptables:
# Generated by iptables-save v1.4.7 on Thu Mar  3 14:16:17 2016
*mangle
:PREROUTING ACCEPT [1610:216627]
:INPUT ACCEPT [1610:216627]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2034:2105792]
:POSTROUTING ACCEPT [2034:2105792]
COMMIT
# Completed on Thu Mar  3 14:16:17 2016
# Generated by iptables-save v1.4.7 on Thu Mar  3 14:16:17 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:52]
:ispmgr_allow_ip - [0:0]
:ispmgr_allow_sub - [0:0]
:ispmgr_deny_ip - [0:0]
:ispmgr_deny_sub - [0:0]
:ispmgr_limit_req - [0:0]
-A INPUT -j ispmgr_deny_ip 
-A INPUT -j ispmgr_allow_ip 
-A INPUT -j ispmgr_allow_sub 
-A INPUT -j ispmgr_deny_sub 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 35000:35999 -j ACCEPT 
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 20:22,25,80,443,110,53,3306,5432,1500 -j ACCEPT 
-A INPUT -p udp -m conntrack --ctstate NEW -m multiport --dports 53 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 1500 -j ACCEPT 
-A ispmgr_allow_ip -s 8*.2*.1**.1**/32 -j ACCEPT 
-A ispmgr_allow_ip -s 1**.2*.7*.2**/32 -j ACCEPT 
-A ispmgr_allow_ip -s 127.0.0.1/32 -j ACCEPT   
-A ispmgr_allow_ip -s 9*.7*.1**.1**/32 -j ACCEPT 
-A ispmgr_allow_sub -p tcp -m tcp --dport 80 -j ACCEPT 
-A ispmgr_deny_sub -j DROP
COMMIT
#Completed on Thu Mar  3 14:16:17 2016

I added OUTPUT -o 0.0.0.0/0 -j ACCEPT via SSH to iptables above all the other rules; it did not help.
The most interesting thing is that if you comment out the last line before COMMIT (the DROP), outgoing traffic works. But that is the INPUT chain; how can it block outgoing traffic?

3 answers
MamOn, 2016-03-04
@VolkZubamiSchelk

You drop all incoming packets, that is, packets leave your system but the responses from remote hosts are dropped. To fix this, the rule that allows packets from established connections, -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT, must be above the rule -A INPUT -j ispmgr_deny_sub, in whose chain all packets are dropped.
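A small model of how netfilter walks the INPUT chain from the pasted file, added here as an example (not from the thread or from ISPManager); it shows why the position of the conntrack rule relative to the jump into ispmgr_deny_sub decides whether replies to outgoing connections survive. The IP addresses and port numbers in the packets are constructed, and the user chains are reduced to the rules visible above.

```python
# Constructed model of iptables chain traversal: rules match on proto/src/dport/ctstate,
# built-in targets give a verdict, user chains return to the caller when they run out.

def match(rule, pkt):
    for key in ("proto", "src", "dport"):
        if rule.get(key) is not None and pkt.get(key) != rule[key]:
            return False
    states = rule.get("ctstate")  # set of allowed conntrack states, or None
    return states is None or pkt["ctstate"] in states

def walk(chains, name, pkt):
    """Return 'ACCEPT'/'DROP', or None when the chain ends without a verdict (RETURN)."""
    for rule in chains[name]:
        if not match(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP"):
            return target
        verdict = walk(chains, target, pkt)  # jump into a user chain
        if verdict is not None:
            return verdict
    return None

def input_verdict(chains, pkt):
    return walk(chains, "INPUT", pkt) or "ACCEPT"  # INPUT policy is ACCEPT in the file

ISPMGR = {
    "ispmgr_deny_ip": [],
    "ispmgr_allow_ip": [{"src": "127.0.0.1", "target": "ACCEPT"},
                        {"src": "203.0.113.10", "target": "ACCEPT"}],  # placeholder admin IP
    "ispmgr_allow_sub": [{"proto": "tcp", "dport": 80, "target": "ACCEPT"}],
    "ispmgr_deny_sub": [{"target": "DROP"}],
}
CONNTRACK = {"ctstate": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"}
JUMPS = [{"target": c} for c in
         ("ispmgr_deny_ip", "ispmgr_allow_ip", "ispmgr_allow_sub", "ispmgr_deny_sub")]

def broken_chains():
    return {**ISPMGR, "INPUT": JUMPS + [CONNTRACK]}  # order as in the pasted file

def fixed_chains():
    return {**ISPMGR, "INPUT": [CONNTRACK] + JUMPS}  # conntrack rule moved to the top

# Constructed packets: a DNS reply to our own outgoing query, and two fresh inbound connections.
REPLY = {"proto": "udp", "src": "198.51.100.53", "dport": 40000, "ctstate": "ESTABLISHED"}
NEW_WEB = {"proto": "tcp", "src": "198.51.100.7", "dport": 80, "ctstate": "NEW"}
NEW_SSH = {"proto": "tcp", "src": "198.51.100.7", "dport": 22, "ctstate": "NEW"}

if __name__ == "__main__":
    print("reply, original order:", input_verdict(broken_chains(), REPLY))  # DROP
    print("reply, conntrack first:", input_verdict(fixed_chains(), REPLY))  # ACCEPT
```

With the original order the ESTABLISHED reply never reaches the conntrack rule because ispmgr_deny_sub drops it first, which is exactly the "outgoing traffic is lost" symptom; with the conntrack rule first, replies pass while new connections to anything but port 80 (or from the allowed IPs) are still dropped.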

Anton Nagaets, 2016-03-04
@gr1mm3r

-A ispmgr_deny_sub -j DROP

Doesn't it bother you that this chain doesn't define what to drop? Or maybe they didn't show us.

mureevms, 2016-03-04
@mureevms

1. If you know what a console is, write the rules and apply them with the system tools, not through the ISPManager layer.
2. Are you sure /etc/sysconfig/iptables is what ISPManager writes? That is, most likely there are more rules loaded in the system than in the file. Post the output of iptables -L -n. I think ISPManager simply generates rules on the fly without saving them.
