Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
E
E
Evgeny Starkov2020-01-03 17:54:37
Debian
Evgeny Starkov, 2020-01-03 17:54:37

Why is everything blocked after applying IPTABLES rules in Debian 10?

I tried a lot of rules and in the end everything leads to a complete blocking. Only reboot helps, not one port does not work after applying the rules. Based on logic, everything should work as it were, how to be?

Chain example:

#!/bin/bash

# Flush rules and delete custom chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Define chain to allow particular source addresses
iptables -N chain-incoming-ssh
# iptables -A chain-incoming-ssh -s 192.168.1.148 -j ACCEPT
# iptables -A chain-incoming-ssh -s 192.168.1.149 -j ACCEPT
iptables -A chain-incoming-ssh -j DROP

# Define chain to allow particular services
iptables -N chain-outgoing-services
iptables -A chain-outgoing-services -p tcp --dport 53  -j ACCEPT
iptables -A chain-outgoing-services -p udp --dport 53  -j ACCEPT
iptables -A chain-outgoing-services -p tcp --dport 123 -j ACCEPT
iptables -A chain-outgoing-services -p udp --dport 123 -j ACCEPT
iptables -A chain-outgoing-services -p tcp --dport 80  -j ACCEPT
iptables -A chain-outgoing-services -p tcp --dport 443 -j ACCEPT
iptables -A chain-outgoing-services -p tcp --dport 22  -j ACCEPT
iptables -A chain-outgoing-services -p icmp            -j ACCEPT
iptables -A chain-outgoing-services -j DROP

# Define chain to allow established connections
iptables -N chain-states
iptables -A chain-states -p tcp  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A chain-states -p udp  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A chain-states -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A chain-states -j RETURN

# Drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Accept everything on loopback
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept incoming/outgoing packets for established connections
iptables -A INPUT  -j chain-states
iptables -A OUTPUT -j chain-states

# Accept incoming ICMP
iptables -A INPUT -p icmp -j ACCEPT

# Accept incoming SSH
iptables -A INPUT -p tcp --dport 22 -j chain-incoming-ssh

# Accept outgoing 
iptables -A OUTPUT -j chain-outgoing-services

## Drop everything else
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
V
Vladimir, 2021-01-07
@Yumashka

The only port you are trying to open is 22/tcp

# Accept incoming SSH
iptables -A INPUT -p tcp --dport 22 -j chain-incoming-ssh

But there is nothing in the chain-incoming-ssh chain that would allow ssh, there is a DROP stub right there.
Option 1: open immediately and not build complex structures
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Option 2: in the chain-incoming-ssh branch
iptables -N chain-incoming-ssh
iptables -A chain-incoming-ssh -p tcp --dport 22 -j ACCEPT
iptables -A chain-incoming-ssh -j DROP

Similar questions
R
Ruslan2014-08-12 01:04:48
404 Not Found - how to replace with your page? 2Reply
V
Vano01rus2022-03-18 02:33:44
How to set up OpenSSL Debian? 3Reply
A
Anonymous2014-08-14 14:24:24
Postfix has a problem sending to any emails Relay access denied What's wrong with the configuration? 1Reply
A
anton_myaso2016-08-27 20:36:37
What can be a jamb when creating a 1C cluster? 1Reply
C
comper2016-08-29 12:18:11
How to migrate server from LXC container to KVM/Hyper-V/BeraMetall? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question