IP Tables - Why doesn't this work?



I am trying to get to grips with IPTables on CentOS 6.3 and having difficulty in understanding why this doesn't work. Basically this should allow incoming-only connections on Port 22 (SSH) and both incoming and outgoing on Ports 80 and 443.


```
-p INPUT DROP
-p OUTPUT DROP
-p FORWARD DROP

#allow all traffic on loopback adapter
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# allow incoming ssh connections only
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INOUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# port 80/443 - incoming
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

# port 80/443 - outgoing
-A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT

-A INPUT -j DROP
-A OUTPUT -j DROP
```

Feel free to suggest alternatives but please explain things and not just post the solution.

Thanks


"-A INOUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT"

What is INOUT?


"-A INOUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT"

What is INOUT?

A spelling mistake :blush:! Thanks Budman.


Happens - so that should fix your 22 inbound.

# port 80/443 - outgoing

Seems to be missing the 443 stuff.


The problem I had was that I couldn't get out on port 80 from the server i.e. I couldn't browse the web from there using the rules above, so I didn't put the 443 stuff in till I got the 80 stuff working.

I have since been reading articles etc and now have a script that builds the iptables config and it appears to be working as expected, I will post the script later if anyone is interested.

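Since the poster never shared the script, here is an added example of the kind of generator a practitioner would write for the policy the thread describes. It is not the poster's script or anything from the original page. It assumes the public interface is eth0 (override with IFACE=...) and the classic iptables-restore file format of CentOS 6. Three points from the thread are built in: chain policies are set as ":CHAIN POLICY" lines (on the command line that is "iptables -P INPUT DROP" with a capital -P; the lowercase -p in the original post is the protocol match, not the policy flag); a lint step rejects any -A/-I line naming a chain other than INPUT, OUTPUT or FORWARD, which is exactly the INOUT typo Budman spotted; and an outbound DNS rule is included, because with OUTPUT policy DROP and no port 53 rule the server cannot resolve names, so "browsing the web from there" fails even when outbound 80 and 443 are open.

```shell
#!/bin/sh
# Added example, not the original poster's script. Builds an iptables-restore
# ruleset for the policy the thread describes (inbound SSH/HTTP/HTTPS, outbound
# HTTP/HTTPS from the box, everything else dropped), lints it for the kind of
# typo found in the thread (a chain called INOUT), and can load it atomically.
# Assumptions: the public interface is eth0 (override with IFACE=...) and the
# host uses the classic iptables-restore file format (CentOS 6 era).

IFACE="${IFACE:-eth0}"

# Emit the ruleset. In restore format the chain policies are the ":CHAIN POLICY"
# lines; on the command line the equivalent is "iptables -P INPUT DROP" with a
# capital -P (lowercase -p is the protocol match and is rejected there).
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is unrestricted.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Reply traffic for any connection already accepted, in either direction.
# This one pair replaces the per-port --sport/ESTABLISHED rules, so a new
# service only needs its NEW rule below.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound services on the public interface.
-A INPUT -i $IFACE -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $IFACE -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Outbound from the server. DNS comes first: with OUTPUT policy DROP and no
# port 53 rule, name resolution fails and the box cannot browse the web even
# though 80 and 443 are open.
-A OUTPUT -o $IFACE -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Static check before touching the kernel: every -A/-I must name a built-in
# filter chain (catches INOUT), and the file must be bracketed by *filter/COMMIT.
# Returns 0 when clean, 1 otherwise, with the offending line on stderr.
lint_ruleset() {
    printf '%s\n' "$1" | awk '
        /^\*filter$/ { table = 1 }
        /^COMMIT$/   { commit = 1 }
        /^-[AI] / {
            if ($2 != "INPUT" && $2 != "OUTPUT" && $2 != "FORWARD") {
                printf "unknown chain \"%s\": %s\n", $2, $0 > "/dev/stderr"
                bad = 1
            }
        }
        END { exit (bad || !table || !commit) }
    '
}

# Dry-run the ruleset with iptables-restore --test (parse only), then load it
# atomically. Needs root. On CentOS 6, "service iptables save" afterwards
# writes the live rules to /etc/sysconfig/iptables so they survive a reboot.
apply_ruleset() {
    rules="$(ruleset)"
    lint_ruleset "$rules" || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

case "${1:-}" in
    apply) apply_ruleset ;;
    lint)  lint_ruleset "$(ruleset)" && echo "ruleset OK" ;;
    *)     ruleset ;;
esac
```

Run it with no arguments to print the ruleset for review, with "lint" to run only the static check, and with "apply" as root to dry-run and then load it. The single ESTABLISHED,RELATED pair is what lets each service be expressed as one NEW rule: the original post needed a matching --sport/ESTABLISHED rule for every port in the opposite chain, and the INOUT typo was in exactly one of those reply rules.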
