4 replies to this topic

[johnporter29]

I am trying to get to grips with IPTables on CentOS 6.3 and having difficulty in understand why this doesn't work. Basically this should allow incoming only connections on Port 22 (SSH) and both incoming and outgoing on Ports 80 and 443.

-p INPUT DROP
-p OUTPUT DROP
-p FORWARD DROP

#allow all traffic on loopback adapter
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# allow incoming ssh connections only
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INOUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# port 80/443 - incoming
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

# port 80/443 - outgoing
-A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT

-A INPUT -j DROP
-A OUTPUT -j DROP

Feel free to suggest alternatives but please explain things and not just post the solution.

Thanks

[+BudMan]

"-A INOUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT"

What is INOUT?

[johnporter29]

BudMan, on 30 July 2012 - 11:41, said:

"-A INOUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT"

What is INOUT?

A spelling mistake ! Thanks Budman.

[+BudMan]

happens - so that should fix your 22 inbound.

# port 80/443 - outgoing

Seems to be missing the 443 stuff.

[johnporter29]

The problem I had was that I couldn't get out on port 80 from the server i.e. I couldn't browse the web from there using the rules above, so I didn't put the 443 stuff in till I got the 80 stuff working.

I have since been reading articles etc and now have a script that builds the iptables config and it appears to be working as expected, I will post the script later if anyone is interested.