IPTables outbound problem

Support for security such as Firewalls and securing linux
pewa12
Posts: 3
Joined: 2017/10/18 11:07:30

IPTables outbound problem

Post by pewa12 » 2017/10/18 11:14:05

Hi,
I do not get this and humbly ask for help.

I have an application that sends reports to the server on a port range 25025-25050, but my server resets the communication before it starts.

# Generated by iptables-save v1.4.7 on Wed Oct 18 11:03:10 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PETER - [0:0]
# HAWKEYE is jumped to from INPUT below; its declaration and contents are not shown
:HAWKEYE - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 123 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "Allow ssh on eth1" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "Allow ssh on eth0" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j HAWKEYE
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j PETER
-A PETER -p tcp -m state --state NEW -m tcp --dport 25025:25050 -m comment --comment "Report ports" -j ACCEPT
COMMIT
# Completed on Wed Oct 18 11:03:10 2017

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPTables outbound problem

Post by TrevorH » 2017/10/18 11:32:50

Whatever the problem is, it's unlikely to be your iptables. You have a default policy of ACCEPT on the OUTPUT chain and your only rule there jumps to the PETER chain which contains only one rule that allows outbound connections to ports 25025-25050 on the remote server. If it matches that rule then the connection will be allowed and if it doesn't match then it'll return from "PETER" to OUTPUT and will then take the default "ACCEPT" as there are no more rules. So whatever happens, the connection is allowed from your side.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
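To make the chain traversal TrevorH describes concrete, here is an added example (editor's code, not from the original post and not part of iptables): a small Python model of filter-table evaluation that parses the iptables-save text from the first post and reports which rule, or which chain policy, decides the verdict for a few constructed packets. It models only the matches that ruleset actually uses (-p, -i, --state, --dport) and the ACCEPT, DROP, REJECT and user-chain targets. Because the post does not show the HAWKEYE chain, it is assumed here to be empty; the packets, their conntrack states, ports and interface names are likewise constructed for illustration.

```python
import shlex

# Sample input (constructed copy of the iptables-save text from the first post).
# HAWKEYE is jumped to but not shown in the post; assumed here to be an empty chain.
RULESET = """\
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:PETER -
:HAWKEYE -
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 123 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "Allow ssh on eth1" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "Allow ssh on eth0" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j HAWKEYE
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j PETER
-A PETER -p tcp -m state --state NEW -m tcp --dport 25025:25050 -m comment --comment "Report ports" -j ACCEPT
COMMIT
"""

SIMPLE = {"-p": "proto", "-i": "in_iface", "-j": "target", "--reject-with": "reject_with"}

def parse_rule(tokens):
    """Tokens after '-A <chain>' -> match criteria and target (the subset this ruleset uses)."""
    rule = {"target": None, "reject_with": None}
    it = iter(tokens)
    for tok in it:
        if tok in SIMPLE:
            rule[SIMPLE[tok]] = next(it)
        elif tok == "--state":
            rule["states"] = set(next(it).split(","))
        elif tok == "--dport":
            lo, _, hi = next(it).partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif tok in ("-m", "--comment"):
            next(it)  # match-module loader and comment text: no effect on the verdict
        else:
            raise ValueError("unsupported token: " + tok)
    return rule

def parse_ruleset(text):
    """Return ({chain: [rules]}, {chain: policy}) from iptables-save text."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            parts = line[1:].split()
            chains[parts[0]] = []
            policies[parts[0]] = parts[1] if len(parts) > 1 else "-"
        elif line.startswith("-A "):
            _, chain, *rest = shlex.split(line)
            chains[chain].append(parse_rule(rest))
    return chains, policies

def matches(rule, pkt):
    """Every criterion present on the rule must hold for the packet."""
    lo, hi = rule.get("dport", (0, 65535))
    return (rule.get("proto", pkt["proto"]) == pkt["proto"]
            and rule.get("in_iface", pkt.get("in_iface")) == pkt.get("in_iface")
            and pkt["state"] in rule.get("states", {pkt["state"]})
            and lo <= pkt.get("dport", 0) <= hi)

def traverse(chains, chain, pkt):
    """Walk one chain; return (verdict, deciding rule) or None if it falls off the end."""
    for idx, rule in enumerate(chains[chain], 1):
        if not matches(rule, pkt):
            continue
        target, where = rule["target"], "%s rule %d" % (chain, idx)
        if target in ("ACCEPT", "DROP"):
            return target, where
        if target == "REJECT":
            return "REJECT " + (rule["reject_with"] or "icmp-port-unreachable"), where
        # Jump to a user chain: a verdict there ends traversal, otherwise control
        # returns here and the next rule of this chain is tried.
        result = traverse(chains, target, pkt)
        if result:
            return result
    return None

CHAINS, POLICIES = parse_ruleset(RULESET)

def decide(chain, **pkt):
    """Verdict and deciding rule for a packet entering a built-in chain; its policy if none."""
    pkt.setdefault("proto", "tcp")
    return traverse(CHAINS, chain, pkt) or (POLICIES[chain], chain + " policy")

if __name__ == "__main__":
    print("outbound NEW to 25030:      ", decide("OUTPUT", state="NEW", dport=25030))
    print("outbound NEW to 8080:       ", decide("OUTPUT", state="NEW", dport=8080))
    print("reply to our own connection:", decide("INPUT", state="ESTABLISHED", dport=40123, in_iface="eth0"))
    print("unsolicited SYN to 25030:   ", decide("INPUT", state="NEW", dport=25030, in_iface="eth0"))
```

Run as a script, it shows an outbound NEW connection to port 25030 accepted by PETER rule 1, an outbound NEW connection to any other port falling out of PETER and being accepted by the OUTPUT policy, and the reply segments of a connection this host opened being accepted by INPUT rule 1 (the RELATED,ESTABLISHED rule) regardless of port; that is the traversal TrevorH's reply walks through, and it is the conntrack state, not the PETER rule, that keeps an already-open connection flowing. An unsolicited inbound SYN to 25030 ends at the last INPUT rule, a REJECT with icmp-host-prohibited, which answers with an ICMP destination-unreachable message rather than a TCP RST (a RST would require --reject-with tcp-reset), so a RST seen in a capture does not come from these REJECT rules.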

pewa12
Posts: 3
Joined: 2017/10/18 11:07:30

Re: IPTables outbound problem

Post by pewa12 » 2017/10/18 11:37:09

Odd, but when I run without iptables it works.
And if I do a tcpdump on eth0 I see that it is my machine that sends the reset.

pewa12
Posts: 3
Joined: 2017/10/18 11:07:30

Re: IPTables outbound problem

Post by pewa12 » 2017/10/18 13:39:44

How should I modify the rule for ports 25025-25050 to allow persistent connections as well?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPTables outbound problem

Post by TrevorH » 2017/10/18 14:06:29

What are you seeing in tcpdump?
