iptables rules

Issues related to configuring your network
xeontcs
Posts: 2
Joined: 2017/06/09 22:12:41

iptables rules

Post by xeontcs » 2017/06/09 22:21:34

Hi,

I have my VPS running with CentOS 7.

When I check the iptables, this is the output I get.

[root@tz4 ~]# iptables -nv -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   39  2976 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 32 packets, 2648 bytes)
 pkts bytes target     prot opt in     out     source               destination

As far as I can understand, the only port open to the outside is port 22. Also, all ports are open locally.

I'm able to access the website on this VPS via ports 80 and 443. Could someone explain how this is possible with the current iptables rules?

Thank you.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: iptables rules

Post by avij » 2017/06/10 09:02:17

"Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"

This is the default policy. If none of the rules in the INPUT chain match, the default policy will be used, in this case ACCEPT. You would need to change this to DROP or REJECT to accomplish your goal.

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables rules

Post by jlehtone » 2017/06/10 14:21:24

xeontcs wrote: When I check the iptables, this is the output I get.
That is not the default ruleset in CentOS 7.

Who set them up? You are all open.

xeontcs
Posts: 2
Joined: 2017/06/09 22:12:41

Re: iptables rules

Post by xeontcs » 2017/06/11 23:59:00

Thank you!

I thought it only accepted all ports on localhost.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: iptables rules

Post by hunter86_bg » 2017/06/12 08:04:01

Usually you can add a "DROP" rule at the bottom (with the -A switch for append) and everything will be fine.

Edit: Do not forget to create an "at" job (scheduled some time in advance) to restore your iptables rules in case you fail to log in. Once you manage to log in after the firewall changes, you can remove the at job.
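The two pieces of advice in this thread (avij's point that the chain policy decides the fate of every packet no rule matches, and hunter86_bg's bottom rule plus at-job safety net) put together as an added example. This is not code from the thread or from CentOS; it is written for this page and assumes a CentOS 7 box where you are root, iptables is in charge of the filter table (on a stock install firewalld owns it and would fight these rules), the iptables-services package is installed so that "service iptables save" persists the result, and atd is running. The backup path, the 10-minute rollback window and the list of opened ports (22, 80, 443) are arbitrary choices for the example; the sample listing fed to chain_policy is constructed from the first post.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes: root on CentOS 7, the
# iptables-services package (for "service iptables save") and a running atd.
# BACKUP, ROLLBACK_MINUTES and the open-port list below are arbitrary choices.

BACKUP="${BACKUP:-/root/iptables.before-lockdown}"
ROLLBACK_MINUTES="${ROLLBACK_MINUTES:-10}"
SSH_PORT="${SSH_PORT:-22}"

# Print the policy of one chain from 'iptables -nv -L' output read on stdin.
# This is the line avij points at: unmatched packets get the policy's verdict,
# so "policy ACCEPT" with only ACCEPT rules means nothing is blocked at all.
chain_policy() {
    sed -n "s/^Chain $1 (policy \([A-Z]*\) .*/\1/p"
}

# Constructed sample, abridged from the listing in the first post of the thread.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   39  2976 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 32 packets, 2648 bytes)'

# Emit the target ruleset in iptables-restore(8) format. INPUT and FORWARD get
# a DROP policy; the ACCEPT rules then open only what the host actually serves,
# and a final REJECT (hunter86_bg's "rule at the bottom") answers with
# icmp-host-prohibited instead of silently dropping.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Number of TCP ports the ruleset opens to the outside: review this before applying.
count_open_tcp_ports() {
    build_ruleset | grep -c -- '-p tcp --dport'
}

# Safety net from hunter86_bg's post: atd puts the saved rules back unless the
# job is removed, so a mistake in the new rules cannot lock you out for good.
schedule_rollback() {
    echo "iptables-restore < ${BACKUP}" | at now + "${ROLLBACK_MINUTES}" minutes
}

apply_with_rollback() {
    iptables-save > "${BACKUP}"
    schedule_rollback
    build_ruleset | iptables-restore
    echo "Rules applied. Open a NEW ssh session within ${ROLLBACK_MINUTES} minutes;"
    echo "if it works: atq, atrm <jobid>, then 'service iptables save' to persist."
}

# Only act when explicitly asked, so sourcing the file for review is harmless.
if [ "${1:-}" = "apply" ]; then
    apply_with_rollback
fi
```

Run it as "sh lockdown.sh apply" from an existing SSH session, then test with a second, fresh connection: the RELATED,ESTABLISHED rule keeps the session you ran it from alive even when the new ruleset is wrong, so only a new connection proves that port 22 is really still reachable. Keep the rollback window longer than the time you need to notice and fix a lock-out, and remember that atrm must run before the window expires or the old, wide-open rules come back.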
