Hi,
I have my VPS running with CentOS 7.
When I check the iptables, this is the output I get.
[root@tz4 ~]# iptables -nv -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
39 2976 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 32 packets, 2648 bytes)
pkts bytes target prot opt in out source destination
As far as I can understand, the only port open to the outside is port 22. Also, all ports are open locally.
I'm able to access the website on this VPS via ports 80 and 443. Could someone explain how this is possible with these current iptables rules?
Thank you.
iptables rules
Re: iptables rules
"Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"
This is the default policy. If none of the rules in the INPUT chain match, the default policy will be used, in this case ACCEPT. You would need to change this to DROP or REJECT to accomplish your goal.
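To make the fall-through concrete, here is an added example (not code from the thread) that walks a packet through the four INPUT rules the poster showed, rewritten in the `iptables -S` form. The rule list, the interface name eth0 and the packet attributes are constructed for the demonstration. The first matching rule decides; when nothing matches, the chain policy decides, which is exactly why a new connection to port 80 or 443 gets in while the policy is ACCEPT and would not with DROP.

```shell
#!/bin/sh
# Added example (not from the thread): walk a packet through the INPUT chain
# shown above. First matching rule wins; with no match, the chain policy applies.

# The poster's four rules in `iptables -S` form (constructed here, `-m tcp` omitted).
INPUT_RULES='-m state --state RELATED,ESTABLISHED -j ACCEPT
-p icmp -j ACCEPT
-i lo -j ACCEPT
-p tcp -m state --state NEW --dport 22 -j ACCEPT'

# input_verdict POLICY PROTO DPORT IN_IFACE CT_STATE
# prints "TARGET (rule N)" for the first matching rule, else "POLICY (chain policy)"
input_verdict() {
    policy=$1; proto=$2; dport=$3; iface=$4; state=$5
    n=0
    while IFS= read -r rule; do
        n=$((n + 1))
        rp=; rd=; ri=; rs=; target=
        # split the rule into tokens and pick up the matches it carries
        set -- $rule
        while [ $# -gt 0 ]; do
            case $1 in
                -p)      rp=$2;     shift 2 ;;
                --dport) rd=$2;     shift 2 ;;
                -i)      ri=$2;     shift 2 ;;
                --state) rs=$2;     shift 2 ;;
                -j)      target=$2; shift 2 ;;
                *)                  shift   ;;
            esac
        done
        # every match the rule specifies must hold, otherwise try the next rule
        if [ -n "$rp" ] && [ "$rp" != "$proto" ]; then continue; fi
        if [ -n "$rd" ] && [ "$rd" != "$dport" ]; then continue; fi
        if [ -n "$ri" ] && [ "$ri" != "$iface" ]; then continue; fi
        if [ -n "$rs" ]; then
            case ",$rs," in *",$state,"*) ;; *) continue ;; esac
        fi
        printf '%s (rule %d)\n' "$target" "$n"
        return 0
    done <<EOF
$INPUT_RULES
EOF
    # no rule matched: the chain policy is the verdict
    printf '%s (chain policy)\n' "$policy"
}

# A fresh HTTP connection from the Internet: no rule matches, the policy decides.
input_verdict ACCEPT tcp 80 eth0 NEW   # ACCEPT (chain policy)
input_verdict DROP   tcp 80 eth0 NEW   # DROP (chain policy)
# SSH and loopback traffic are accepted by explicit rules regardless of policy.
input_verdict DROP   tcp 22 eth0 NEW   # ACCEPT (rule 4)
input_verdict DROP   tcp 80 lo   NEW   # ACCEPT (rule 3)
```

The same logic is what `iptables -nv -L` cannot show you directly: the per-rule packet counters tell you which rules fired, and everything that reached the policy counter in the chain header ("policy ACCEPT 0 packets" in the poster's output) is traffic no rule claimed.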
Re: iptables rules
xeontcs wrote:
When I check the iptables, this is the output I get.
That is not the default ruleset in CentOS 7.
Who set them up? You are all open.
Re: iptables rules
Thank you!
I thought it only accepts all ports from localhost.
Re: iptables rules
Usually you can add a "DROP" rule at the bottom (with the -A switch, for append) and everything will be fine.
Edit: Do not forget to create an "at" job (some time in advance) to restore your iptables rules in case you fail to log in. Once you manage to log in after the firewall changes, you can remove the at job.
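The two pieces of advice above (append a final DROP, and queue an at job beforehand that puts the old rules back) fit together as one procedure. The following is an added example and not code from the thread: it snapshots the current ruleset with iptables-save, schedules an iptables-restore of that snapshot through at(1), opens the TCP ports you still need with explicit ACCEPT rules, and only then appends the DROP. The snapshot path /root/iptables.pre-lockdown, the 10-minute grace period and the DRY_RUN switch are assumptions of this example; with DRY_RUN=1 it prints the commands instead of running them, so it can be read through on a machine without root.

```shell
#!/bin/sh
# Added example (not from the thread): append a final DROP to INPUT with a
# timed rollback via at(1), so a wrong rule cannot lock you out of SSH.
# DRY_RUN=1 prints the commands instead of executing them. The snapshot
# path and the grace period are assumptions; adjust them to your host.
set -eu

SNAPSHOT=${SNAPSHOT:-/root/iptables.pre-lockdown}
GRACE_MINUTES=${GRACE_MINUTES:-10}
DRY_RUN=${DRY_RUN:-0}

# run COMMAND-STRING: execute it, or just print it in dry-run mode
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else sh -c "$*"; fi
}

# Step 1: snapshot the ruleset that is known to let you in.
snapshot_rules() { run "iptables-save > $SNAPSHOT"; }

# Step 2: queue the restore BEFORE changing anything. If your SSH session
# dies, atd puts the snapshot back after GRACE_MINUTES. `atq` lists the job.
schedule_rollback() {
    run "echo 'iptables-restore < $SNAPSHOT' | at now + $GRACE_MINUTES minutes"
}

# Step 3: open what you rely on, then close the chain. The poster's rules
# already ACCEPT new connections to port 22 ahead of this point; any port
# without its own ACCEPT above the DROP (80/443 for the website) goes dark.
open_tcp_port() { run "iptables -A INPUT -p tcp -m state --state NEW --dport $1 -j ACCEPT"; }
close_input()   { run "iptables -A INPUT -j DROP"; }

# Step 4, after a fresh SSH login works: cancel the rollback (job id from
# atq) and persist the rules (CentOS 7 with the iptables-services package).
cancel_rollback() { run "atrm $1"; }
persist_rules()   { run "service iptables save"; }

# lockdown PORT...: steps 1 to 3 in the safe order
lockdown() {
    snapshot_rules
    schedule_rollback
    for p in "$@"; do open_tcp_port "$p"; done
    close_input
}

# Walkthrough for the poster's host: keep the website reachable, then close.
# After verifying a new login: cancel_rollback <job id>; persist_rules
DRY_RUN=1 lockdown 80 443
```

Two practical notes: at(1) is not part of a minimal CentOS 7 install, so install the `at` package and make sure atd is running before relying on the rollback. And once the DROP rule sits at the end of the chain, any further ACCEPT rules must be inserted above it with `-I` (or a rule number), not appended with `-A`, or they will never be reached.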