Where is my mistake in iptables ?

rozeto
Posts: 4
Joined: 2015/12/29 19:48:27

Where is my mistake in iptables ?

Post by rozeto » 2016/02/02 13:34:36

Hello, guys!
I'm using iptables for my security firewall, but the interesting part is that when I installed webmin on default port 10000, I was able to access the webmin outside, despite my firewall configuration which is configured to DROP by default, and only a few ports are allowed.

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:965
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT tcp -- anywhere anywhere tcp dpt:8009

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: GMT

Re: Where is my mistake in iptables ?

Post by giulix63 » 2016/02/02 14:27:15

rozeto wrote: ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
This looks like a wide open firewall to me...
[!] --state state
Where state is a comma separated list of the connection states to match. Possible states are INVALID meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection, ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error. UNTRACKED meaning that the packet is not tracked at all, which happens if you use the NOTRACK target in raw table.
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

TrevorH
Forum Moderator
Posts: 26572
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Where is my mistake in iptables ?

Post by TrevorH » 2016/02/02 18:26:32

Yes, remove NEW from that line.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke
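An added audit check, not code from this thread or from either poster: it parses an `iptables -L` listing (a constructed copy of the INPUT chain pasted in the question) and flags any ACCEPT rule whose only match is a conntrack state list containing NEW, which is the line both replies point at. It assumes the default `iptables -L` column layout and the legacy `state` match wording shown above.

```python
import re

# Constructed sample: the INPUT chain as pasted in the question.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:965
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_listing(text):
    """Yield (chain, policy, target, proto, match_text, line) per rule."""
    chain = policy = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            chain, policy = m.groups()
            continue
        if not line or line.startswith("target ") or chain is None:
            continue
        m = RULE_RE.match(line)
        if m:
            yield chain, policy, m.group(1), m.group(2), m.group(6), line

def find_open_state_rules(text):
    """Return (chain, policy, rule) for ACCEPT rules whose only match is a
    state list containing NEW (proto 'all', no dpt:/spt:). Such a rule admits
    every new connection, so a DROP policy on that chain never applies."""
    hits = []
    for chain, policy, target, proto, extra, line in parse_listing(text):
        m = re.search(r"\bstate (\S+)", extra)
        if target != "ACCEPT" or m is None:
            continue
        states = set(m.group(1).split(","))
        port_limited = proto != "all" or re.search(r"\b[ds]pt:", extra)
        if "NEW" in states and not port_limited:
            hits.append((chain, policy, line))
    return hits

def without_new(states_csv):
    """Drop NEW from a comma-separated state list, keeping the order."""
    return ",".join(s for s in states_csv.split(",") if s != "NEW")

if __name__ == "__main__":
    for chain, policy, rule in find_open_state_rules(SAMPLE_LISTING):
        print(f"{chain} (policy {policy}): {rule}")
```

Run it against `iptables -L -n` output saved to a file to check a live host; `without_new` gives the state list the rule should carry instead.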
