May have messed up iptables rules

ben_tvpp
Posts: 29
Joined: 2018/12/04 13:28:51

May have messed up iptables rules

Post by ben_tvpp » 2018/12/06 18:20:54

First time I set up rules and used https://www.digitalocean.com/community/ ... n-centos-6 as a template.

I can still ssh in - phew - but yum hangs on 'Loading mirror speeds from cached hostfile' so I figure I may have got them wrong (stopping iptables sorts the problem so I definitely got it wrong). This is the first time I've tried to set up a firewall.

The rules are:
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

In the router there is a forward for port 80 (which I believe yum used). The port on the server is 80 but the external port forward is 8080 (which is why this is added) although my gut tells me this is not needed.

Any idea what I have done wrong (and how to fix it)?

Ben

TrevorH
Forum Moderator
Posts: 25617
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: May have messed up iptables rules

Post by TrevorH » 2018/12/06 22:13:39

Post the output from the iptables-save command run as root.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

ben_tvpp
Posts: 29
Joined: 2018/12/04 13:28:51

Re: May have messed up iptables rules

Post by ben_tvpp » 2018/12/17 15:49:13

Thanks for replying; here it is.

# Generated by iptables-save v1.4.7 on Mon Dec 17 15:47:51 2018
*filter
:INPUT DROP [95415:23860237]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3171:330737]
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Mon Dec 17 15:47:51 2018

TrevorH
Forum Moderator
Posts: 25617
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: May have messed up iptables rules

Post by TrevorH » 2018/12/17 17:22:59

iptables -I INPUT 4 -m state --state RELATED,ESTABLISHED -j ACCEPT

All your other ACCEPT rules should also have -m state --state NEW on them.

ben_tvpp
Posts: 29
Joined: 2018/12/04 13:28:51

Re: May have messed up iptables rules

Post by ben_tvpp » 2019/02/13 18:03:43

Thanks, what does

iptables -I INPUT 4 -m state --state RELATED,ESTABLISHED -j ACCEPT

do?

TrevorH
Forum Moderator
Posts: 25617
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: May have messed up iptables rules

Post by TrevorH » 2019/02/13 19:44:38

It inserts that rule at line 4 instead of -A appending it.

Whoever
Posts: 1062
Joined: 2013/09/06 03:12:10

Re: May have messed up iptables rules

Post by Whoever » 2019/02/14 05:25:27

ben_tvpp wrote:
2019/02/13 18:03:43
Thanks, what does

iptables -I INPUT 4 -m state --state RELATED,ESTABLISHED -j ACCEPT

do?

It allows all incoming packets that are associated with existing (usually outgoing) connections. You were blocking the replies to the query of the mirrorlists.
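An added check, not from any poster in this thread, written in Python: it reads an iptables-save dump like the one posted above, reports whether an INPUT chain with a DROP policy has no ACCEPT for RELATED,ESTABLISHED (the fault that drops yum's mirror-list replies), lists the port ACCEPT rules that lack --state NEW, and derives the insert position (4 for this ruleset) that the suggested iptables -I command uses. The sample dump is a shortened copy of the posted ruleset, embedded so the script runs offline.

```python
"""Lint an iptables-save dump for the fault discussed in this thread: an INPUT
chain whose policy is DROP and which never accepts RELATED,ESTABLISHED packets,
so replies to the host's own outbound connections fall through to the policy."""
import re

# Shortened copy of the ruleset posted in the thread, used as the sample input.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [95415:23860237]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3171:330737]
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def lint_input_chain(dump):
    """Return (policy, has_established_accept, insert_position, rules_missing_state_new)."""
    policy, rules = None, []
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]            # chain default policy, e.g. DROP
        elif line.startswith("-A INPUT "):
            rules.append(line)
    has_established, first_port, missing_new = False, None, []
    for pos, rule in enumerate(rules, start=1):  # 1-based, as iptables -I counts
        if "-j ACCEPT" not in rule:
            continue                              # DROP rules are not the concern here
        m = re.search(r"--state\s+(\S+)", rule)
        states = set(m.group(1).split(",")) if m else set()
        if "ESTABLISHED" in states:
            has_established = True
        elif "--dport" in rule:
            first_port = first_port or pos        # state rule belongs before the first port rule
            if "NEW" not in states:
                missing_new.append(rule)
    return policy, has_established, first_port or len(rules) + 1, missing_new

def suggested_fix(dump):
    """The iptables command from the thread, or None when the dump already accepts replies."""
    policy, has_established, insert_at, _ = lint_input_chain(dump)
    if policy != "DROP" or has_established:
        return None
    return f"iptables -I INPUT {insert_at} -m state --state RELATED,ESTABLISHED -j ACCEPT"
```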
