#1 (original poster; joined Nov 2013, 182 posts)

iptables nightmare

So I'm securing iptables:
Code:
# Typed line by line over an SSH session; no ACCEPT rules are added at any point
iptables -F                  # flush all rules in the filter table
iptables -X                  # delete user-defined chains in the filter table
iptables -t nat -F           # same for the nat table
iptables -t nat -X
iptables -t mangle -F        # same for the mangle table
iptables -t mangle -X
iptables -P INPUT DROP       # default policy DROP with an empty chain: the live SSH session's next packet is dropped here
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
Once I get to INPUT DROP, SSH disconnects, the box basically goes offline, and there's no way to bring it back remotely.

Why is this happening? The guides I have been reading say this shouldn't happen.

#2 dcdan (Markham, Canada; joined May 2009, 458 posts)
Before you do
Code:
iptables -P INPUT DROP
make sure you allow your own IP, as the above basically means "drop everything by default". Example:

Code:
# accept inbound TCP to port 22 first (inserted at the top of INPUT)...
iptables -I INPUT -p tcp --destination-port 22 -j ACCEPT
# ...and only then make DROP the default for everything else
iptables -P INPUT DROP
    Dan
    Check out our premium self-managed SSD VPS

#3 A Goat (joined Nov 2013, 182 posts)

Quote Originally Posted by dcdan:
    Before you do
    Code:
    iptables -P INPUT DROP
    Make sure you allow your own IP as the above basically means "drop everything by default". Example:

    iptables -I INPUT -p tcp --destination-port 22 -j ACCEPT
    iptables -P INPUT DROP
    Oh I see, I'll try that when my host reboots the box into single user mode. Thanks

    This is the second time this happened, wanted to:

#4 dcdan (Markham, Canada; joined May 2009, 458 posts)

Correction: what I posted will "whitelist" all connections to port 22, not just your IP.
    Dan

#5 (India; joined May 2013, 747 posts)

Quote Originally Posted by A Goat:
    Oh I see, I'll try that when my host reboots the box into single user mode. Thanks

    This is the second time this happened, wanted to:
Single user mode is not needed if you didn't save your rules (I guess you couldn't save them, as it would lock you out immediately after you set the default DROP policy without adding a proper whitelist); the lockout can be fixed just by a reboot, which will overwrite your iptables changes. First do a global (or for the necessary IPs) whitelist for the specific ports you want to open; only then set the default chain policy to DROP.
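A lockout-proof version of the reset, as an added example (this is not code from the thread or from any of the posters). It applies the order that dcdan (#2, #4) and #5 describe: whitelist first, limited to one source address rather than all of port 22, and set the DROP policy last. It also keeps the session you are typing in alive via conntrack and arms a rollback timer in case you still get cut off. The admin address 203.0.113.10, port 22, the DRY_RUN switch and the 120-second rollback are assumptions, not values from the thread.

```shell
#!/bin/sh
# Lockout-safe iptables reset (added example; assumed values, change them).
# ADMIN_IP: the address you SSH in from.  SSH_PORT: your sshd port.
# DRY_RUN=1 prints the iptables commands instead of running them.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute one iptables invocation, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# apply_safe_rules: the same reset as the OP's script, reordered so that an
# ACCEPT for the administrator's SSH traffic exists before the policy
# becomes DROP. The OP's sequence flipped the policy first, with an empty
# chain, so the very next packet of the live SSH session was dropped.
apply_safe_rules() {
    [ -n "$ADMIN_IP" ] || { echo "refusing: ADMIN_IP is empty" >&2; return 1; }

    # 1. Open the policies before flushing: if a previous attempt left
    #    INPUT at DROP, flushing first would cut your session right here.
    run -P INPUT ACCEPT
    run -P FORWARD ACCEPT
    run -P OUTPUT ACCEPT
    for t in filter nat mangle; do
        run -t "$t" -F
        run -t "$t" -X
    done

    # 2. Keep the connection you are typing in alive, plus loopback.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. New SSH only from the admin host. A bare "--dport 22 -j ACCEPT"
    #    (post #2 before its correction) would open SSH to everyone.
    run -A INPUT -p tcp -s "$ADMIN_IP" --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # 4. Only now switch the defaults to DROP; INPUT goes last.
    run -P FORWARD DROP
    run -P INPUT DROP
}

# schedule_rollback SECONDS: dead man's switch. If the new rules cut you
# off anyway, INPUT returns to ACCEPT after the delay so a fresh login
# works. Prints the timer's PID; kill it once you have confirmed access.
schedule_rollback() {
    ( sleep "${1:-120}" && run -P INPUT ACCEPT ) >/dev/null 2>&1 &
    echo $!
}

case "${1:-}" in
    apply)
        pid=$(schedule_rollback 120)
        apply_safe_rules
        echo "rollback timer pid $pid: open a NEW ssh session, then kill $pid"
        ;;
esac
```

Run it from the existing session as `ADMIN_IP=<your address> sh safe-iptables.sh apply`, open a second SSH connection to prove the whitelist works, and only then kill the printed rollback PID; `DRY_RUN=1 sh safe-iptables.sh apply` prints the commands without touching the kernel. Nothing here persists the rules, so, as #5 notes, a reboot still clears them.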

#6 (joined Feb 2011, 129 posts)
    As an alternative you can use CSF --> http://configserver.com/cp/csf.html

    It's (among other things) an excellent iptables GUI
