  1. #1

    Firewall - Iptables issue

    I tried to configure a basic firewall on my VPS using Iptables, and I need your help.
    I followed different tutorials concerning iptables and basic firewall rules, but whatever I put, it blocks the entire server.
    For example, if I put this:
    iptables -P FORWARD DROP
    iptables -P INPUT DROP
    iptables -A INPUT --protocol tcp --destination-port 22 -j ACCEPT
    iptables -A INPUT --protocol tcp --destination-port 80 -j ACCEPT
    only the first two rules work, the rest is ignored. Of course this is only an example; I tried many different variations and blocking everything is the only result.
    I started investigating the problem, and I found that "lsmod" gives nothing, "modprobe modulename" gives nothing more than an error, and the /lib/modules/ directory is completely empty. So if there are no modules, this is probably why the rules I apply don't work, isn't it?
    I have Iptables 1.3.5 and CentOS 5.3 (updated with yum to 5.4).
    What should I do? Why is the /lib/modules/ directory empty? Is it possible to somehow download these modules? I heard something about the kernel and recompiling it, but I'm just a beginner and it sounds a bit crazy for now.

    Thanks for your attention!

  2. #2
    If the required iptables modules are missing from the kernel, the rules won't work and you will DROP all connections to your server, locking yourself out. You need to recompile the kernel with the required modules in order for the rules to work. If you are not sure how to compile a kernel, you should get help from a System Administrator.

    However, do you receive any error message when executing the iptables rules manually (rules other than the DROP ones)? If you don't, the rules should work unless there is something wrong in them.

    Could you paste the exact rules you are using and the error message if any?

  3. #3
    I will be able to paste it later (3-4 hours), but now I can add that I put the rules into an rc.firewall file and execute it manually with /etc/rc.d/rc.firewall. Firstly I tried to enter the rules directly in /sysconfig/iptables, but after restarting the service my changes were lost. Then I found at least three tutorials with a sample rc.firewall file, so I didn't invest my time in the first option and just focused on creating and configuring this file.
    Answering your question: there were no errors. Thanks.

  5. #5
    hi,

    If you want to add any port in iptables then you can do this:

    iptables -A INPUT -p tcp -s 0/0 --sport 1024:8080 -d 000.000.000.000

  6. #6
    Quote Originally Posted by zeber:
    I will be able to paste it later (3-4 hours), but now I can add that I put the rules into an rc.firewall file and execute it manually with /etc/rc.d/rc.firewall. Firstly I tried to enter the rules directly in /sysconfig/iptables, but after restarting the service my changes were lost. Then I found at least three tutorials with a sample rc.firewall file, so I didn't invest my time in the first option and just focused on creating and configuring this file.
    Answering your question: there were no errors. Thanks.
    Yes, that is the right method to implement new iptables rules. Put them in a file and execute the file. If you directly add the rules in /sysconfig/iptables, you need to save them before restarting iptables, like:

    service iptables save
    service iptables restart

    Anyways, nice to hear that everything is sorted.

  7. #7
    I'm still trying to sort this out...
    What I want to do now is to block incoming packets and open just a few main ports. As I said, I've tried many different combinations, and below is the last one:

    #!/bin/bash
    # Path to the iptables binary, used for every rule below
    iptables=/sbin/iptables
    # Default policies: drop everything inbound and forwarded, allow outbound
    $iptables -P INPUT DROP
    $iptables -P FORWARD DROP
    $iptables -P OUTPUT ACCEPT
    # Open the services I need: HTTP, HTTPS, SSH and MySQL
    $iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
    $iptables -A INPUT -p tcp --destination-port 443 -j ACCEPT
    $iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
    $iptables -A INPUT -p tcp --destination-port 3306 -j ACCEPT

  8. #8
    Hello,

    If you want to open or block any port you can try these commands:

    iptables -A INPUT -p tcp --dport <port no> -j ACCEPT
    iptables -A INPUT -p udp --dport <port no> -j ACCEPT
    iptables -A INPUT -p tcp --dport <port no> -j DROP
    iptables -A INPUT -p udp --dport <port no> -j DROP
    service iptables save
    service iptables restart

    try this command....

  9. #9
    Here's an idea.

    For troubleshooting purposes, leave your policies set to accept and add these as your last rules:
    Code:
    iptables -A INPUT -j LOG
    iptables -A FORWARD -j LOG
    iptables -A OUTPUT -j LOG

    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -j DROP
    Then go and look at your /var/log/messages file to see what was logged and dropped. Then review your rules again.

    Or if you're happy, skip the log lines and just let the default DROPs at the end handle everything you haven't specifically ACCEPTed in a prior rule.

  10. #10
    Unfortunately nothing from the above helped.
    But I found this: vpsinfo.nixhost.net/firewall.vps and it works great! I'm going to configure the script for my services.
    Anyway, thanks a lot for your help!

  11. #11
    First, ask your VPS host to load in all the firewall modules.

    If not, nothing will work.

    Once they have loaded all the required modules, you can start configuring iptables to your liking.

    Open just the needed ports.

    If you could say exactly what ports you want opened, I could help you.

    Also make sure that you set the interface correctly. Depending on the VPS, it may or may not be eth0. It can be other interfaces also.

    Run ifconfig -a and note down your interface names.

    If you want me to help, I will be happy to set it up for you.

    Make sure you ask your host to load in these modules:

    ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp
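Pulling together the script in #7, the log-then-drop idea in #9 and the module concern in #11, here is an added example (not posted by anyone in this thread) of an rc.firewall-style script that keeps the policies open while the chain is rebuilt, allows replies to the server's own connections, logs before dropping, and refuses to flip INPUT to DROP unless the kernel really provides the state/limit/LOG modules. It assumes the iptables binary at /sbin/iptables and takes the TCP ports to open as arguments; the probe chain name fwprobe is made up for the check.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the rule set as text first
# (review it, then pipe to sh) and flips the INPUT policy to DROP only
# as the last step, after the state rule that keeps replies flowing.
IPT=${IPT:-/sbin/iptables}   # assumed path; override with IPT=... in the env

# Print one iptables command per line for the TCP ports given as arguments.
gen_rules() {
    # 1. Open policies and flush while rebuilding, so a half-built chain
    #    never locks out the SSH session doing the work.
    echo "$IPT -P INPUT ACCEPT"
    echo "$IPT -P FORWARD ACCEPT"
    echo "$IPT -F"
    echo "$IPT -X"
    # 2. Loopback, plus replies to connections the server opened itself
    #    (needs ipt_state/ip_conntrack; without it DNS and yum break once
    #    the policy is DROP, even though the port 22 and 80 rules look fine).
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -m state --state INVALID -j DROP"
    # 3. Explicitly allowed services, new connections only.
    for port in "$@"; do
        echo "$IPT -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # 4. Log what is about to be dropped (rate-limited so /var/log/messages
    #    stays readable), then close the door.
    echo "$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP: \""
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT ACCEPT"
}

# Return 0 only if the kernel really provides the state/limit/LOG modules.
# lsmod is empty on many VPSes, so probe by adding rules to a throwaway
# chain (unreferenced, so it affects no traffic) and removing it again.
modules_ok() {
    "$IPT" -N fwprobe 2>/dev/null || "$IPT" -F fwprobe || return 1
    ok=1
    "$IPT" -A fwprobe -m state --state ESTABLISHED -j ACCEPT 2>/dev/null || ok=0
    "$IPT" -A fwprobe -m limit --limit 1/min -j LOG 2>/dev/null || ok=0
    "$IPT" -F fwprobe 2>/dev/null; "$IPT" -X fwprobe 2>/dev/null
    [ "$ok" -eq 1 ]
}

# Refuse to apply a DROP policy on a kernel that cannot enforce the rules.
apply_rules() {
    modules_ok || { echo "required iptables modules missing, not applying" >&2; return 1; }
    gen_rules "$@" | sh -e
}
```

Run `gen_rules 22 80 443` first to read the generated commands; `apply_rules 22 80 443` as root applies them only after the probe succeeds, and a failed probe is the point at which to ask the host for the modules listed above.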
