
I want to allow people to connect to ports 22, 80, and 443. Also I want to be able to do DNS lookups from my server.

Here's what I'm trying:

iptables -A INPUT -m tcp -p tcp --dport 1 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 1 -j ACCEPT

iptables -A INPUT -m tcp -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 53 -j ACCEPT

iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 80 -j ACCEPT

iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 443 -j ACCEPT

iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 22 -j ACCEPT

iptables -A INPUT -m tcp -p tcp -j REJECT
iptables -A INPUT -m udp -p udp -j REJECT

iptables -A OUTPUT -m tcp -p tcp -j ACCEPT
iptables -A OUTPUT -m udp -p udp -j ACCEPT

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:tcpmux
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp
ACCEPT     udp  --  anywhere             anywhere             udp

If I omit these lines:

iptables -A INPUT -m tcp -p tcp -j REJECT
iptables -A INPUT -m udp -p udp -j REJECT

I can ping out, but then I'm not closing all ports by default, which is the goal. Why is an INPUT rule affecting my ability to do hostname lookups (e.g. "ping google.com" from my server)?

2 Answers

You need to allow related traffic back in again (i.e: the replies to your outgoing DNS traffic). Also, you may want to use a default drop rather than a specific deny-all rule to save some space.

iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -P INPUT DROP

Your OUTPUT chain rules aren't needed as the chain has a default ACCEPT on it currently, and the port 53 rules aren't needed because you aren't hosting a DNS server, merely using one, so the traffic leaves via the OUTPUT chain, not the INPUT one.

  • Figured as much with not needing 53, was just at a loss. Thanks, this setup is working, bonus points for the 1-line syntax sugar
    – JoshRibs
    Commented Aug 7, 2014 at 22:53

As explained here, you should allow incoming traffic for ESTABLISHED/RELATED connections, so simply add the following rule at the beginning:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
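Both answers come down to the same design: accept conntrack replies first, accept the listening ports, and let everything else hit a DROP policy. The script below is an added example, not code from either answer or from the asker, that assembles that design into an iptables-restore file so it can be reviewed and syntax-checked before it is committed. It uses `-m conntrack --ctstate`, the current form of the `-m state` match, adds the loopback and rate-limited ICMP rules a host with a DROP policy normally needs, and refuses to build a ruleset that would lock out the SSH session it is being run over. The port list (22, 80, 443) and the SSH port are assumptions taken from the question.

```shell
#!/bin/sh
# Added example (not code from either answer): build the accepted answer's
# ruleset as an iptables-restore file so it can be reviewed and syntax-checked
# before it is committed. Port values are assumptions taken from the question.

SERVICE_PORTS="22,80,443"   # TCP services offered to the world (assumed)
SSH_PORT=22                 # port the operator's own session arrives on (assumed)

# Return 0 if PORT appears in the comma-separated LIST, 1 otherwise.
port_allowed() {
    port="$1"; list="$2"
    case ",${list}," in
        *",${port},"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the ruleset. Order matters: the conntrack rule comes first so replies
# to traffic this host started (DNS answers, ping replies) are accepted before
# anything else is evaluated; then loopback; then the inbound services. Anything
# that matches nothing falls through to the chain's DROP policy.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host initiated (covers outbound DNS and ping).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Local services talking to each other over the loopback interface.
-A INPUT -i lo -j ACCEPT
# Inbound services. TCP only: none of 22, 80, 443 is offered over UDP here.
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports ${SERVICE_PORTS} -j ACCEPT
# Let others ping this host, rate-limited so it cannot be used to flood.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
COMMIT
EOF
}

main() {
    # A DROP policy with no rule for the SSH port would lock the operator out.
    if ! port_allowed "$SSH_PORT" "$SERVICE_PORTS"; then
        echo "refusing to build a ruleset that excludes SSH port $SSH_PORT" >&2
        return 1
    fi
    gen_ruleset
    # To load it (root required; not done here):
    #   gen_ruleset > /tmp/rules.v4
    #   iptables-restore -t < /tmp/rules.v4   # parse only, commit nothing
    #   iptables-restore < /tmp/rules.v4      # commit once the test run passes
}

main
```

The `iptables-restore -t` step parses the whole file without touching the running ruleset, so a typo in a rule is caught before the DROP policy is in place. Loading the file atomically also avoids the window the original `-A` sequence has, where the REJECT rules are active before anything that follows them has been appended.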
