I want to allow people to connect to ports 22, 80, and 443. Also I want to be able to do DNS lookups from my server.
Here's what I'm trying:
iptables -A INPUT -m tcp -p tcp --dport 1 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 1 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 80 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 443 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 22 -j ACCEPT
iptables -A INPUT -m tcp -p tcp -j REJECT
iptables -A INPUT -m udp -p udp -j REJECT
iptables -A OUTPUT -m tcp -p tcp -j ACCEPT
iptables -A OUTPUT -m udp -p udp -j ACCEPT
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:tcpmux
ACCEPT udp -- anywhere anywhere udp dpt:1
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
REJECT tcp -- anywhere anywhere tcp reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp
ACCEPT udp -- anywhere anywhere udp
If I omit these lines:
iptables -A INPUT -m tcp -p tcp -j REJECT
iptables -A INPUT -m udp -p udp -j REJECT
I can ping out, but then I'm not closing all ports by default, which is the goal. Why is an INPUT rule affecting my ability to do hostname lookups (e.g. "ping google.com" from my server)?
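Added example (not part of the question above): a small Python model of first-match chain evaluation that reproduces what the posted INPUT chain does to a DNS lookup. The resolver sends its UDP query from an ephemeral source port, and the answer comes back with dport set to that ephemeral port, not 53, so it hits the catch-all `udp REJECT` on INPUT. The model also shows the effect of putting a connection-tracking rule in front of the same chain. Addresses, ports and the `Packet`/`Conntrack`/`evaluate` helpers are constructed for this illustration and are not iptables code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

# Rule shape: (proto or None, dport or None, ctstate or None, target).
# None means "any"; the first matching rule decides, like an iptables chain.
STATELESS_INPUT = [
    ("tcp", 22, None, "ACCEPT"),
    ("tcp", 53, None, "ACCEPT"),
    ("udp", 53, None, "ACCEPT"),
    ("tcp", 80, None, "ACCEPT"),
    ("tcp", 443, None, "ACCEPT"),
    ("tcp", None, None, "REJECT"),   # catch-all, as in the question
    ("udp", None, None, "REJECT"),
]

# Same chain with a conntrack rule placed first: equivalent to
#   iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
STATEFUL_INPUT = [(None, None, "ESTABLISHED", "ACCEPT")] + STATELESS_INPUT


class Conntrack:
    """Remembers flows the host itself started (what OUTPUT let through)."""

    def __init__(self):
        self.flows = set()

    def record_outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt):
        # An incoming packet is a reply if it mirrors a recorded outbound flow.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ESTABLISHED"
        return "NEW"


def evaluate(chain, pkt, ct, policy="ACCEPT"):
    """Walk the chain top to bottom; return the first matching target."""
    st = ct.state(pkt)
    for proto, dport, ctstate, target in chain:
        if proto is not None and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if ctstate is not None and ctstate != st:
            continue
        return target
    return policy  # chain policy (ACCEPT in the posted listing)


HOST, RESOLVER = "192.0.2.10", "192.0.2.53"   # constructed RFC 5737 addresses


def dns_lookup(chain):
    """What happens to the DNS answer when 'ping google.com' resolves a name."""
    ct = Conntrack()
    query = Packet("udp", HOST, 40123, RESOLVER, 53)  # ephemeral sport, dport 53
    ct.record_outbound(query)                          # OUTPUT accepts all udp
    reply = Packet("udp", RESOLVER, 53, HOST, 40123)   # dport is 40123, not 53
    return evaluate(chain, reply, ct)


def inbound_new(chain, proto, dport):
    """Verdict for an unsolicited inbound connection attempt to dport."""
    return evaluate(chain, Packet(proto, "198.51.100.7", 51000, HOST, dport), Conntrack())


if __name__ == "__main__":
    print("DNS reply, stateless chain:", dns_lookup(STATELESS_INPUT))   # REJECT
    print("DNS reply, stateful chain: ", dns_lookup(STATEFUL_INPUT))    # ACCEPT
    print("new tcp/22 inbound:        ", inbound_new(STATEFUL_INPUT, "tcp", 22))   # ACCEPT
    print("new tcp/25 inbound:        ", inbound_new(STATEFUL_INPUT, "tcp", 25))   # REJECT
```

Only the reply packet's verdict changes between the two chains; an unsolicited connection to a port that is not opened is still rejected, so the stateful rule keeps the "closed by default" goal while letting answers to the host's own outbound traffic back in. Two side observations about the posted ruleset: SSH, HTTP and HTTPS are TCP services, so the `udp --dport 22/80/443` rules open ports without serving the stated goal, and an inbound `--dport 53` rule is only needed if this machine answers DNS queries for other hosts; outbound lookups do not require it.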