[colug-432] iptables

Rick Hornsby richardjhornsby at gmail.com
Wed May 13 16:20:01 EDT 2015


> On May 13, 2015, at 15:02, Steve VanSlyck <s.vanslyck at postpro.net> wrote:
> 
> I cannot figure out why yum is being blocked. I understood it required only ports 80 and 443. The below is from my script:
...
> read -p "Allow http traffic?"
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>  
> read -p "Allow https traffic?"
> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Looks like your INPUT and OUTPUT are backwards.

You need to allow OUTBOUND traffic to ports 80 and/or 443 to access remote yum repositories.  But you are also using a paranoid DROP policy on your output chain.

Something else I noticed -

> iptables -A OUTPUT -o ppp0 -j ACCEPT


It looks like you're only allowing all outbound traffic on the interface ppp0, which is not normally what I'd expect to see unless you're using some kind of dialup or VPN *outbound* to provide the host connectivity.  Usually if an interface is being specified, I'd expect to see eth0, or in the case of CentOS 7 something along the lines of enp0s3.  Either changing this, or fixing the two rules that you highlighted will probably do the trick.


One other note - at least for testing purposes you might want to use REJECT instead of DROP.  When you use DROP the firewall does exactly what the word implies - it silently drops the packets to the floor and the application has no idea anything is wrong.  It is forced to time out waiting for a response that will never come.  With REJECT iptables sends an ICMP response immediately. That should help speed up your development and troubleshooting greatly.

http://ipset.netfilter.org/iptables.man.html


> 
> read -p "Flush all current rules?"
> iptables -F
>  
> read -p "Accept connections to the loopback interface (localhost)?"
> iptables -A INPUT -i lo -j ACCEPT
>  
> read -p "Accept connections from the loopback interface (localhost)?"
> iptables -A OUTPUT -o lo -j ACCEPT
>  
> read -p "Allow outgoing connections?"
> iptables -A OUTPUT -o ppp0 -j ACCEPT
>  
> read -p "Drop all pings?"
> iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
>  
> read -p "Accept requested inbound traffic?"
> iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>  
> read -p "Accept new and established ssh from specified IP?"
> iptables -A INPUT -p tcp -s 107.132.57.128 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>  
> read -p "Allow established ssh to specified IP?"
> iptables -A OUTPUT -p tcp -d 107.132.57.128 --sport 22 -m state --state ESTABLISHED -j ACCEPT
>  
> read -p "Drop all other ssh attempts?"
> iptables -A INPUT -p tcp --dport ssh -j DROP
>  
> read -p "Allow http traffic?"
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>  
> read -p "Allow https traffic?"
> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>  
> read -p "Set policy: Drop forwarding connections?"
> iptables -P FORWARD DROP
>  
> read -p "Set policy: Drop other incoming connections?"
> iptables -P INPUT DROP
>  
> read -p "Set policy: Drop outgoing connections?"
> iptables -P OUTPUT DROP

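Below, as an added example that is not part of Rick's or Steve's message, is the quoted script reordered the way the reply suggests: stateful ESTABLISHED,RELATED on both chains, NEW outbound to 80 and 443 (plus DNS, which yum also needs to resolve repository hostnames; that rule is my addition), ssh limited to the quoted admin address, and REJECT rather than DROP while testing. The interface name eth0, the IPT dry-run switch and the WAN_IF/ADMIN_IP variables are my assumptions, not something from the original script.

```shell
#!/bin/sh
# Corrected ordering of the quoted script: yum needs *outbound* TCP 80/443,
# and with a DROP policy on OUTPUT the replies must be let back in statefully.
# IPT defaults to the real iptables binary; IPT=echo prints the rules instead
# of loading them (dry-run convention assumed here, not from the original).
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                # interface that actually carries traffic
ADMIN_IP="${ADMIN_IP:-107.132.57.128}"  # ssh source address from the original post

apply_rules() {
    $IPT -F

    # loopback in both directions
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # replies to connections we initiated, and packets of flows already
    # accepted, are allowed on both chains
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # yum: NEW outbound connections to the web ports on the uplink,
    # plus DNS so repository hostnames can be resolved
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 443 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # inbound ssh only from the admin host; anything else to 22 gets a reset
    $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$ADMIN_IP" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset

    # while testing, REJECT answers immediately instead of letting clients time out
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
    $IPT -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
}

# Self-check for a dry run: number of rules letting NEW outbound web traffic out.
count_yum_rules() {
    ( IPT=echo; apply_rules ) | grep -cE -- '-A OUTPUT .*--dport (80|443) .*NEW'
}

case "${1:-}" in
    apply)   apply_rules ;;               # needs root
    dry-run) ( IPT=echo; apply_rules ) ;;  # print the rules only
esac
```

Run `sh rules.sh dry-run` to inspect the generated ruleset before loading it with `sh rules.sh apply`.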