[colug-432] iptables

Steve VanSlyck s.vanslyck at postpro.net
Wed May 13 16:34:30 EDT 2015


Yes, I am aware of the paranoid drop chain but I'm not yet knowledgeable enough to repair it properly. This particular policy will only be in place while the script is running, but I am aware that I still need to learn a lot more.

On the upside, Rick, if I continue down this path it won't be long before I change from being a "question king" to a question answerer.

I am very much aware that Linux must, essentially, be self taught. I'm grateful for this group.

On May 13, 2015 4:20:01 PM EDT, Rick Hornsby <richardjhornsby at gmail.com> wrote:
>
>> On May 13, 2015, at 15:02, Steve VanSlyck <s.vanslyck at postpro.net> wrote:
>> 
>> I cannot figure out why yum is being blocked. I understood it required only ports 80 and 443. The below is from my script:
>...
>> read -p "Allow http traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>>  
>> read -p "Allow https traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>
>Looks like your INPUT and OUTPUT are backwards.
>
>You need to allow OUTBOUND traffic to ports 80 and/or 443 to access
>remote yum repositories.  But you are also using a paranoid DROP policy
>on your output chain.
>
>Something else I noticed -
>
>> iptables -A OUTPUT -o ppp0 -j ACCEPT
>
>
>It looks like you're only allowing all outbound traffic on the
>interface ppp0, which is not normally what I'd expect to see unless
>you're using some kind of dialup or VPN *outbound* to provide the host
>connectivity.  Usually if an interface is being specified, I'd expect
>to see eth0, or in the case of CentOS 7 something along the lines of
>enp0s3.  Either changing this, or fixing the two rules that you
>highlighted will probably do the trick.
>
>
>One other note - at least for testing purposes you might want to use
>REJECT instead of DROP.  When you use DROP the firewall does exactly
>what the word implies - it silently drops the packets to the floor and
>the application has no idea anything is wrong.  It is forced to time
>out waiting for a response that will never come.  With REJECT iptables
>sends an ICMP response immediately. That should help speed up your
>development and troubleshooting greatly.
>
>http://ipset.netfilter.org/iptables.man.html
>
>
>> 
>> read -p "Flush all current rules?"
>> iptables -F
>>  
>> read -p "Accept connections to the loopback interface (localhost)?"
>> iptables -A INPUT -i lo -j ACCEPT
>>  
>> read -p "Accept connections from the loopback interface (localhost)?"
>> iptables -A OUTPUT -o lo -j ACCEPT
>>  
>> read -p "Allow outgoing connections?"
>> iptables -A OUTPUT -o ppp0 -j ACCEPT
>>  
>> read -p "Drop all pings?"
>> iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
>>  
>> read -p "Accept requested inbound traffic?"
>> iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>  
>> read -p "Accept new and established ssh from specified IP?"
>> iptables -A INPUT -p tcp -s 107.132.57.128 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>>  
>> read -p "Allow established ssh to specified IP?"
>> iptables -A OUTPUT -p tcp -d 107.132.57.128 --sport 22 -m state --state ESTABLISHED -j ACCEPT
>>  
>> read -p "Drop all other ssh attempts?"
>> iptables -A INPUT -p tcp --dport ssh -j DROP
>>  
>> read -p "Allow http traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>>  
>> read -p "Allow https traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>>  
>> read -p "Set policy: Drop forwarding connections?"
>> iptables -P FORWARD DROP
>>  
>> read -p "Set policy: Drop other incoming connections?"
>> iptables -P INPUT DROP
>>  
>> read -p "Set policy: Drop outgoing connections?"
>> iptables -P OUTPUT DROP
>> _______________________________________________
>> colug-432 mailing list
>> colug-432 at colug.net
>> http://lists.colug.net/mailman/listinfo/colug-432
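A reworked version of the quoted script that applies Rick's points (outbound 80/443 for yum, stateful accept of the replies, REJECT while testing), added here as an example and not code from either poster. It assumes eth0 as the uplink (the thread's script used ppp0), reuses the admin address from the thread, and adds an outbound DNS rule the thread does not mention but yum needs to resolve repository hostnames; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Stateful host firewall for a box that must reach remote yum repositories.
# IFACE and SSH_ADMIN are assumptions; DRY_RUN=1 (default) only prints rules.
IFACE="${IFACE:-eth0}"                    # assumed uplink; thread used ppp0
SSH_ADMIN="${SSH_ADMIN:-107.132.57.128}"  # admin host quoted in the thread
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

fw_rules() {
    ipt -F
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to connections this host opened come back in on INPUT,
    # so the stateful rule is what lets yum's responses through.
    ipt -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # yum opens *outbound* connections to 80/443; the original put these on INPUT.
    ipt -A OUTPUT -o "$IFACE" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p tcp --dport 443 -m state --state NEW -j ACCEPT
    # Outbound DNS so repository hostnames resolve (not discussed in the thread).
    ipt -A OUTPUT -o "$IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT
    # New ssh sessions only from the admin host; its replies match ESTABLISHED above.
    ipt -A INPUT -i "$IFACE" -p tcp -s "$SSH_ADMIN" --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
    # While testing, REJECT gives the application an immediate error instead of
    # a timeout; swap these for DROP once the rule set is settled.
    ipt -A INPUT -j REJECT
    ipt -A OUTPUT -j REJECT
    # Default policies remain DROP as a safety net if the catch-alls are removed.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

fw_rules
```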