[colug-432] iptables

Steve VanSlyck s.vanslyck at postpro.net
Wed May 13 16:50:22 EDT 2015


So ... on the first issue ... I need to add these two OUT rules?

read -p "Allow outbound http traffic?"
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT    # Allow outbound http traffic

read -p "Allow outbound https traffic?"
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT   # Allow outbound https traffic

read -p "Allow inbound http traffic?"
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT     # Allow inbound http traffic

read -p "Allow inbound https traffic?"
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT    # Allow inbound https traffic



On Wed, May 13, 2015, at 16:20, Rick Hornsby wrote:
>
>> On May 13, 2015, at 15:02, Steve VanSlyck
>> <s.vanslyck at postpro.net> wrote:
>>
>> I cannot figure out why yum is being blocked. I understood it
>> required only ports 80 and 443. The below is from my script:
> ...
>> read -p "Allow http traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>>
>> read -p "Allow https traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>
> Looks like your INPUT and OUTPUT are backwards.
>
> You need to allow OUTBOUND traffic to ports 80 and/or 443 to access
> remote yum repositories. But you are also using a paranoid DROP policy
> on your output chain.
>
> Something else I noticed -
>
>> *iptables -A OUTPUT -o ppp0 -j ACCEPT*
>
> It looks like you're only allowing all outbound traffic on the
> interface ppp0, which is not normally what I'd expect to see unless
> you're using some kind of dialup or VPN *outbound* to provide the host
> connectivity. Usually if an interface is being specified, I'd expect
> to see eth0, or in the case of CentOS 7 something along the lines of
> enp0s3. Either changing this, or fixing the two rules that you
> highlighted will probably do the trick.
>
>
> one other note - at least for testing purposes you might want to use
> REJECT instead of DROP. When you use DROP the firewall does exactly
> what the word implies - it silently drops the packets to the floor and
> the application has no idea anything is wrong. It is forced to time
> out waiting for a response that will never come. With REJECT iptables
> sends an ICMP response immediately. That should help speed up your
> development and troubleshooting greatly.
>
> http://ipset.netfilter.org/iptables.man.html
>
>
>>
>> read -p "Flush all current rules?"
>> iptables -F
>>
>> read -p "Accept connections to the loopback interface (localhost)?"
>> iptables -A INPUT -i lo -j ACCEPT
>>
>> read -p "Accept connections from the loopback interface (localhost)?"
>> iptables -A OUTPUT -o lo -j ACCEPT
>>
>> read -p "Allow outgoing connections?"
>> iptables -A OUTPUT -o ppp0 -j ACCEPT
>>
>> read -p "Drop all pings?"
>> iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
>>
>> read -p "Accept requested inbound traffic?"
>> iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> read -p "Accept new and established ssh from specified IP?"
>> iptables -A INPUT -p tcp -s 107.132.57.128 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>> read -p "Allow established ssh to specified IP?"
>> iptables -A OUTPUT -p tcp -d 107.132.57.128 --sport 22 -m state --state ESTABLISHED -j ACCEPT
>>
>> read -p "Drop all other ssh attempts?"
>> iptables -A INPUT -p tcp --dport ssh -j DROP
>>
>> read -p "Allow http traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>>
>> read -p "Allow https traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>>
>> read -p "Set policy: Drop forwarding connections?"
>> iptables -P FORWARD DROP
>>
>> read -p "Set policy: Drop other incoming connections?"
>> iptables -P INPUT DROP
>>
>> read -p "Set policy: Drop outgoing connections?"
>> iptables -P OUTPUT DROP
>> _______________________________________________
>> colug-432 mailing list colug-432 at colug.net
>> http://lists.colug.net/mailman/listinfo/colug-432
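The thread's fix (allow NEW outbound 80/443, key the stateful rules to the real uplink interface rather than ppp0, and use REJECT instead of DROP while testing) pulled together into one ruleset, as an added example that is not from the thread or from either poster's script. It goes beyond the thread in three ways: it emits iptables-restore(8) format so the whole ruleset loads atomically (the interactive read/append script leaves the host half-configured if a rule fails), it adds outbound DNS (port 53), which yum also needs to resolve mirror names, and it uses the conntrack match (`-m conntrack --ctstate`, the current spelling of `-m state --state`). The interface name eth0, the admin address 107.132.57.128 reused from the thread, and the DROP/REJECT toggle are parameters; `check_ruleset` is a helper written for this example that verifies the ESTABLISHED,RELATED accept precedes the catch-all deny on each chain, which is the ordering mistake that silently breaks replies.

```shell
#!/bin/sh
# Added example, not from the colug-432 thread. Generates and loads a minimal
# stateful iptables ruleset in iptables-restore format.
# Assumptions: the uplink interface is passed as $1 (eth0/enp0s3; ppp0 only for a
# dial-up or VPN uplink), the single ssh admin address as $2, and DROP or REJECT
# as optional $3 (REJECT while troubleshooting so clients fail immediately).

build_ruleset() {
    iface="$1"
    admin_ip="$2"
    deny="${3:-DROP}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback both ways
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to flows this host accepted or opened; must precede every deny
-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no tracked flow (stray ACKs, malformed TCP)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ignore pings
-A INPUT -p icmp --icmp-type echo-request -j DROP
# new ssh only from the admin address
-A INPUT -i $iface -p tcp -s $admin_ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# inbound web service
-A INPUT -i $iface -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $iface -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# outbound DNS plus HTTP/HTTPS so yum can resolve and fetch from its mirrors
-A OUTPUT -o $iface -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $iface -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $iface -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $iface -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# everything else: DROP in production, REJECT while testing so failures are immediate
-A INPUT -j $deny
-A OUTPUT -j $deny
COMMIT
EOF
}

# Sanity check (helper for this example): on INPUT and OUTPUT the
# ESTABLISHED,RELATED accept must come before that chain's catch-all deny,
# otherwise replies to allowed flows (yum's HTTP responses, ssh) are discarded.
# Returns 0 when the ordering is sound, 1 otherwise.
check_ruleset() {
    rules="$1"
    for chain in INPUT OUTPUT; do
        est=$(printf '%s\n' "$rules" | grep -n -E "^-A $chain .*ESTABLISHED,RELATED -j ACCEPT" | head -n1 | cut -d: -f1)
        deny=$(printf '%s\n' "$rules" | grep -n -E "^-A $chain -j (DROP|REJECT)\$" | head -n1 | cut -d: -f1)
        [ -n "$est" ] && [ -n "$deny" ] && [ "$est" -lt "$deny" ] || return 1
    done
    return 0
}

# Load atomically (needs root). iptables-restore --test parses the whole file
# first, so a typo rejects the load instead of leaving a partial ruleset.
apply_ruleset() {
    rules=$(build_ruleset "$@")
    check_ruleset "$rules" || { echo "ruleset ordering check failed" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# Usage: sh fw.sh show eth0 107.132.57.128 REJECT   (print the ruleset)
#        sh fw.sh apply eth0 107.132.57.128         (load it, as root)
case "${1:-}" in
    show)  shift; build_ruleset "$@" ;;
    apply) shift; apply_ruleset "$@" ;;
esac
```

Load it from a console or with a scheduled rollback (for example a cron job that restores a known-good ruleset a few minutes later) when working over ssh, since a wrong interface name in `$iface` locks out the admin address as surely as the original ppp0 rule locked out yum.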
