[colug-432] iptables
William Yang
wyang at gcfn.net
Thu May 14 08:13:24 EDT 2015
You probably need outbound DNS (tcp/53, udp/53) for Yum to work
properly. Depending on your routing, you may need other protocols, too.
Egress filtering is pretty advanced to start with in iptables; you may
want to profile your usage, maybe read a book or a few websites on
firewall rule design, before you tackle it. The old chestnut _Building
Internet Firewalls_ or something like that, maybe?
On 2015-05-13 16:20, Rick Hornsby wrote:
>
>> On May 13, 2015, at 15:02, Steve VanSlyck <s.vanslyck at postpro.net> wrote:
>>
>> I cannot figure out why yum is being blocked. I understood it
>> required only ports 80 and 443. The below is from my script:
> ...
>> read -p "Allow http traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>> read -p "Allow https traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>
> Looks like your INPUT and OUTPUT are backwards.
>
> You need to allow OUTBOUND traffic to ports 80 and/or 443 to access
> remote yum repositories. But you are also using a paranoid DROP
> policy on your output chain.
>
> Something else I noticed -
>
>> iptables -A OUTPUT -o ppp0 -j ACCEPT
>
> It looks like you're only allowing all outbound traffic on the
> interface ppp0, which is not normally what I'd expect to see unless
> you're using some kind of dialup or VPN *outbound* to provide the host
> connectivity. Usually if an interface is being specified, I'd expect
> to see eth0, or in the case of CentOS 7 something along the lines of
> enp0s3. Either changing this, or fixing the two rules that you
> highlighted will probably do the trick.
>
>
> one other note - at least for testing purposes you might want to use
> REJECT instead of DROP. When you use DROP the firewall does exactly
> what the word implies - it silently drops the packets to the floor and
> the application has no idea anything is wrong. It is forced to time
> out waiting for a response that will never come. With REJECT iptables
> sends an ICMP response immediately. That should help speed up your
> development and troubleshooting greatly.
>
> http://ipset.netfilter.org/iptables.man.html
>
>
>>
>> read -p "Flush all current rules?"
>> iptables -F
>> read -p "Accept connections to the loopback interface (localhost)?"
>> iptables -A INPUT -i lo -j ACCEPT
>> read -p "Accept connections from the loopback interface (localhost)?"
>> iptables -A OUTPUT -o lo -j ACCEPT
>> read -p "Allow outgoing connections?"
>> iptables -A OUTPUT -o ppp0 -j ACCEPT
>> read -p "Drop all pings?"
>> iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
>> read -p "Accept requested inbound traffic?"
>> iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>> read -p "Accept new and established ssh from specified IP?"
>> iptables -A INPUT -p tcp -s 107.132.57.128 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>> read -p "Allow established ssh to specified IP?"
>> iptables -A OUTPUT -p tcp -d 107.132.57.128 --sport 22 -m state --state ESTABLISHED -j ACCEPT
>> read -p "Drop all other ssh attempts?"
>> iptables -A INPUT -p tcp --dport ssh -j DROP
>> read -p "Allow http traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>> read -p "Allow https traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>> read -p "Set policy: Drop forwarding connections?"
>> iptables -P FORWARD DROP
>> read -p "Set policy: Drop other incoming connections?"
>> iptables -P INPUT DROP
>> read -p "Set policy: Drop outgoing connections?"
>> iptables -P OUTPUT DROP
>> _______________________________________________
>> colug-432 mailing list
>> colug-432 at colug.net
>> http://lists.colug.net/mailman/listinfo/colug-432
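Putting the two replies together (stateful rules on both chains, the 80/443 rules on OUTPUT rather than INPUT, outbound DNS, and REJECT rather than DROP while troubleshooting), here is a ruleset in the shape the original script was aiming for. This is an added example, not any poster's script. It assumes the conntrack match is available, that the admin host is the 107.132.57.128 address from the quoted script, and that DNS, HTTP and HTTPS are the only outbound services the box needs; as William notes, anything else the host talks to needs its own rule. The LOG rule in front of the catch-all is there to show you what you forgot.

```shell
#!/bin/sh
# Stateful host firewall for a yum client (added example for this thread,
# not any poster's code). Assumptions: the conntrack match is available,
# the admin host is 107.132.57.128 (the address from the quoted script),
# and only DNS, HTTP and HTTPS are needed outbound.
#
# apply_rules IPTABLES_CMD [ADMIN_IP] [CATCHALL]
#   IPTABLES_CMD  "iptables" to load the rules, "echo" to print them (dry run)
#   ADMIN_IP      source allowed to open new SSH sessions
#   CATCHALL      REJECT while troubleshooting (immediate ICMP error),
#                 DROP once the ruleset is known to work
apply_rules() {
    IPT=$1
    ADMIN_IP=${2:-107.132.57.128}
    CATCHALL=${3:-REJECT}

    # Clean slate with permissive policies first, so the SSH session used
    # to run this is not cut off between the flush and the accept rules.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X

    # Loopback in both directions.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections either side opened. This single pair lets yum's
    # responses back in and SSH replies back out; no per-port ESTABLISHED
    # rules (like the original --sport 22 one) are needed.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Inbound: only new SSH from the admin host. Everything else, pings
    # included, falls through to the INPUT DROP policy.
    $IPT -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Outbound (egress): what a yum client actually opens. The original put
    # the 80/443 rules on INPUT, which only matters if this host serves web.
    $IPT -A OUTPUT -p udp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

    # Catch-all for unlisted outbound traffic. REJECT answers with an ICMP
    # error so a blocked client fails immediately instead of timing out;
    # the LOG line shows what was blocked (a mirror on an odd port, NTP...).
    $IPT -A OUTPUT -j LOG --log-prefix "egress-blocked: " --log-level 4
    $IPT -A OUTPUT -j "$CATCHALL"

    # Default-deny policies last, once the accept rules are in place.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

# Dry run by default: prints the rules. Pass "iptables" (as root) to load.
#   sh egress.sh
#   sh egress.sh iptables 107.132.57.128 DROP
apply_rules "${1:-echo}"
```

Run it with `echo` first and read the output top to bottom; the policies must be the last thing set, and no INPUT rule should mention 80 or 443 unless the host is actually a web server. Once yum works with the REJECT catch-all, switch the third argument to DROP.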