[colug-432] iptables

William Yang wyang at gcfn.net
Thu May 14 08:13:24 EDT 2015


You probably need outbound DNS (tcp/53, udp/53) for Yum to work 
properly.  Depending on your routing, you may need other protocols, too.

Egress filtering is pretty advanced to start with in iptables; you may 
want to profile your usage, maybe read a book or a few websites on 
firewall rule design, before you tackle it.  The old chestnut _Building 
Internet Firewalls_ or something like that, maybe?

On 2015-05-13 16:20, Rick Hornsby wrote:
>
>> On May 13, 2015, at 15:02, Steve VanSlyck <s.vanslyck at postpro.net 
>> <mailto:s.vanslyck at postpro.net>> wrote:
>>
>> I cannot figure out why yum is being blocked. I understood it 
>> required only ports 80 and 443. The below is from my script:
> ...
>> read -p "Allow http traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>> read -p "Allow https traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>
> Looks like your INPUT and OUTPUT are backwards.
>
> You need to allow OUTBOUND traffic to ports 80 and/or 443 to access 
> remote yum repositories.  But you are also using a paranoid DROP 
> policy on your output chain.
>
> Something else I noticed -
>
>> iptables -A OUTPUT -o ppp0 -j ACCEPT
>
> It looks like you're only allowing all outbound traffic on the 
> interface ppp0, which is not normally what I'd expect to see unless 
> you're using some kind of dialup or VPN *outbound* to provide the host 
> connectivity.  Usually if an interface is being specified, I'd expect 
> to see eth0, or in the case of CentOS 7 something along the lines of 
> enp0s3.  Either changing this, or fixing the two rules that you 
> highlighted will probably do the trick.
>
>
> one other note - at least for testing purposes you might want to use 
> REJECT instead of DROP.  When you use DROP the firewall does exactly 
> what the word implies - it silently drops the packets to the floor and 
> the application has no idea anything is wrong.  It is forced to time 
> out waiting for a response that will never come.  With REJECT iptables 
> sends an ICMP response immediately. That should help speed up your 
> development and troubleshooting greatly.
>
> http://ipset.netfilter.org/iptables.man.html
>
>
>>
>> read -p "Flush all current rules?"
>> iptables -F
>> read -p "Accept connections to the loopback interface (localhost)?"
>> iptables -A INPUT -i lo -j ACCEPT
>> read -p "Accept connections from the loopback interface (localhost)?"
>> iptables -A OUTPUT -o lo -j ACCEPT
>> read -p "Allow outgoing connections?"
>> iptables -A OUTPUT -o ppp0 -j ACCEPT
>> read -p "Drop all pings?"
>> iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
>> read -p "Accept requested inbound traffic?"
>> iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>> read -p "Accept new and established ssh from specified IP?"
>> iptables -A INPUT -p tcp -s 107.132.57.128 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>> read -p "Allow established ssh to specified IP?"
>> iptables -A OUTPUT -p tcp -d 107.132.57.128 --sport 22 -m state --state ESTABLISHED -j ACCEPT
>> read -p "Drop all other ssh attempts?"
>> iptables -A INPUT -p tcp --dport ssh -j DROP
>> read -p "Allow http traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>> read -p "Allow https traffic?"
>> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>> read -p "Set policy: Drop forwarding connections?"
>> iptables -P FORWARD DROP
>> read -p "Set policy: Drop other incoming connections?"
>> iptables -P INPUT DROP
>> read -p "Set policy: Drop outgoing connections?"
>> iptables -P OUTPUT DROP
>> _______________________________________________
>> colug-432 mailing list
>> colug-432 at colug.net <mailto:colug-432 at colug.net>
>> http://lists.colug.net/mailman/listinfo/colug-432
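As an added example (not code from the thread or its posters), here is a dry-run generator for the outbound side the replies say the script is missing: DNS and HTTP/HTTPS allowed on the OUTPUT chain, stateful replies on INPUT, and a REJECT tail so failures show up immediately while testing. IPT and WAN are assumed names; it prints the commands unless IPT is set to a real iptables binary.

```shell
#!/bin/sh
# Added example, not the original script. By default IPT is "echo iptables",
# so the function only prints what it would do; run as root with
# IPT=iptables to apply. WAN is an assumed interface (the script used ppp0).
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"

yum_egress_rules() {
    # Loopback in both directions.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened: repo data and DNS answers.
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound DNS: yum has to resolve mirror names before it can fetch.
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

    # Outbound HTTP/HTTPS to the repositories: these belong on OUTPUT, not INPUT.
    for port in 80 443; do
        $IPT -A OUTPUT -o "$WAN" -p tcp --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    done

    # While testing, REJECT so a blocked connection fails fast with an ICMP
    # error instead of timing out; swap these for DROP once the set is settled.
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
    $IPT -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

    # Default-deny policies remain the safety net behind the explicit rules.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

yum_egress_rules
```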
