iptables disables outbound traffic


I've created a script to add iptables rules.  It works great on the
input side -- allowing only requests for services explicitly mentioned.

Problem is it disables all outbound functionality.  With the firewall
running, I can't ssh or ftp FROM the server anywhere.  The server
doesn't balk at the request -- just can't process the incoming response
to the request.

Would be eternally grateful for enlightenment!  Script follows:

iptables --flush
iptables --delete-chain
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 1812 -j ACCEPT
iptables -A INPUT -p tcp --dport 1813 -j ACCEPT
iptables -A INPUT -p udp --dport 1812 -j ACCEPT
iptables -A INPUT -p udp --dport 1813 -j ACCEPT
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT


Re: iptables disables outbound traffic


Hi there,

What does 'iptables -vnL' have to say?  It is also a good idea to log
dropped traffic for analysis during your learning phase.

With no output filtering (policy ACCEPT), you shouldn't have problems
getting out.  Did you intend to block localnet egress to Internet?

Note that the
  iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

line should appear straight after the policy lines, you _want_ expected
return traffic to be dealt with first, then focus on what _new_ traffic
you want to let in to the server.
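An added example, not part of the thread, that lays the poster's ruleset out the way the reply recommends: policies first, then loopback and the ESTABLISHED,RELATED rule, then the per-service rules, then rate-limited logging of whatever is about to be dropped. It generates iptables-restore text from a function so the ordering can be checked without root; the port list is the one from the post, while the explicit OUTPUT policy, the LOG_DROP chain name, the loopback rule and the use of `-m conntrack --ctstate` (the current spelling of `-m state --state`) are my own additions.

```shell
#!/bin/sh
# Added example (not the poster's script): the same services, with the
# connection-tracking rule placed straight after the policies and dropped
# traffic logged before the INPUT policy discards it.

# Services the original script opened (taken from the post).
TCP_PORTS="20 21 22 53 80 1812 1813"
UDP_PORTS="53 1812 1813"

# Print the ruleset in iptables-restore format. Generating text needs no
# privileges, so the result can be inspected and checked before loading.
fw_rules() {
    echo '*filter'
    # Policies: drop unsolicited inbound and forwarded traffic, allow outbound.
    # OUTPUT is set explicitly instead of relying on whatever was there before.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':LOG_DROP - [0:0]'           # hypothetical user-defined chain
    # Loopback and expected return traffic first, as the reply advises.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Only then decide which NEW connections the server offers.
    for p in $TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "-A INPUT -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else: log a rate-limited sample, then drop.
    echo '-A INPUT -j LOG_DROP'
    echo '-A LOG_DROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4'
    echo '-A LOG_DROP -j DROP'
    echo 'COMMIT'
}

# Check on the generated text: the ESTABLISHED,RELATED accept must come
# before the first per-port rule. Returns 0 when the order is as intended.
fw_check_order() {
    rules=$(fw_rules)
    ct=$(printf '%s\n' "$rules" | grep -n -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' | head -n1 | cut -d: -f1)
    first_port=$(printf '%s\n' "$rules" | grep -n -- '--dport' | head -n1 | cut -d: -f1)
    [ -n "$ct" ] && [ -n "$first_port" ] && [ "$ct" -lt "$first_port" ]
}

# Load atomically (needs root): sh fw.sh --apply
if [ "${1:-}" = "--apply" ]; then
    fw_check_order || { echo "rule order is wrong, not applying" >&2; exit 1; }
    fw_rules | iptables-restore
fi
```

`fw_rules | iptables-restore --test` parses the ruleset without committing it. After loading, `iptables -S INPUT` (or the `iptables -vnL` suggested above) is worth reading line by line: iptables rejects any rule it cannot parse, and a missing ESTABLISHED,RELATED accept leaves return traffic to the DROP policy no matter where the line was meant to sit. Among rules that all jump to ACCEPT, position changes which counters increment and how many rules a packet traverses, not the verdict. One caveat for the ftp case in the question: outbound active-mode FTP data connections are only classified RELATED when the FTP connection-tracking helper (nf_conntrack_ftp) is loaded.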


Re: iptables disables outbound traffic

Grant, you're a sweetheart!!  Moving that one line to after policies
did the trick.  Thank you, thank you, thank you.

