2

This may be a really dumb question but how can you open a port on multiple interfaces without defining the interfaces? For example how do I open port 22 on all interfaces?

On my machine I have some interfaces that are dynamic and may or may not be available so I have to set "generic" rules.

This code is not working for me but I can't figure out why:

# My default policy is to drop the input.
# The other policies are required like that.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT

#Open port 22 on all interfaces ?
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

So apparently there's something wrong with the last line... but I can't see it?

Edit: iptables -nvL

root@machine:/etc/rc.d# iptables -nvL
Chain INPUT (policy DROP 22 packets, 1378 bytes)
 pkts bytes target     prot opt in     out     source               destination
   18  1484 ACCEPT     all  --  *      *       192.168.0.0/24     192.168.0.1
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4   236 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  192.168.0.1 *       0.0.0.0/0            0.0.0.0/0
   24  1362 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:443

Chain FORWARD (policy ACCEPT 490 packets, 194K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 49 packets, 35544 bytes)
 pkts bytes target     prot opt in     out     source               destination
tftd

1 Answer

3

According to your iptables -nvL output, you have a rule to drop all traffic coming in eth1. This is likely your issue.

The rule you're trying to add uses -A INPUT, so it appends the rule to the end of the chain. Given that there are other rules in your -nvL output that aren't in your script, I'm guessing you have some other rules that are being applied elsewhere first.

The solution here is to change the -A INPUT to -I INPUT which will add the rule at the beginning, before the DROP rule.

phemmer
  • You're absolutely right. The problem was the order of execution. After I changed a couple of lines and added `-I` everything started working fine. Thanks! :) – tftd Apr 06 '12 at 01:36
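The ordering point in the answer, as an added example that is not part of the original question or answer: a small Python model of first-match evaluation for the INPUT chain (this is a constructed simulation of netfilter semantics, not iptables itself). The chain is rebuilt from the -nvL output above (simplified: the two address-specific rules are left out), and the same ACCEPT rule for port 22 is added once with append (-A) and once with insert (-I) to show why a new SSH connection on eth1 is dropped in the first case and accepted in the second, while on an interface no earlier rule names (eth2 here, an assumed name) the appended rule already works.

```python
"""Constructed model of a netfilter chain: rules are tried in order, the first
matching rule's target decides, and the chain policy applies if none match.
This is an illustration of rule ordering, not a reimplementation of iptables."""
from dataclasses import dataclass, field
from typing import Optional, FrozenSet, List, Tuple


@dataclass
class Rule:
    target: str                          # "ACCEPT" or "DROP"
    proto: str = "all"                   # "all", "tcp" or "udp"
    in_iface: str = "*"                  # "*" matches any input interface
    dport: Optional[int] = None          # destination port, None = any
    state: Optional[FrozenSet[str]] = None  # conntrack states, None = any

    def matches(self, pkt: dict) -> bool:
        if self.proto != "all" and pkt["proto"] != self.proto:
            return False
        if self.in_iface != "*" and pkt["in"] != self.in_iface:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.state is not None and pkt.get("state") not in self.state:
            return False
        return True


@dataclass
class Chain:
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:
        """-A: the rule lands after every rule already in the chain."""
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:
        """-I [rulenum]: 1-based position like iptables; default is the top."""
        self.rules.insert(rulenum - 1, rule)

    def verdict(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Return (target, 1-based rule number) of the first match, or the
        chain policy with None when no rule matches."""
        for num, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, num
        return self.policy, None


def build_input_chain() -> Chain:
    """The INPUT chain from the question's -nvL output, simplified."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", in_iface="lo"))
    chain.append(Rule("ACCEPT", in_iface="eth0"))
    chain.append(Rule("DROP", in_iface="eth1"))      # rule 3: shadows later ACCEPTs for eth1
    chain.append(Rule("ACCEPT", state=frozenset({"RELATED", "ESTABLISHED"})))
    for port in (53, 80, 443):
        chain.append(Rule("ACCEPT", proto="tcp", dport=port))
        chain.append(Rule("ACCEPT", proto="udp", dport=port))
    return chain


def ssh_verdict(in_iface: str, mode: str) -> Tuple[str, Optional[int]]:
    """Verdict for a new TCP/22 connection arriving on in_iface after the
    port-22 ACCEPT is added with mode "append" (-A) or "insert" (-I)."""
    chain = build_input_chain()
    ssh_rule = Rule("ACCEPT", proto="tcp", dport=22)
    if mode == "append":
        chain.append(ssh_rule)          # $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
    elif mode == "insert":
        chain.insert(ssh_rule)          # $IPTABLES -I INPUT -p tcp --dport 22 -j ACCEPT
    else:
        raise ValueError(mode)
    # Constructed packet: the SYN of a new SSH session.
    pkt = {"proto": "tcp", "in": in_iface, "dport": 22, "state": "NEW"}
    return chain.verdict(pkt)


if __name__ == "__main__":
    for iface in ("eth0", "eth1", "eth2"):      # eth2: an assumed dynamic interface
        for mode in ("append", "insert"):
            target, num = ssh_verdict(iface, mode)
            print(f"{iface:5} {mode:6} -> {target} (rule {num})")
```

With append, the SSH packet on eth1 hits the DROP rule at position 3 before it ever reaches the appended ACCEPT at position 11; with insert, the ACCEPT sits at position 1 and wins on every interface. On the real system the same check is `iptables -nvL --line-numbers`, which shows the positions, and `iptables -I INPUT <rulenum> ...` places a rule at a chosen position rather than only at the top.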