
I have the following iptables rules:

```
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  localhost.localdomain  anywhere            tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:14443
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:xxxxxxx

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

When I turn off iptables I am able to use wget and all other commands. When these rules are enabled I cannot connect to any address. Any idea why this would be?

  • ShaneMadden's answer below is correct, but you should also add a rule to allow any traffic on the `lo` interface. Then you can remove that mysql rule. This isn't strictly required, but it can help resolve potential issues. – phemmer Apr 10 '12 at 06:08

1 Answer

You're blocking the responses to the DNS queries - and the responses to the HTTP TCP connections, for that matter.

Put a rule in your INPUT chain to allow established connections and traffic related to established connections (like ICMP information regarding problems with routing).

```
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
```
  • Is ip_conntrack needed for this? I am on a VPS and cannot install kernel modules – arrowill12 Apr 10 '12 at 04:03
  • Ouch, no conntrack? An alternative would be to allow traffic with source ports that you'd be connecting to (like UDP/53, TCP/80), but that's not terribly good from a security perspective... they really left conntrack out on you?? – Shane Madden Apr 10 '12 at 04:32
  • I'm pretty sure it's not there; there's nothing in my modules folder – arrowill12 Apr 10 '12 at 04:47
  • @user1272737 Are you sure you mean VPS and not shared web hosting? If you have root access, and you're the only one using the virtual server (and I'm guessing you are since you're messing with iptables), you can do whatever you want with it, and **add any kernel module you want**. Also, just because it's not a module doesn't mean it's not built into the kernel. What Linux distribution are you using? – phemmer Apr 10 '12 at 06:03
  • I'm pretty sure I can't; it's through GoDaddy, and I have recently figured out that it is not really CentOS but a custom build called OpenVZ or possibly another similar distro. Here's a link with info: [when centos isnt centos](http://wiki.centos.org/AdditionalResources/OtherSpins). When speaking with GoDaddy techs they said if I modified the kernel it would orphan my system because it has to match the parent's kernel – arrowill12 Apr 10 '12 at 06:25
  • How would I find out if I have it installed? – arrowill12 Apr 10 '12 at 06:26
  • Check `/lib/iptables/` for the `state` module. – Shane Madden Apr 10 '12 at 15:30
  • libipt_state.so, is that it? – arrowill12 Apr 10 '12 at 16:39
  • Yup. Try adding the rule? – Shane Madden Apr 10 '12 at 16:53
  • It worked! So what exactly does that rule do? – arrowill12 Apr 10 '12 at 16:58
  • Allows inbound response traffic to connections that were initiated from the local system heading outbound. So if your server makes a DNS query, the response is allowed by the `INPUT` chain, and when it initiates a TCP connection for something like HTTP, the traffic coming from the remote server is allowed. – Shane Madden Apr 10 '12 at 17:30
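As an added illustration (not code from the question or the answer), the toy model below evaluates the asker's INPUT chain against the replies a `wget` triggers, first without any connection tracking and then with the RELATED,ESTABLISHED rule from the answer in front of it; it also includes phemmer's `lo` rule and shows why Shane's source-port alternative is weaker than state matching. All addresses, ports and flows are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "eth0"

HOST = "203.0.113.10"                                   # constructed server address
OPEN_TCP_PORTS = {22, 80, 443, 3306, 14443, 21, 20}     # the asker's per-service ACCEPTs

def input_chain(pkt, conntrack=None, allow_lo=False):
    """Verdict for one packet entering INPUT. `conntrack` is the set of reply
    tuples (proto, src, sport, dst, dport) the kernel expects for flows this
    host started; None models a kernel with no conntrack at all."""
    if allow_lo and pkt.iface == "lo":                  # -i lo -j ACCEPT (phemmer)
        return "ACCEPT"
    if conntrack is not None and \
       (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in conntrack:
        return "ACCEPT"                                 # --state RELATED,ESTABLISHED
    if pkt.proto == "tcp" and pkt.dport in OPEN_TCP_PORTS:
        if pkt.dport != 3306 or pkt.src == "127.0.0.1": # mysql only from localhost
            return "ACCEPT"
    return "DROP"                                       # policy DROP

def fetch_verdicts(stateful):
    """Simulate 'wget http://example.test/': a DNS query, then a TCP connect.
    Returns the INPUT verdicts for the two replies and for a forged packet
    that merely claims source port 53 toward a port we never queried from."""
    conntrack = set() if stateful else None
    query = Packet("udp", HOST, 40001, "198.51.100.1", 53)   # outbound DNS query
    syn = Packet("tcp", HOST, 40002, "198.51.100.80", 80)    # outbound HTTP SYN
    if stateful:
        for p in (query, syn):                               # record expected replies
            conntrack.add((p.proto, p.dst, p.dport, p.src, p.sport))
    dns_reply = Packet("udp", "198.51.100.1", 53, HOST, 40001)
    syn_ack = Packet("tcp", "198.51.100.80", 80, HOST, 40002)
    forged = Packet("udp", "192.0.2.7", 53, HOST, 40003)
    return {name: input_chain(p, conntrack) for name, p in
            [("dns_reply", dns_reply), ("syn_ack", syn_ack), ("forged", forged)]}
```

Without state, both replies fall through to the DROP policy, which is exactly why `wget` hangs; with state they are accepted while the forged source-port-53 packet is still dropped, which a plain "allow sport 53" rule would have let in.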