
Can someone please explain why iptables is blocking any ports with this list of rules:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

To me it looks like the line `ACCEPT all` should accept all traffic, but this isn't the case.

DD.
  • If you add the `-v` option to your `iptables -L` statement it will show you the hit counts for each rule. This can be invaluable in determining why a ruleset isn't working the way you expect. – Ladadadada May 14 '12 at 08:43
  • what exactly is it not-accepting? what kind of packets? Packets for your machine, or is your machine acting as a router, and it rejects packets destined for other computers "behind" your machine? With current rules, your machine would accept all packets with its destination IP, but REJECT all packets that should be forwarded on. – mulaz May 14 '12 at 10:12
  • 1
    `-v` will also show if there are interface limits on any of the rules, which can be quite revealing. – user May 14 '12 at 13:01

2 Answers

Your iptables rules should be looked at for every chain.

  1. All traffic is accepted in INPUT chain.
  2. All traffic is accepted in OUTPUT chain.
  3. All traffic is rejected in FORWARD chain even with default policy set to ACCEPT.

In summary, your firewall is allowing all incoming and outgoing connections. However, it is refusing to forward any packet to any other host.

The general rule is that your iptables rules are followed in order until one matches. If none matches, the default chain policy applies.

Khaled
  • Why can I not connect to a particular port on my box unless I disable iptables? – DD. May 14 '12 at 12:51
  • If you need to forward traffic through the iptables box, you need to allow that traffic rather than reject everything in the `FORWARD` chain. Also, you need to make sure you have IP forwarding enabled. – Khaled May 14 '12 at 12:56
```
 pkts bytes target     prot opt in     out     source               destination
 6741  691K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    1    84 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
```

It turns out that what I thought was allowing all traffic through was only allowing loopback traffic (i.e. traffic on `lo`).

DD.
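As an added illustration (not part of the original question or either answer), the following Python script replays the two points made above: Khaled's first-match walk down a chain, falling back to the default policy when nothing matches, and DD.'s discovery that the `in` column hidden by a plain `iptables -L` restricted the "accept all" rule to `lo`. It parses a constructed `iptables -L INPUT -v -n` listing shaped like the questioner's INPUT chain (with `-n`, "any" prints as `*` and "anywhere" as `0.0.0.0/0`; the counters and the hypothetical packets are made up for the example) and reports which rule would decide a given packet. The parser and the `Packet`/`Rule` names are this example's own, not part of iptables.

```python
"""Toy first-match simulator for one chain of `iptables -L <chain> -v -n`."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input (not from the original page): the questioner's
# INPUT chain as `iptables -L INPUT -v -n` would print it. Counters are invented.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6741  691K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   37  2220 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""


@dataclass
class Rule:
    target: str
    proto: str                  # "all", "tcp", "udp", "icmp", ...
    in_iface: str               # "*" means any interface
    out_iface: str
    dport: Optional[int] = None # from "dpt:N"
    states: List[str] = field(default_factory=list)  # from "state A,B"
    pkts: int = 0               # hit counter shown by -v


@dataclass
class Chain:
    name: str
    policy: str
    rules: List[Rule]


@dataclass
class Packet:
    """Hypothetical packet attributes used for matching (example only)."""
    proto: str
    in_iface: str
    dport: Optional[int] = None
    state: str = "NEW"


def _count(tok: str) -> int:
    """iptables abbreviates large counters as 12K, 3M, 1G."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(float(tok[:-1]) * mult[tok[-1]]) if tok[-1] in mult else int(tok)


def parse_chain(listing: str) -> Chain:
    """Parse one chain from `iptables -L <chain> -v -n` output."""
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    m = re.match(r"Chain (\S+) \(policy (\S+)", lines[0])
    if not m:
        raise ValueError("expected a 'Chain NAME (policy ...)' header")
    rules = []
    for ln in lines[2:]:                     # lines[1] is the column header
        cols = ln.split()
        pkts, _bytes, target, proto, _opt, in_if, out_if = cols[:7]
        extra = cols[9:]                     # match extensions after src/dst
        rule = Rule(target, proto, in_if, out_if, pkts=_count(pkts))
        for i, tok in enumerate(extra):
            if tok == "state":
                rule.states = extra[i + 1].split(",")
            elif tok.startswith("dpt:"):
                rule.dport = int(tok[4:])
        rules.append(rule)
    return Chain(m.group(1), m.group(2), rules)


def first_match(chain: Chain, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (verdict, rule index); index is None when the policy applied."""
    for idx, r in enumerate(chain.rules):
        if r.proto != "all" and r.proto != pkt.proto:
            continue
        if r.in_iface != "*" and r.in_iface != pkt.in_iface:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.states and pkt.state not in r.states:
            continue
        return r.target, idx
    return chain.policy, None


def interface_limited(chain: Chain) -> List[int]:
    """Indexes of rules bound to an interface: exactly the detail that a
    plain `iptables -L` omits and `-v` shows in the in/out columns."""
    return [i for i, r in enumerate(chain.rules)
            if r.in_iface != "*" or r.out_iface != "*"]


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_LISTING)
    print("interface-limited rules:", interface_limited(chain))
    for pkt in (Packet("tcp", "lo", 8080), Packet("tcp", "eth0", 8080),
                Packet("tcp", "eth0", 22), Packet("icmp", "eth0")):
        verdict, idx = first_match(chain, pkt)
        print(f"{pkt.proto:4} in={pkt.in_iface:4} dport={pkt.dport} -> {verdict} (rule {idx})")
```

Run with `-n` so ports and addresses are numeric; a new TCP connection to port 8080 arriving on `lo` is accepted by rule 2, while the same connection on `eth0` falls through to the final REJECT, which is the behaviour the question describes.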