I'm trying to set up an iptables config such that outbound connections from my CentOS 6.2 server are allowed ONLY if they are of state ESTABLISHED. Currently, the following setup is working great for sshd, but all the Samba rules get totally ignored for a reason I cannot figure out.

iptables Bash script to set up ALL rules:

# Remove all existing rules
iptables -F

# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22222 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22222 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming Samba
iptables -A INPUT -i eth0 -s -p udp --dport 137:138 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -d -p udp --sport 137:138 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s -p tcp --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -d -p tcp --sport 139 -m state --state ESTABLISHED -j ACCEPT

# Enable these rules
service iptables restart

iptables rule list after running the above script:

[root@repoman ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:22222 state NEW,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:22222 state ESTABLISHED

Ultimately, I'm trying to restrict Samba the same way I have done for sshd. In addition, I'm trying to restrict connections to the following IP address range: -

Can you guys offer some pointers or possibly even a full-blown solution? I've read man iptables quite extensively, so I'm not sure why the Samba rules are getting thrown out.

Additionally, removing the -s flags doesn't change the fact that the rules get ignored.


2 Answers


You don't understand what the connection states mean. NEW means that this is the first packet in a connection, which in the case of TCP is the first SYN packet. ESTABLISHED means that the packet belongs to an existing connection, which in the case of TCP is everything after the first SYN packet. In order for a connection to get into ESTABLISHED state, that first packet needs to get through. By only allowing ESTABLISHED connections you are blocking that first packet, and so connections will never be established.

The way that connection tracking is usually used when setting up iptables is to police the first packet of each connection (i.e. state NEW), and then allow all packets in ESTABLISHED state through. Since a connection can only get into ESTABLISHED state if the first packet was allowed, it is safe to accept all packets in ESTABLISHED state.

  • I think you misunderstood what I said. That's EXACTLY what I'm doing for SSH connections, so clearly I understand states; specifically, incoming connections can be of state NEW or ESTABLISHED, whereas outbound connections must be ESTABLISHED otherwise they aren't allowed. I don't understand why you think what I did was wrong. Maybe I'm misunderstanding you too. – Eric Jun 04 '12 at 14:26

It's the service iptables restart at the end that is the problem. When you run the iptables commands, those rules are put into effect immediately. The iptables service you're restarting there uses a configuration file to load all the firewall rules when the system starts up. When you run it, it replaces all the rules you just made with whatever was in the stored configuration.

According to this, what you're supposed to do is use the iptables commands to make the firewall work right, then service iptables save to save the firewall configuration for next boot.

  • OMG you're probably right! I feel dumb now :) I'll try this out tonight when I'm home (I need to be on my LAN to test), then if it works I'll give you credit for this. Thanks! – Eric Jun 04 '12 at 14:28
  • IT WORKS! http://www.yourethemannowdog.com/ – Eric Jun 04 '12 at 14:56
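The script below is an added example, not the asker's script and not code from either answer. It puts both answers' points into one CentOS 6 firewall script: the first answer's pattern (police the first packet of each connection with --state NEW per service, and accept everything conntrack already knows with a single RELATED,ESTABLISHED rule in each direction), and the second answer's fix (persist with service iptables save instead of service iptables restart, which would reload /etc/sysconfig/iptables over the rules just built). It takes eth0 and the sshd port 22222 from the question. Everything else is an assumption: the trusted LAN 192.168.1.0/24 is a placeholder, since the asker's actual range is not on the page; tcp 445 is added because Samba also serves SMB directly over TCP on that port; and the DRY_RUN mode, the ipt wrapper and the generate/apply/dry-run command names are mine, added so the rule set can be reviewed without root.

```bash
#!/bin/bash
# Added example firewall script for CentOS 6 (not the original poster's code).
# Assumptions not taken from the question: the trusted LAN is 192.168.1.0/24
# (placeholder), Samba is also reachable on tcp 445, and DRY_RUN/ipt/generate
# are helpers invented here for reviewing the rules without root.
set -eu   # a rejected rule (bad syntax, e.g. "-s" with no address) aborts the run

IFACE=${IFACE:-eth0}
SSH_PORT=${SSH_PORT:-22222}
LAN=${LAN:-192.168.1.0/24}      # placeholder range, replace with your own
DRY_RUN=${DRY_RUN:-0}

# ipt: run iptables, or print the exact command when DRY_RUN=1 so the
# rule set can be reviewed on a machine without root or conntrack.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Flush the filter table, drop user chains, and default to DROP.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback: local daemons (smbd/nmbd included) talk to themselves here.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Accept anything conntrack already tracks, in both directions. A flow
    # only reaches ESTABLISHED if its first (NEW) packet was accepted by one
    # of the per-service rules below, so this is the safe generic rule.
    ipt -A INPUT -i "$IFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Police the first packet of each inbound connection, per service.
    ipt -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

    # Samba from the LAN only: NetBIOS name/datagram (udp 137-138),
    # NetBIOS session (tcp 139) and SMB over TCP (tcp 445).
    ipt -A INPUT -i "$IFACE" -s "$LAN" -p udp --dport 137:138 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport 139 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport 445 -m state --state NEW -j ACCEPT

    # Deliberately no OUTPUT rule for NEW: the server may answer, never originate.
}

persist_rules() {
    # Write the live rule set to /etc/sysconfig/iptables for the next boot.
    # "service iptables restart" would do the reverse and clobber the live rules.
    if [ "$DRY_RUN" = 1 ]; then
        echo 'service iptables save'
    else
        service iptables save
    fi
}

# generate: print, in order, every command "apply" would execute.
generate() {
    DRY_RUN=1
    build_rules
    persist_rules
}

case "${1:-}" in
    apply)   build_rules; persist_rules ;;
    dry-run) generate ;;
    '')      ;;   # no argument: only define the functions
    *)       echo "usage: $0 apply|dry-run" >&2; exit 2 ;;
esac
```

Run it as ./firewall.sh dry-run first and read the printed rules; the RELATED,ESTABLISHED accepts must come before the NEW rules, no OUTPUT rule should mention NEW, and the last line should be the save, not a restart. Then run it as root with apply. Because of set -e, a rule iptables rejects stops the script with its error message instead of leaving a half-built table, which is the quickest way to catch a malformed -s or -d option.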