I was following the CentOS wiki page on iptables but no matter what I change only port 22 opens. Using various port scanning websites they all say the server is actively refusing connections on all other ports.

Here is the output of iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

From what I understand INPUT (policy DROP) should drop all traffic that does not have a defined rule, and I set the rules to accept ports 443/25/465 etc., but they all show up blocked. Yet port 22 (ssh) is unblocked and works fine.

Does anyone understand what I'm doing wrong?

3 Answers

It's been a while since I've done iptables, but I think you want to have a rule that always allows established connections:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

See this post: What is "state RELATED,ESTABLISHED" in iptables?

Cfreak

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

All that command does is add a rule allowing SSH connections over tcp port 22.

You need to:

-Load the state module

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-Set the default policy on a chain

iptables -P INPUT DROP

-Set default policy to drop

iptables -P FORWARD DROP

-Then you start establishing rules, à la:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

or

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

or allow all incoming SSH, HTTP and HTTPS traffic in one line

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

El Chapo Gluzman
  • Tried, did not work. Thanks though. Still blocking everything but port 22. – MSQLnoob020983 May 28 '15 at 19:29
  • Did you change the rules according to ports like iptables -A INPUT -p tcp --dport 80 -j ACCEPT – El Chapo Gluzman May 28 '15 at 19:38
  • Yep. Am I wrong in thinking that iptables -F opens all ports if all policies are set to accept? Because right now I have 0 rules, everything on accept and it's still blocking everything but port 22. Maybe iptables is not the problem. – MSQLnoob020983 May 28 '15 at 19:47
  • You're being locked out by the default filter policies not being removed when you run the iptables -F command; you're setting the policy to default deny/accept and then flushing all the rules that let you in. -F flushes all the rules... that's your problem. You are deleting all existing rules every time you run -F. – El Chapo Gluzman May 28 '15 at 19:54
  • That's exactly what I'm trying to do. If I have all ports open, no firewall blocking anything and I'm still being blocked then something is wrong with my system. – MSQLnoob020983 May 28 '15 at 20:05
  • @MSQLnoob020983 You will be actively rejected (blocked) on all ports that don't have a service listening on them. If you only have SSH running then all other ports will be blocked. This is how TCP/IP works, nothing is wrong with your system. iptables REJECT rules behave the same as a port that has no listener. – BillThor May 29 '15 at 00:23
  • @BillThor Well damn. That solved it. Thank you. I had installed Apache on the server but forgot to set the service to start every time on boot. When I could not get the default index.html page to display I jumped to "something must be wrong with the firewall". – MSQLnoob020983 May 29 '15 at 17:27

Two thoughts:

1) Do you have services running on those other ports? (netstat -an)

2) Is the server hosted somewhere, like a home ISP, that doesn't allow incoming connections on those other ports?

SteveS
  • 1. I'm not entirely sure what I'm looking at with netstat. It dumped a lot of stuff to console. 2. It's a DigitalOcean virtual server. I have quite a few running, all the same OS, and I've never had this problem before. – MSQLnoob020983 May 28 '15 at 20:10
  • Try to run netstat -an | grep 80 to see if http is listening. Substitute 443 and 25 for https and smtp, respectively. Post results back here. – SteveS May 29 '15 at 21:52
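The thread turns on one distinction: a port that answers "connection refused" has a listener problem (or a REJECT rule), while a port that silently times out is being DROPped. The script below is an added example, not code from any of the answerers, that puts both checks from the thread into code: it parses /proc/net/tcp (the same data netstat -an and ss -ltn print) for ports in LISTEN state, and it classifies a TCP connect attempt as open, refused or filtered. The /proc/net/tcp text embedded in it is a constructed sample, not the questioner's server; the function names are my own.

```python
import socket
from contextlib import closing

# Constructed sample in /proc/net/tcp format (not taken from the question):
# row 0 is a listener on port 0x16 = 22 (state 0A = LISTEN),
# row 1 is an ESTABLISHED connection (state 01) on port 0x1BB = 443.
# Nothing is listening on 80 or 443, which is the situation in the thread.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:01BB 0100007F:D2A4 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # kernel state code for LISTEN in /proc/net/tcp


def listening_ports(proc_net_tcp_text):
    """Return the sorted list of local TCP ports in LISTEN state.

    Each data row is: index, local_address (hex ip:hex port), rem_address,
    state, ...; only the local port and the state column are needed here.
    """
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return sorted(ports)


def read_live_listeners(path="/proc/net/tcp"):
    """Read the real kernel table on a Linux host (IPv4 only)."""
    with open(path) as fh:
        return listening_ports(fh.read())


def probe(host, port, timeout=2.0):
    """Classify a TCP port the way a port-scanning site would.

    'open'     -> handshake completed: a service listens and iptables ACCEPTs.
    'refused'  -> RST came back: no listener on that port, or a REJECT rule.
    'filtered' -> nothing came back before the timeout: a DROP rule/policy
                  or an upstream network filter.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "filtered"
        except OSError as exc:  # e.g. host unreachable
            return "error:%s" % exc.errno


def local_demo():
    """Show that 'refused' is what a closed port looks like even with no firewall.

    Binds a throwaway listener on loopback, probes it, closes it, probes again.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the kernel
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print("listeners in sample table:", listening_ports(SAMPLE_PROC_NET_TCP))
    print("probe of a live then closed loopback port:", local_demo())
```

Run on the server itself, read_live_listeners() tells you whether Apache (80/443) is actually bound before you touch a single iptables rule; from the outside, a "refused" from probe() means the packet reached the host and got an RST, so the firewall did not DROP it. Only a "filtered" result points at a DROP policy or at the hosting provider.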