
I have a Ubuntu 16.04 server on Linode.

My goal has been to run some webservers on a few ports and then connect to them using my host url, <my_id>.members.linode.com.

I installed Nginx and actually got this working. I could visit <my_url>:<my_port> and see my site.

Problems emerged when I attempted to add iptables rules as per their recommendations for securing the server. After running the following commands, I could no longer connect with this URL.

I'm seeing this error in my browser:

This site can’t be reached
<url> refused to connect.

I can reproduce this error with the following scripts. Running the first makes me unable to connect. Running the second then allows me to connect again:

Sets up the Linode recommended iptables rules:

#!/bin/sh
# setup_iptables.sh
# Copy the rule files into /tmp and load them with iptables-restore / ip6tables-restore.

rm -f /tmp/v4
rm -f /tmp/v6
cp ./tmp_v4_rules /tmp/v4
cp ./tmp_v6_rules /tmp/v6
iptables-restore < /tmp/v4
ip6tables-restore < /tmp/v6

Turns off the firewall as recommended here:

#!/bin/sh
# stop_firewall.sh
# Flush and delete every rule and chain, then set all default policies to ACCEPT.
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

In the setup_iptables.sh script I am referring to the files tmp_v4_rules and tmp_v6_rules. This is what they look like. These are taken from the Linode security guide I linked earlier.

tmp_v4_rules (gets copied to /tmp/v4):

*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7

# Reject all traffic forwarding.
-A FORWARD -j REJECT

COMMIT

tmp_v6_rules (gets copied to /tmp/v6):

*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::1/128 -j REJECT

# Allow ICMP
-A INPUT -p icmpv6 -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables_FORWARD_denied: " --log-level 7

# Reject all traffic forwarding.
-A FORWARD -j REJECT

COMMIT

I would appreciate a recommendation for how to debug this. I'm figuring the iptables recommendations are there for a reason, and it's not a good thing that I have to turn off the firewall to connect to my site. Yet I have no idea what part of the iptables ruleset is failing.


In Michael's comment it was suggested to look at the log file. From there it's recommended to look at /var/log/kern.log to see the iptables rejections.

I do see a bunch of denies. In fact, it seems like everything is a deny. Here's one example:

Sep  1 09:58:31 li1196-141 kernel: iptables_INPUT_denied: IN=eth0 OUT= MAC=<OMITTED> SRC=<OMITTED> DST=<OMITTED> LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63084 DF PROTO=TCP SPT=36306 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0

I really have no idea what this means at all. I have no experience with iptables. I have 600 unique deny logs. Not sure what to look for.


Some more logs from /var/log/kern.log:

I cleared out the file, ran the first script, tried to connect, then these 5 files appeared. Refreshing the browser window did not add more lines to the log file.

Sep  2 02:55:15 li1196-141 kernel: iptables_INPUT_denied: IN=eth0 OUT= MAC=<OMITTED> SRC=<OMITTED> DST=<OMITTED> LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=33801 DF PROTO=TCP SPT=34834 DPT=6066 WINDOW=14600 RES=0x00 SYN URGP=0

Sep  2 02:55:15 li1196-141 kernel: iptables_INPUT_denied: IN=eth0 OUT= MAC=<OMITTED> SRC=<OMITTED> DST=<OMITTED> LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=34016 DF PROTO=TCP SPT=34839 DPT=6066 WINDOW=14600 RES=0x00 SYN URGP=0

Sep  2 02:55:15 li1196-141 kernel: iptables_INPUT_denied: IN=eth0 OUT= MAC=<OMITTED> SRC=<OMITTED> DST=<OMITTED> LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=31437 DF PROTO=TCP SPT=34836 DPT=6066 WINDOW=14600 RES=0x00 SYN URGP=0

Sep  2 02:55:15 li1196-141 kernel: iptables_INPUT_denied: IN=eth0 OUT= MAC=<OMITTED> SRC=<OMITTED> DST=<OMITTED> LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=62629 DF PROTO=TCP SPT=34835 DPT=6066 WINDOW=14600 RES=0x00 SYN URGP=0

I'm pretty sure these are the right logs for my connection attempt. My webserver is running on port 6066 and in the log I see DPT=6066.

max pleaner
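The LOG lines above are dense, but the field that answers the question "which port is the firewall rejecting?" is DPT=. The following script is an added example, not part of the question or the Linode guide: it reads kern.log-style lines from stdin, keeps only the iptables_INPUT_denied entries, and tallies them by protocol and destination port, so your own service's port (here 6066) separates from the background probes you will always see on a public host (such as the DPT=23 entry). The sample log embedded in the script is constructed, with documentation addresses in place of the omitted ones.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output from /var/log/kern.log by
# destination port. Not code from the question or the Linode guide.
# Usage:  sh summarize_denied.sh /var/log/kern.log
#         (with no argument it runs on the constructed sample below)

# Constructed sample in the same layout as the lines shown in the question.
SAMPLE_LOG='Sep  2 02:55:15 li1196-141 kernel: iptables_INPUT_denied: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=33801 DF PROTO=TCP SPT=34834 DPT=6066 WINDOW=14600 RES=0x00 SYN URGP=0
Sep  2 02:55:15 li1196-141 kernel: iptables_INPUT_denied: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=34016 DF PROTO=TCP SPT=34839 DPT=6066 WINDOW=14600 RES=0x00 SYN URGP=0
Sep  1 09:58:31 li1196-141 kernel: iptables_INPUT_denied: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63084 DF PROTO=TCP SPT=36306 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Sep  1 09:59:02 li1196-141 kernel: iptables_FORWARD_denied: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63090 DF PROTO=TCP SPT=36310 DPT=80 WINDOW=5808 RES=0x00 SYN URGP=0'

# Read log text on stdin; print "<count> <proto> <dport>" for every INPUT
# denial, most frequent first. FORWARD denials are ignored on purpose: they
# are a different chain and never explain a refused inbound connection.
summarize_denied_ports() {
    grep 'iptables_INPUT_denied' \
    | awk '{
        proto = ""; dport = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7);
            if ($i ~ /^DPT=/)   dport = substr($i, 5);
        }
        if (dport != "") count[proto " " dport]++
      }
      END { for (k in count) print count[k], k }' \
    | sort -rn
}

# Read log text on stdin; print how many INPUT denials targeted port $1.
# Useful as a quick check: reload the rules, hit the site once, run this
# for your service port, and a non-zero count confirms the firewall is
# what refused the connection.
denied_count_for_port() {
    awk -v want="$1" '/iptables_INPUT_denied/ {
        for (i = 1; i <= NF; i++) if ($i == "DPT=" want) n++
    } END { print n + 0 }'
}

# Run on the file given as the first argument, or on the sample.
if [ -n "${1:-}" ]; then
    summarize_denied_ports < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_denied_ports
fi
```

On the sample the first output line is `2 TCP 6066`, which is exactly the signal the question is looking for: repeated SYNs to the service port, all rejected before any rule accepted them.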

1 Answer


As Michael noticed, I was trying to connect over some arbitrary ports (6066, 1234, 9292) but I wasn't whitelisting these ports in the iptables config.

I added the following lines:

-A INPUT -p tcp --dport 6066 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 1234 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 9292 -m state --state NEW -j ACCEPT

then ran my setup_iptables.sh script to load the new rules.

max pleaner
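One detail the answer leaves implicit is where the new lines go. iptables evaluates a chain top to bottom and stops at the first match, so an ACCEPT for port 6066 only works if it sits above the catch-all `-A INPUT -j REJECT`; appended below it, the rule is never reached and the log keeps filling with DPT=6066 denials. The script below is an added example, not code from the answer or the Linode guide. It inserts ACCEPT rules for a list of ports directly above the catch-all REJECT in an iptables-restore file of the same shape as tmp_v4_rules, validates the port numbers first, and provides a check that a given port is actually reachable before the REJECT. The embedded base ruleset is a constructed, shortened copy of the one in the question.

```shell
#!/bin/sh
# Added example: add per-port ACCEPT rules to an iptables-restore ruleset
# in the right place, and verify the ordering. Not the answer's own code.
# Usage:  add_ports_to_ruleset 6066 1234 9292 < /tmp/v4 > /tmp/v4.new
#         port_is_reachable 6066 < /tmp/v4.new && echo ok

# Constructed, shortened ruleset in the same layout as tmp_v4_rules.
BASE_RULES='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT'

# Accept only a decimal TCP port in 1..65535; anything else is rejected so a
# typo cannot silently produce a rule iptables-restore will choke on.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Read a ruleset on stdin and write it back out with one ACCEPT rule per
# port in "$@" inserted immediately above the first "-A INPUT -j REJECT".
add_ports_to_ruleset() {
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    awk -v ports="$*" '
        BEGIN { n = split(ports, plist, " ") }
        $0 == "-A INPUT -j REJECT" && !done {
            for (i = 1; i <= n; i++)
                print "-A INPUT -p tcp --dport " plist[i] " -m state --state NEW -j ACCEPT"
            done = 1
        }
        { print }'
}

# Read a ruleset on stdin; exit 0 if an INPUT ACCEPT for TCP port $1 appears
# before the INPUT chain catch-all REJECT, exit 1 otherwise.
port_is_reachable() {
    awk -v port="$1" '
        $1 == "-A" && $2 == "INPUT" && $0 ~ ("--dport " port " ") && /-j ACCEPT/ { found = 1 }
        $0 == "-A INPUT -j REJECT" { exit }
        END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed ruleset: the hardened file for the
# three ports named in the answer.
printf '%s\n' "$BASE_RULES" | add_ports_to_ruleset 6066 1234 9292
```

The same check is worth running against the live ruleset after `iptables-restore`: `iptables -S INPUT` prints the chain in evaluation order, so piping it into `port_is_reachable 6066` tells you whether the accept really precedes the reject.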