
I have made a firewall rule bash script as:

    #!/bin/bash

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT DROP

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT

    #
    #       Outgoing and Incoming ping – on all interface
    #
    ip6tables -A INPUT -i bond0 -p ipv6-icmp -j ACCEPT
    ip6tables -A OUTPUT -o bond0 -p ipv6-icmp -j ACCEPT

    ip6tables -A INPUT -i bond1 -p ipv6-icmp -j ACCEPT
    ip6tables -A OUTPUT -o bond1 -p ipv6-icmp -j ACCEPT

    ip6tables -A INPUT -i bond2 -p ipv6-icmp -j ACCEPT
    ip6tables -A OUTPUT -o bond2 -p ipv6-icmp -j ACCEPT

    ip6tables -A INPUT -i bond3.243 -p ipv6-icmp -j ACCEPT
    ip6tables -A OUTPUT -o bond3.243 -p ipv6-icmp -j ACCEPT

    #
    #       ssh - 22/tcp
    #
    iptables -A INPUT -i bond1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o bond1 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

    iptables -A INPUT -i bond3.243 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o bond3.243 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

    ip6tables -A INPUT -i bond1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    ip6tables -A OUTPUT -o bond1 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

    ip6tables -A INPUT -i bond3.243 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    ip6tables -A OUTPUT -o bond3.243 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    #
    #       Save the configuration
    #
    service iptables save
    service ip6tables save

    #
    #       dobackup
    #
    chmod a+r /etc/sysconfig/iptables
    chmod a+r /etc/sysconfig/ip6tables

Now whenever I apply these rules, I lose the ssh connectivity with my server. Then I need to stop the ip6tables service to get back the ssh connectivity.

But when I change iptables -P OUTPUT DROP to iptables -P OUTPUT ACCEPT and ip6tables -P OUTPUT DROP to ip6tables -P OUTPUT ACCEPT, then the rules get implemented as well and I do not lose the ssh connectivity.

I am not sure exactly what the issue is: some mistake in the bash file, or something which I don't know. Thanks for the support.

Egor Vasilyev

1 Answer


I think it is a more convenient method to allow inbound connections on the ssh port without state control and to allow outbound established and related connections.

Try these rules:

    iptables -A INPUT -i bond1 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i bond3.243 -p tcp --dport 22 -j ACCEPT

    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Your server cannot send other types of traffic because the last rule allows it to send only ESTABLISHED and RELATED traffic.

Egor Vasilyev
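As an added example (not code from the question or from the answer above): the answer's ruleset assembled into an iptables-restore table, with ESTABLISHED,RELATED accepted in both directions and NEW ssh accepted only on the listed interfaces, plus a way to load it over ssh with an automatic rollback so that a wrong rule cannot lock you out. The interface names (bond1 and bond3.243 from the question), the 60-second rollback window and the function names are assumptions for illustration; the script is mine, not part of iptables or of either post. For IPv6 it also accepts ICMPv6, which the question's script allowed per interface and which IPv6 needs for neighbour discovery.

```shell
#!/bin/bash
# Added example (not code from the question or the answer): build the
# corrected ruleset as an iptables-restore table and load it with a
# rollback timer. Interface names and the 60-second window are assumptions.

# build_filter_table FAMILY IFACE...
# Prints a "filter" table that drops by default, allows loopback, allows
# ESTABLISHED,RELATED in both directions (the answer's key point) and allows
# NEW ssh only on the listed interfaces. FAMILY is 4 or 6; for 6 it also
# allows ICMPv6 on every interface.
build_filter_table() {
    family="$1"; shift
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    if [ "$family" = 6 ]; then
        printf '%s\n' '-A INPUT -p ipv6-icmp -j ACCEPT' '-A OUTPUT -p ipv6-icmp -j ACCEPT'
    fi
    for iface in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_matching TABLE PATTERN: how many lines of TABLE contain PATTERN.
# Used to sanity-check a table before loading it (grep -c exits 1 on zero
# matches, so the exit status is masked and only the count is returned).
count_matching() {
    printf '%s\n' "$1" | grep -c -- "$2" || true
}

# apply_with_rollback FAMILY TABLE [SECONDS]
# Saves the live ruleset, starts a background timer that restores it after
# SECONDS, then loads TABLE. If ssh still works, kill the timer to keep the
# new rules; if you were locked out, the old rules come back by themselves.
# Needs root and the iptables-save/iptables-restore tools.
apply_with_rollback() {
    family="$1"; table="$2"; seconds="${3:-60}"
    save=iptables-save; restore=iptables-restore
    if [ "$family" = 6 ]; then
        save=ip6tables-save; restore=ip6tables-restore
    fi
    previous=$("$save") || return 1
    ( sleep "$seconds"; printf '%s\n' "$previous" | "$restore" ) &
    watchdog=$!
    # iptables-restore replaces the whole table atomically, so re-running
    # never appends duplicate rules the way a script of -A commands does.
    if ! printf '%s\n' "$table" | "$restore"; then
        kill "$watchdog"
        return 1
    fi
    printf 'Rules loaded. If ssh still works, run within %ss: kill %s\n' "$seconds" "$watchdog"
}

# Usage (as root):
#   apply_with_rollback 4 "$(build_filter_table 4 bond1 bond3.243)" 60
#   apply_with_rollback 6 "$(build_filter_table 6 bond1 bond3.243)" 60
# With --print the script only shows the tables it would load.
if [ "${1:-}" = "--print" ]; then
    build_filter_table 4 bond1 bond3.243
    build_filter_table 6 bond1 bond3.243
fi
```

Loading the table through iptables-restore also removes the ordering problem of a script that sets the DROP policies first and appends the ACCEPT rules afterwards: the new table becomes active in one step, and an existing ssh session keeps working because its packets match the ESTABLISHED,RELATED rules on both INPUT and OUTPUT. If the session does break, nothing needs to be done; the saved rules return when the timer fires.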