0

I was following the CentOS wiki page on iptables but no matter what I change only port 22 opens. Using various port scanning websites, they all say the server is actively refusing connections on all other ports.

Here is the iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

From what I understand INPUT (policy DROP) should drop all traffic that does not have a defined rule, and I set the rules to accept ports 443/25/465 etc., but they all show up blocked. Yet port 22 (ssh) is unblocked and works fine.

Does anyone understand what I'm doing wrong?

3 Answers

0

It's been a while since I've done iptables, but I think you want to have a rule that always allows established connections:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

See this post: What is "state RELATED,ESTABLISHED" in iptables?

Cfreak
  • 135
0

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

All that command does is add a rule allowing SSH connections over tcp port 22.

You need to:

- Load the state module

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

- Set the default policy on a chain

iptables -P INPUT DROP

- Set default policy to drop

iptables -P FORWARD DROP

- Then you start establishing rules, à la:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

or

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

or allow all incoming SSH, HTTP and HTTPS traffic in one line

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

0

Two thoughts:

1) Do you have services running on those other ports? (netstat -an)

2) Is the server hosted somewhere, like a home ISP, that doesn't allow incoming connections on those other ports?

SteveS
  • 1
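An added check (my own script, not code from any answer above) that ties SteveS's first question to the ruleset shown in the second answer: it parses `iptables -S INPUT` and `ss -Hltn` output and lists the TCP ports the INPUT chain accepts but nothing listens on. A port that the firewall lets through with no listener behind it answers with a TCP RST, which scanners report as "connection refused", whereas a port hit by the INPUT DROP policy times out. Both inputs below are constructed samples; on a live host substitute the real command output.

```shell
#!/bin/sh
# Added example, not code from the thread. Cross-checks the TCP ports the INPUT
# chain accepts against the ports that actually have a listener bound to a
# non-loopback address.
#
# Both inputs are constructed samples. On a live host use:
#   IPTABLES_SAMPLE=$(iptables -S INPUT)   and   SS_SAMPLE=$(ss -Hltn)
IPTABLES_SAMPLE='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*'

# TCP destination ports the INPUT chain accepts (handles --dport and multiport --dports).
accepted_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), p, ","); for (k = 1; k <= n; k++) print p[k]
                }
        }' | sort -n | uniq
}

# Ports with a listener on something other than loopback; ss prints addr:port in column 4.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]") print port
        }' | sort -n | uniq
}

# Ports accepted by the firewall with no external listener behind them.
accepted_but_not_listening() {
    listen=" $(listening_ports "$2" | tr '\n' ' ') "
    for port in $(accepted_ports "$1"); do
        case "$listen" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

printf 'accepted by INPUT but nothing listening: %s\n' \
    "$(accepted_but_not_listening "$IPTABLES_SAMPLE" "$SS_SAMPLE" | tr '\n' ' ')"
```

With the sample data the script reports 25, 443 and 465: the firewall already admits them, so the "refused" result comes from the absence of a listener, not from iptables.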