?
Solved

Iptables for one way communication

Posted on 2006-06-27
8
Medium Priority
?
569 Views
Last Modified: 2008-03-10
Hi,

I have my iptables rules as mentioned below.
With this i am able to do ssh to any of the machines in my network, and others can not do ssh to my machine....Upto this every thing is fine.

I am also able to ping to other machines but not able to access internet in my machine. My machine is in internal network. So, what other rules i must include to access internet from my machine.

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -t nat -X
iptables -t mangle -X
iptables -X

iptables -P INPUT DROP
iptables -p tcp -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
0
Comment
Question by:raghuni
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 16991686
> I am also able to ping to other machines but not able to access internet in my machine.
You mean You can't browse the internet from Your box? If so, then ask another firewall which stands between Your box and the internet.
0
 

Author Comment

by:raghuni
ID: 16993150
If i disable the IPtable rule in my machine, i am able to access Internet.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16996375
please post result of:

iptbales -L -n -t nat&&iptables -L-n -t mangle&&iptables -L -n
0
Quick Cloud Training

Looking for some quick training on the cloud in 2 hours or less? Check out these how-to guides in AWS, Linux, OpenStack, Azure, and more!

 

Author Comment

by:raghuni
ID: 16999051
#iptables -L -n -t nat&&iptables -L -n -t mangle&&iptables -L -n

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x29
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x37
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x06
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x03/0x03
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
                                                                                                                           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16999514
> .. others can not do ssh to my machine
add following rule:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
0
 
LVL 43

Accepted Solution

by:
ravenpl earned 600 total points
ID: 16999571
I think You need allow some UDP responces to get to Your box, like DNS
iptables -I INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
or even replace the line: ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
with: iptables -I INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
0
 

Author Comment

by:raghuni
ID: 17000778
Thats really great catch. I already did the same (Enabling UDP) and it worked in great way. Thank you for your all help.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17001428
so the UDP rule solved your problem with ssh?
Then you should check your sshd_config too, using reverse resolution is probably not what you want.
0

Featured Post

Use Filtering Commands to Process Files in Linux

Learn how to manipulate data with the help of various filtering commands such as `cat`, `fmt`, `pr`, and others in Linux.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Fine Tune your automatic Updates for Ubuntu / Debian
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Suggested Courses
Course of the Month12 days, 19 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question