raghuni
asked on
Iptables for one way communication
Hi,
I have my iptables rules as mentioned below.
With this i am able to do ssh to any of the machines in my network, and others can not do ssh to my machine....Upto this every thing is fine.
I am also able to ping to other machines but not able to access internet in my machine. My machine is in internal network. So, what other rules i must include to access internet from my machine.
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -t nat -X
iptables -t mangle -X
iptables -X
iptables -P INPUT DROP
iptables -p tcp -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
I have my iptables rules as mentioned below.
With this i am able to do ssh to any of the machines in my network, and others can not do ssh to my machine....Upto this every thing is fine.
I am also able to ping to other machines but not able to access internet in my machine. My machine is in internal network. So, what other rules i must include to access internet from my machine.
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -t nat -X
iptables -t mangle -X
iptables -X
iptables -P INPUT DROP
iptables -p tcp -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
ASKER
If i disable the IPtable rule in my machine, i am able to access Internet.
please post result of:
iptbales -L -n -t nat&&iptables -L-n -t mangle&&iptables -L -n
iptbales -L -n -t nat&&iptables -L-n -t mangle&&iptables -L -n
ASKER
#iptables -L -n -t nat&&iptables -L -n -t mangle&&iptables -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
> .. others can not do ssh to my machine
add following rule:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
add following rule:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thats really great catch. I already did the same (Enabling UDP) and it worked in great way. Thank you for your all help.
so the UDP rule solved your problem with ssh?
Then you should check your sshd_config too, using reverse resolution is probably not what you want.
Then you should check your sshd_config too, using reverse resolution is probably not what you want.
You mean You can't browse the internet from Your box? If so, then ask another firewall which stands between Your box and the internet.