Solved

Iptables for one way communication

Posted on 2006-06-27
8
561 Views
Last Modified: 2008-03-10
Hi,

I have my iptables rules as mentioned below.
With this i am able to do ssh to any of the machines in my network, and others can not do ssh to my machine....Upto this every thing is fine.

I am also able to ping to other machines but not able to access internet in my machine. My machine is in internal network. So, what other rules i must include to access internet from my machine.

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -t nat -X
iptables -t mangle -X
iptables -X

iptables -P INPUT DROP
iptables -p tcp -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
0
Comment
Question by:raghuni
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 16991686
> I am also able to ping to other machines but not able to access internet in my machine.
You mean You can't browse the internet from Your box? If so, then ask another firewall which stands between Your box and the internet.
0
 

Author Comment

by:raghuni
ID: 16993150
If i disable the IPtable rule in my machine, i am able to access Internet.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16996375
please post result of:

iptbales -L -n -t nat&&iptables -L-n -t mangle&&iptables -L -n
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:raghuni
ID: 16999051
#iptables -L -n -t nat&&iptables -L -n -t mangle&&iptables -L -n

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x29
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x37
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x06
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x03/0x03
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
                                                                                                                           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16999514
> .. others can not do ssh to my machine
add following rule:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
0
 
LVL 43

Accepted Solution

by:
ravenpl earned 200 total points
ID: 16999571
I think You need allow some UDP responces to get to Your box, like DNS
iptables -I INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
or even replace the line: ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
with: iptables -I INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
0
 

Author Comment

by:raghuni
ID: 17000778
Thats really great catch. I already did the same (Enabling UDP) and it worked in great way. Thank you for your all help.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17001428
so the UDP rule solved your problem with ssh?
Then you should check your sshd_config too, using reverse resolution is probably not what you want.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question