Solved

Iptables for one way communication

Posted on 2006-06-27
8
526 Views
Last Modified: 2008-03-10
Hi,

I have my iptables rules as mentioned below.
With this i am able to do ssh to any of the machines in my network, and others can not do ssh to my machine....Upto this every thing is fine.

I am also able to ping to other machines but not able to access internet in my machine. My machine is in internal network. So, what other rules i must include to access internet from my machine.

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -t nat -X
iptables -t mangle -X
iptables -X

iptables -P INPUT DROP
iptables -p tcp -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
0
Comment
Question by:raghuni
  • 3
  • 3
  • 2
8 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 16991686
> I am also able to ping to other machines but not able to access internet in my machine.
You mean You can't browse the internet from Your box? If so, then ask another firewall which stands between Your box and the internet.
0
 

Author Comment

by:raghuni
ID: 16993150
If i disable the IPtable rule in my machine, i am able to access Internet.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16996375
please post result of:

iptbales -L -n -t nat&&iptables -L-n -t mangle&&iptables -L -n
0
 

Author Comment

by:raghuni
ID: 16999051
#iptables -L -n -t nat&&iptables -L -n -t mangle&&iptables -L -n

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x29
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x37
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x06
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x03/0x03
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
                                                                                                                           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 51

Expert Comment

by:ahoffmann
ID: 16999514
> .. others can not do ssh to my machine
add following rule:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
0
 
LVL 43

Accepted Solution

by:
ravenpl earned 200 total points
ID: 16999571
I think You need allow some UDP responces to get to Your box, like DNS
iptables -I INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
or even replace the line: ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
with: iptables -I INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
0
 

Author Comment

by:raghuni
ID: 17000778
Thats really great catch. I already did the same (Enabling UDP) and it worked in great way. Thank you for your all help.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17001428
so the UDP rule solved your problem with ssh?
Then you should check your sshd_config too, using reverse resolution is probably not what you want.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Fine Tune your automatic Updates for Ubuntu / Debian
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now