Iptables for one way communication

Hi,

I have my iptables rules as mentioned below.
With this i am able to do ssh to any of the machines in my network, and others can not do ssh to my machine....Upto this every thing is fine.

I am also able to ping to other machines but not able to access internet in my machine. My machine is in internal network. So, what other rules i must include to access internet from my machine.

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -t nat -X
iptables -t mangle -X
iptables -X

iptables -P INPUT DROP
iptables -p tcp -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
raghuniAsked:
Who is Participating?
 
ravenplConnect With a Mentor Commented:
I think You need allow some UDP responces to get to Your box, like DNS
iptables -I INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
or even replace the line: ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
with: iptables -I INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
0
 
ravenplCommented:
> I am also able to ping to other machines but not able to access internet in my machine.
You mean You can't browse the internet from Your box? If so, then ask another firewall which stands between Your box and the internet.
0
 
raghuniAuthor Commented:
If i disable the IPtable rule in my machine, i am able to access Internet.
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
ahoffmannCommented:
please post result of:

iptbales -L -n -t nat&&iptables -L-n -t mangle&&iptables -L -n
0
 
raghuniAuthor Commented:
#iptables -L -n -t nat&&iptables -L -n -t mangle&&iptables -L -n

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x29
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x37
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x06
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x03/0x03
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
                                                                                                                           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
0
 
ahoffmannCommented:
> .. others can not do ssh to my machine
add following rule:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
0
 
raghuniAuthor Commented:
Thats really great catch. I already did the same (Enabling UDP) and it worked in great way. Thank you for your all help.
0
 
ahoffmannCommented:
so the UDP rule solved your problem with ssh?
Then you should check your sshd_config too, using reverse resolution is probably not what you want.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.