Solved

Iptables for one way communication

Posted on 2006-06-27
8
534 Views
Last Modified: 2008-03-10
Hi,

I have my iptables rules as mentioned below.
With this i am able to do ssh to any of the machines in my network, and others can not do ssh to my machine....Upto this every thing is fine.

I am also able to ping to other machines but not able to access internet in my machine. My machine is in internal network. So, what other rules i must include to access internet from my machine.

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -t nat -X
iptables -t mangle -X
iptables -X

iptables -P INPUT DROP
iptables -p tcp -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
0
Comment
Question by:raghuni
  • 3
  • 3
  • 2
8 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 16991686
> I am also able to ping to other machines but not able to access internet in my machine.
You mean You can't browse the internet from Your box? If so, then ask another firewall which stands between Your box and the internet.
0
 

Author Comment

by:raghuni
ID: 16993150
If i disable the IPtable rule in my machine, i am able to access Internet.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16996375
please post result of:

iptbales -L -n -t nat&&iptables -L-n -t mangle&&iptables -L -n
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 

Author Comment

by:raghuni
ID: 16999051
#iptables -L -n -t nat&&iptables -L -n -t mangle&&iptables -L -n

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x29
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x37
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x06
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x03/0x03
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
                                                                                                                           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
                                                                                                                           
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16999514
> .. others can not do ssh to my machine
add following rule:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
0
 
LVL 43

Accepted Solution

by:
ravenpl earned 200 total points
ID: 16999571
I think You need allow some UDP responces to get to Your box, like DNS
iptables -I INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
or even replace the line: ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
with: iptables -I INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
0
 

Author Comment

by:raghuni
ID: 17000778
Thats really great catch. I already did the same (Enabling UDP) and it worked in great way. Thank you for your all help.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17001428
so the UDP rule solved your problem with ssh?
Then you should check your sshd_config too, using reverse resolution is probably not what you want.
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Lock Down Lubuntu 27 257
Help with Security Onion/Snorby 14 104
CentOS 6.7 User Audit 3 96
SFTP restrict upload file only 2 36
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Fine Tune your automatic Updates for Ubuntu / Debian
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question