Allow ssh inbound / outbound and block all outbound except specific ports

I am trying to create iptables rules that allow incoming and outgoing SSH connections, then allow outgoing connections to specific ports, and finally discard anything that doesn't match.

These are the rules that I came up with. The SSH rules work, but when I go into the box, I cannot access HTTP (port 80), although I allowed it. Can anyone spot a mistake?

    #!/bin/bash
    #clear iptables
    iptables -F
    iptables -X
    #set default policy to drop
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    #accept everything no matter port on localhost
    iptables -A INPUT -i lo -j ACCEPT
    #allow established connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #allow input on port 22, (established connections auto accepted)
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    #allow traffic going to specific outbound ports
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 6697 -j ACCEPT
    #...
    #drop anything that doesn't match the rules above
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP

Thank you for your time.

+6
2 answers

You might want to add DNS ports, otherwise you will not be able to resolve host names.

Allow OUTPUT for TCP and UDP port 53.

+7

You need to open port 80 for input and output with these rules:

    iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
0
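The following script is an added example, not code from the question or either answer. It puts the asker's ruleset together with the first answer's point: with the OUTPUT policy set to DROP and no rule for port 53, `curl http://host` fails at name resolution, not at port 80, so the allow list for outbound TCP needs DNS (UDP and TCP 53) next to it. It also adds the outbound loopback rule the original lacks (OUTPUT policy DROP blocks new connections to 127.0.0.1 just as it blocks the rest), uses the conntrack match instead of the older `-m state`, and logs what the final DROP rules discard so a blocked egress attempt is visible in the kernel log. Note that the second answer's pair of rules (`--dport 80` in INPUT, `--sport 80` in OUTPUT) is the shape used for a web server accepting inbound connections; the client case the question describes needs `--dport 80` in OUTPUT, which the asker already had. Assumptions, all mine: a single interface, IPv4 only (ip6tables needs its own policy), and the outbound port list copied from the question. Setting `IPT=echo` prints the rules instead of loading them, which is also how the script behaves when not run as root with `--apply`.

```shell
#!/bin/bash
# Added example: a corrected version of the asker's iptables ruleset.
# Assumptions (not from the page): one interface, IPv4 only, the outbound
# TCP port list below. Set IPT=echo to print the rules instead of loading them.
set -eu
IPT=${IPT:-iptables}

# Outbound TCP ports allowed for NEW connections (HTTP, HTTPS, IRC, IRC/TLS),
# taken from the question's script.
OUT_TCP_PORTS="80 443 6667 6697"

build_rules() {
    # Start from a clean slate.
    $IPT -F
    $IPT -X
    # Default-deny in every direction; the rules below punch explicit holes.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback in BOTH directions: with OUTPUT policy DROP, a missing "-o lo"
    # rule silently breaks local resolvers, proxies and databases.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections already accepted, in either direction, come first.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify (stray ACKs, malformed segments) are
    # dropped before they can match a NEW rule below.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Inbound SSH.
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # The missing piece in the question: outbound DNS. Without it, every
    # "curl http://host" fails at name resolution even though 80 is open.
    $IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # Outbound SSH (the question wants SSH in both directions).
    $IPT -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # The allow-listed outbound TCP services.
    for port in $OUT_TCP_PORTS; do
        $IPT -A OUTPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Log (rate-limited) and then drop everything else, so blocked traffic
    # shows up in the kernel log instead of failing silently.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
    $IPT -A INPUT -j DROP
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
    $IPT -A OUTPUT -j DROP
}

# Print the rules that would be loaded, without touching the kernel.
dry_run() {
    ( IPT=echo; build_rules )
}

# Return 0 when some rule in the dry run contains PATTERN (a grep pattern).
would_allow() {
    dry_run | grep -q -- "$1"
}

# Load for real only when asked to and running as root; otherwise dry-run.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    build_rules
else
    dry_run
fi
```

After loading with `sudo ./egress.sh --apply`, `iptables -nvL OUTPUT --line-numbers` shows the per-rule packet counters: a `curl http://example.com` that works increments the UDP 53 and TCP 80 NEW rules, and anything hitting the final `-j DROP` rule also appears in `dmesg` under the `IPT-OUT-DROP:` prefix, which is the quickest way to find the next port the allow list is missing.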

Source: https://habr.com/ru/post/957379/
