[ubuntu] iptables does not appear to be reading from the config file



rhcm123
April 24th, 2009, 02:13 AM
I've set up iptables on my server for obvious reasons, and now seem to be having some trouble with it. It appears not to be reading the file I give it to use! For instance, I set it to *specifically* disallow telnet, yet I can still telnet in. Here are my config files; see if you can spot what's wrong. Yes, I have been restarting my networking and I even rebooted the entire server once (there goes my 4-week uptime), but to no avail.

I have the following line in my /etc/network/interfaces file:

auto eth0
iface eth0 inet static
address 192.168.2.193
netmask 255.255.255.0
gateway 192.168.2.1
post-up iptables-restore < /etc/iptables.up.rules


and I have this set in /etc/iptables.up.rules
EDIT: ignore the line about UFW; if you start ufw it denies everything and kills your SSH connection. If you could tell me how to fix that, it would be wonderful.


#IPTABLES UP FILES
#FOR UTILIZATION WITH UFW
#WRITTEN BY USSR
#11 APRIL 2009

# Flush old stuff before starting
# nevermind, this is a bad idea
# -f

# Generated by iptables-save v1.4.0 on Thu Apr 9 18:12:36 2009
*nat
:PREROUTING ACCEPT [1:60]
:POSTROUTING ACCEPT [5:848]
:OUTPUT ACCEPT [5:848]
COMMIT
# Completed on Thu Apr 9 18:12:36 2009

# Generated by iptables-save v1.4.0 on Thu Apr 9 18:12:36 2009
*mangle
:PREROUTING ACCEPT [61:4610]
:INPUT ACCEPT [61:4610]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [62:10179]
:POSTROUTING ACCEPT [65:10691]
COMMIT
# Completed on Thu Apr 9 18:12:36 2009



# Main Filtering Rules
# This is kinda long
# Generated by iptables-save v1.4.0 on Thu Apr 9 18:12:36 2009
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# CONNECTION STATUS RULES
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Allow users to start new connections
-A INPUT -m state --state NEW -j ACCEPT
# Reject Broken Connections
-A INPUT -m state --state INVALID -j REJECT
# Reject Anonymous Connections
-A INPUT -m state --state UNTRACKED -j REJECT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# ICMP RULES Respond to pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# ACCEPT EXTERNAL IPP
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
# ACCEPT EXTERNAL SSH
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
# ACCEPT WEBMIN
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
# ACCEPT SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# ACCEPT POP3
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# ACCEPT IMAP
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# ACCEPT FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# ACCEPT HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# REJECT TELNET
-A INPUT -p tcp -m tcp --dport 23 -j REJECT
# REJECT EXTERNAL SSH
-A INPUT -p tcp -m tcp -s 192.168.2.1 --dport 22 -j REJECT
# ACCEPT SAMBA CONNECTIONS
-A INPUT -p tcp -m tcp -s 192.168.2.1 --dport 139 -j ACCEPT
COMMIT

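As an added example (not from the thread, and not a tool iptables itself provides), the following Python model replays the first-match semantics of the INPUT chain over the rules posted above: the first rule whose matchers all agree with a packet decides it, so a packet accepted early in the chain never reaches a later REJECT. The packet and the matcher subset (--state, -p, -s, --dport, --tcp-flags) are constructed for illustration.

```python
# INPUT rules copied from the posted /etc/iptables.up.rules, in file order
# (only the ones a new TCP connection can reach are included here)
RULES = """
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -m state --state NEW -j ACCEPT
-A INPUT -m state --state INVALID -j REJECT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j REJECT
-A INPUT -p tcp -m tcp -s 192.168.2.1 --dport 22 -j REJECT
""".strip().splitlines()

def parse(rule):
    """Pull the matchers and the -j target out of one '-A INPUT ...' line."""
    toks, r, i = rule.split(), {"line": rule}, 0
    while i < len(toks):
        if toks[i] in ("--state", "-p", "--dport", "-s", "-j"):
            r[toks[i]] = toks[i + 1]; i += 2
        elif toks[i] == "--tcp-flags":     # two arguments: mask, compare
            r["--tcp-flags"] = (toks[i + 1], toks[i + 2]); i += 3
        else:
            i += 1
    return r

def matches(r, pkt):
    """Every matcher present in the rule must agree with the packet."""
    if "--state" in r and pkt["state"] != r["--state"]: return False
    if "-p" in r and pkt["proto"] != r["-p"]: return False
    if "-s" in r and pkt["src"] != r["-s"]: return False
    if "--dport" in r:                     # single port or lo:hi range
        lo, _, hi = r["--dport"].partition(":")
        if not int(lo) <= pkt["dport"] <= int(hi or lo): return False
    if "--tcp-flags" in r:                 # (flags & mask) must equal compare set
        mask, comp = (set(x.split(",")) for x in r["--tcp-flags"])
        if pkt["flags"] & mask != comp: return False
    return True

def first_match(pkt, rules=RULES):
    """iptables semantics: walk the chain in order; first ACCEPT/REJECT wins."""
    for r in map(parse, rules):
        if matches(r, pkt):
            return r["-j"], r["line"]
    return "ACCEPT", "chain policy"

# Constructed packet: the SYN that opens a telnet session from a LAN host
telnet_syn = {"state": "NEW", "proto": "tcp", "dport": 23,
              "src": "192.168.2.50", "flags": {"SYN"}}
```

Calling first_match(telnet_syn) shows the SYN is accepted by the `--state NEW` rule before the port 23 REJECT is ever consulted; rerunning it with that rule filtered out of RULES shows the REJECT being reached.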
ugriffin
April 24th, 2009, 02:27 AM
iptables comes by default with Ubuntu. Did you install guarddog or any other firewall management program?

Edit: Are you running Ubuntu Server?

rhcm123
April 24th, 2009, 02:38 AM
iptables comes by default with Ubuntu. Did you install guarddog or any other firewall management program?

Edit: Are you running Ubuntu Server?

I am using (well, trying to use, as it's not really working) ufw as my iptables front-end. If you could help me with that, it would be wonderful.

Yes, Ubuntu Server 8.10.

rhcm123
April 30th, 2009, 11:33 PM
Bump. I haven't been particularly interested in this because I have another firewall in front of the server, but I want to stop a few ports on the server from accepting local connections.