
Thread: Unable to ping outside network (Internet) with IPtables

  1. #1 (Join Date: Jul 2006; Beans: Hidden!)

    Unable to ping outside network (Internet) with IPtables

    I'm running a Ubuntu 11.04 server with IPtables. With the rules that I've set up, I'm unable to ping e.g. google.com. Pinging the Google IP address works though, as does pinging hostnames and IP addresses on my local network. Flushing IPtables rules rectifies this.

    Here's the IPtables filter list:
    Code:
    # Generated by iptables-save v1.3.3 on Thu Feb 15 16:40:09 2007
    *filter
    
    # HTTP
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 6543 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 6544 -j ACCEPT
    
    # UPnP
    -A INPUT -p udp -m udp --dport 1900 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2869 -j ACCEPT
    
    # NFS
    -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
    -A INPUT -p udp -m udp --dport 111 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
    -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 32765:32769 -j ACCEPT
    -A INPUT -p udp -m udp --dport 32765:32769 -j ACCEPT
    
    # Samba
    -A INPUT -p tcp -m multiport --dports 135,139,445 -j ACCEPT 
    -A INPUT -p udp -m multiport --dports 135,137,138,139,445 -j ACCEPT 
    -A INPUT -p udp --sport 137 -s 192.168.1.0/24 -j ACCEPT
    
    # BitTorrent
    -A INPUT -p tcp -m tcp --dport 8112 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 58846 -j ACCEPT
    -A INPUT -p udp -m udp --dport 58846 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 49160:49300 -j ACCEPT
    -A INPUT -p udp -m udp --dport 49160:49300 -j ACCEPT
    
    # VNC
    -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
    -A INPUT -p udp -m udp --dport 5900 -j ACCEPT
    
    # Rsync
    -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
    -A INPUT -p udp -m udp --dport 873 -j ACCEPT
    
    # Ping
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT 
    
    # The rest..
    -A INPUT -j DROP 
    -A OUTPUT -j ACCEPT 
    COMMIT

    I reckon there's a missing rule somewhere. Any suggestions? Thanks for all your help.

  2. #2 (Join Date: Feb 2011; Location: Coquitlam, B.C. Canada; Beans: 1,445; Distro: Ubuntu 12.04 Precise Pangolin)

    Re: Unable to ping outside network (Internet) with IPtables

    I do not see a path through your iptables for the answer to DNS inquiries. When you ping google.com by name, your server will ask your host DNS for the translation to IP address. That inquiry will be done on your host DNS port 53.

    Your generic OUTPUT ACCEPT rule will allow the inquiry to go out, but there is no path for the answer. My suggestion is to add a line to allow input packets that are on related and established connections. Something like this:
    Code:
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
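
To see why the catch-all DROP swallows the DNS answer while the echo reply from a bare IP still gets through, here is an added example (mine, not from the thread) that replays a few of the posted rules against two constructed packets; the tiny matcher only understands -p, --dport and --state, and the packets' ports and conntrack state are assumed values.

```python
import shlex
# Constructed excerpt of the poster's INPUT chain (not the complete dump above).
ORIGINAL = """
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32765:32769 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
"""
# The reply's fix: a conntrack accept rule placed ahead of the catch-all DROP.
FIXED = ORIGINAL.replace("-A INPUT -j DROP", "-A INPUT -m state --state "
                         "ESTABLISHED,RELATED -j ACCEPT\n-A INPUT -j DROP")

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of match criteria plus target."""
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-m"):            # chain name / match module: no criteria
            i += 2
        elif t in ("-p", "-j", "--dport"):
            rule[t] = toks[i + 1]; i += 2
        elif t == "--state":
            rule[t] = toks[i + 1].split(","); i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return rule

def port_match(spec, port):
    """Match a single port '80' or a range '32765:32769'; None never matches."""
    lo, _, hi = spec.partition(":")
    return port is not None and int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    """True if every criterion present in the rule matches the packet."""
    checks = {"-p": lambda v: v == pkt["proto"],
              "--dport": lambda v: port_match(v, pkt["dport"]),
              "--state": lambda v: pkt["state"] in v}
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def verdict(ruleset, pkt, chain="INPUT", policy="ACCEPT"):
    """Walk the chain in order; the first matching rule's target wins, else the policy."""
    for line in ruleset.splitlines():
        rule = parse_rule(line) if line.startswith(f"-A {chain} ") else None
        if rule and rule_matches(rule, pkt):
            return rule["-j"]
    return policy

# Constructed packets: the resolver's DNS answer, and the echo reply when pinging an IP.
DNS_REPLY = dict(proto="udp", dport=40123, state="ESTABLISHED")
ECHO_REPLY = dict(proto="icmp", dport=None, state="ESTABLISHED")
```

With the original rules the DNS answer reaches the final DROP, while the ICMP echo reply is accepted by the `-p icmp` rule; with the conntrack rule in place the DNS answer is accepted as well.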

  3. #3 (Join Date: Jul 2006; Beans: Hidden!)

    Re: Unable to ping outside network (Internet) with IPtables

    Quote Originally Posted by Doug S
    I do not see a path through your iptables for the answer to DNS inquiries. When you ping google.com by name, your server will ask your host DNS for the translation to IP address. That inquiry will be done on your host DNS port 53.

    Your generic OUTPUT ACCEPT rule will allow the inquiry to go out, but there is no path for the answer. My suggestion is to add a line to allow input packets that are on related and established connections. Something like this:
    Code:
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    Thanks! This did the trick.
