
Thread: Will using iptables secure Ubuntu?

  1. #21
    Join Date
    Apr 2020
    Beans
    53

    Re: Will using iptables secure Ubuntu?

    Quote Originally Posted by The Cog View Post
    Looks OK to me. But the "-A INPUT -j DROP" is redundant because your policy for undecided packets is to drop them anyway. It doesn't do any harm though, except that it makes it harder to add another ACCEPT clause on the fly.
    Hi @The Cog, thanks for the input. I'm new to all this, so could you elaborate more on '...makes it harder to add another ACCEPT clause on the fly'? I mean, I could still add new rules to it later, right? What would you suggest, to delete the rule, etc.? But isn't that there 'to catch and drop anything not on the rules'?

    thank you,

  2. #22
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Will using iptables secure Ubuntu?

    Quote Originally Posted by aboka View Post
    @TheFu thanks for explaining that. Will try out the iptables and then decide if wanna try ConfigServer. It is great looking at all the things it could do, but it is just little overwhelming, especially now. Could you let me know if the rules below are ok? Thank you very much
    I don't feel qualified to say whether those rules are or are not sufficient. It must be 15 years since I did anything directly with iptables that wasn't part of a recipe. Sorry. Most of the time, I use ufw. When that isn't sufficient, I pull out a book, read just enough to solve the issue, and move on. My router doesn't run Linux.

    Good luck. Hope you solve it.

  3. #23
    Join Date
    Apr 2020
    Beans
    53

    Re: Will using iptables secure Ubuntu?

    @TheFu it is ok and thanks for all the help and info

  4. #24
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Will using iptables secure Ubuntu?

    Quote Originally Posted by aboka View Post
    so could you elaborate more on '...makes it harder to add another ACCEPT clause on the fly'?
    If you were to run a command like
    Code:
    /sbin/iptables -A INPUT ...
    after those other rules are in place, that command will fail because the "-A INPUT -j DROP" command will precede it. Without that directive, any additional ACCEPT statements will simply be treated as exceptions to the overall INPUT policy.

    You can get around this limitation in some cases by using "-I INPUT" to put the added rule at the top of the chain. That might not be the correct place for it though.

    As for forwarding, first off, Ubuntu, like most modern distributions, blocks the forwarding of packets between interfaces. Without a change to the file /etc/sysctl.conf, the default forwarding policy is thus DENY. If you enable packet forwarding in sysctl.conf, then you would need FORWARD rules to control which packets can be passed between interfaces.

    I usually set the default OUTPUT policy to ACCEPT unless there's some specific reason not to. Those cases are rare.
    Last edited by SeijiSensei; June 4th, 2020 at 05:09 PM.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.
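
The ordering issue discussed in post #24, as an added example that is not part of the original post: iptables walks a chain top to bottom and stops at the first match, so a rule placed after a catch-all DROP is never reached. The rule dump, the function names and the extra port 8443 are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, modelled on the rules discussed
# in this thread (not a dump from a real host).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# List rules that follow an unconditional "-A <chain> -j DROP" in the same
# chain. Rules are evaluated top to bottom, so these can never match.
unreachable_rules() {
    awk '
        /^\*/ { table = $1 }
        $1 == "-A" {
            key = table SUBSEP $2
            if (dropped[key]) print
            else if (NF == 4 && $3 == "-j" && $4 == "DROP") dropped[key] = 1
        }'
}

# Add a rule to the filter table of a dump read from stdin.
#   $1 = append       -> end of the table, as "iptables -A" would place it
#        before-drop  -> just ahead of the chain's catch-all DROP
#   $2 = chain, $3 = rule text in iptables-save syntax
add_rule() {
    awk -v mode="$1" -v chain="$2" -v rule="$3" '
        /^\*/ { table = $1 }
        table == "*filter" && !done {
            catchall = ($1 == "-A" && $2 == chain && NF == 4 && $3 == "-j" && $4 == "DROP")
            if ((mode == "before-drop" && catchall) || $1 == "COMMIT") { print rule; done = 1 }
        }
        { print }'
}

# Hypothetical extra service on TCP 8443 (port chosen for illustration).
NEW_RULE='-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT'
echo "unreachable after append:"
printf '%s\n' "$SAMPLE_RULES" | add_rule append INPUT "$NEW_RULE" | unreachable_rules
echo "unreachable after before-drop:"
printf '%s\n' "$SAMPLE_RULES" | add_rule before-drop INPUT "$NEW_RULE" | unreachable_rules
```

On a live table, `iptables -L INPUT --line-numbers` shows where the DROP sits and `iptables -I INPUT <n> ...` places a rule ahead of it. An edited rules file can be checked with `iptables-restore --test` before it is loaded.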


  5. #25
    Join Date
    Apr 2020
    Beans
    53

    Re: Will using iptables secure Ubuntu?

    Thanks for all the info guys, will apply the rules listed earlier, tomorrow, and update you people

  6. #26
    Join Date
    Jun 2020
    Beans
    5

    Re: Will using iptables secure Ubuntu?

    You can also consider installing Webmin; it has a nice panel to manage the firewall.
    http://www.webmin.com/deb.html

  7. #27
    Join Date
    May 2010
    Beans
    3,247

    Re: Will using iptables secure Ubuntu?

    Ubuntu listens on a lot of ports. It's why the "lo" interface is needed and is how services talk to each other. Spin up a VM with just the live CD and use netstat. Lots of things listening on lots of ports. It's used a lot.

  8. #28
    Join Date
    Apr 2020
    Beans
    53

    Re: Will using iptables secure Ubuntu?

    Hi guys, not good: I just applied the rules and I can't connect to the VPN now; the VPN client can't connect to the VPN server. But I could connect to the server using ssh. Here are the rules I have applied:
    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A INPUT -p icmp -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
    sudo iptables -A INPUT -p udp --dport 1194 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 5555 -j ACCEPT
    sudo iptables -A INPUT -j DROP
    sudo iptables -P INPUT DROP
    sudo iptables -P FORWARD DROP

    iptables-save > /etc/iptables/rules.v4 #saving the iptables then reboot the server

    Here is the rules.v4 file:
    root@SG-UBUNTU-1:~# nano /etc/iptables/rules.v4
    GNU nano 4.8 /etc/iptables/rules.v4
    # Generated by iptables-save v1.8.4 on Sun Jun 7 00:56:49 2020
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [142:22839]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 5555 -j ACCEPT
    -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
    -A INPUT -j DROP
    -A OUTPUT -o lo -j ACCEPT
    COMMIT
    # Completed on Sun Jun 7 00:56:49 2020
    # Generated by iptables-save v1.8.4 on Sun Jun 7 00:56:49 2020
    *nat
    :PREROUTING ACCEPT [281:26125]
    :INPUT ACCEPT [45:2700]
    :OUTPUT ACCEPT [90:6340]
    :POSTROUTING ACCEPT [90:6340]
    -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source 103.125.217.43
    COMMIT
    # Completed on Sun Jun 7 00:56:49 2020


    What have I done wrong? Please help...

    P.S. When I use OpenVPN to connect, it prompts to log in again and again, and if I use the SoftEther client, it can connect but does not get an IP from the VPN server. So it seems like I could connect to the server, but the issue might be forward or output? I'm not sure as I'm not experienced; this is just what I have observed.
    Last edited by aboka; June 6th, 2020 at 06:11 PM.

  9. #29
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,702

    Re: Will using iptables secure Ubuntu?

    That NAT stuff looks suspect to me. Try without that.

  10. #30
    Join Date
    Apr 2020
    Beans
    53

    Re: Will using iptables secure Ubuntu?

    Quote Originally Posted by The Cog View Post
    That NAT stuff looks suspect to me. Try without that.
    Hi, are you saying to remove this line: -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source 103.125.217.43

    It was added in the VPN setup guide. Thank you.
