# iptables breaks internet

## ShadyMilkman

Well, I have my system running great and iptables compiled into my kernel, and I can add rules and stuff fine, but the problem is that as soon as I add a rule, to say, INPUT, my internet effectively shuts down. It acts as if my cable modem just got unplugged from the wall. If I remove the rule from iptables the internet then works again. Maybe it has to do with the way I'm writing the rule? Anyway, here's an example of something I'll do:

```
iptables -A INPUT -p tcp -s ! 127.0.0.1 --dport 3000 -j DROP
```

I do this because I run ntop, which runs a mini-webserver on port 3000 that you connect to to view its stats, but I don't want just anybody looking. It doesn't just happen with this command, though; I've tried it with the source only being a certain IP address for dport 22 (SSH from work) and it does the exact same thing. The policies are all ACCEPT for INPUT and OUTPUT, so what am I doing wrong?

----------

## Aruspex

Is your default policy set to Deny? Type 'iptables -L' to check.

If this is the case, you would either need to set it to accept or create rules that allow traffic through.

[edit] I am sorry. That was one of the more stupid things I have done :Embarassed: I should have read your whole post...

Try going to Google and searching for a sample firewall script. This will at least let you know if you are building the rules properly.

----------

## rizzo

Perhaps posting your entire iptables script would be more helpful to the forum crowd.

----------

## ShadyMilkman

That command was not a script..... I simply typed it in as root. I'll try a script when I get home.

----------

## Nitro

It isn't the command. I think you have a problem with your kernel and netfilter. Could you supply us with the output of:

```
grep "IP_NF" /usr/src/linux/.config
```

Also, I doubt this is the problem, but could you also give us the output of 

```
iptables -L -v -n
```

----------

## ShadyMilkman

```
milkvan root# grep "IP_NF" /usr/src/linux/.config
# CONFIG_IP_NF_CONNTRACK is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
CONFIG_IP_NF_MATCH_MAC=y
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
# CONFIG_IP_NF_MATCH_LENGTH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STEALTH=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_IP_NF_ARPTABLES=y
# CONFIG_IP_NF_ARPFILTER is not set
```

and for iptables:

```
milkvan root# iptables -L -v -n
```

(I couldn't get the output on here, but it listed the three chains INPUT, OUTPUT and FORWARD, said they were all ACCEPT, and listed how much data had gone across each. No further information was shown.)

----------

## Nitro

You have one weird problem. :Sad: Have you tried recompiling your kernel? Maybe something is broken.

If you want to play with your kernel, my server has the following, and it does work:

```
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
# CONFIG_IP_NF_MATCH_STEALTH is not set
CONFIG_IP_NF_MATCH_STATE=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
# CONFIG_IP_NF_ARPTABLES is not set
```
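Comparing the two kernel configurations above by eye is error-prone, so here is an added example (not from this thread) of doing it with a script: a small Python checker that parses `.config` text and reports, for a given iptables command line, which `CONFIG_IP_NF_*` options the command depends on but the kernel does not have. The feature-to-option table is the example's own and covers only the 2.4-era options seen in the thread; the sample input is the option list ShadyMilkman posted, pasted in as a string. Run on that input, it shows the posted rule needs only `CONFIG_IP_NF_IPTABLES` and `CONFIG_IP_NF_FILTER`, both set, while a stateful rule of the kind found in the sample firewall scripts people are pointing to would fail for lack of `CONFIG_IP_NF_CONNTRACK` and `CONFIG_IP_NF_MATCH_STATE`.

```python
import re

# CONFIG_IP_NF_* options (2.4-era netfilter) each iptables feature needs.
# This table is the example's own; features not listed here are not checked.
FEATURE_OPTIONS = {
    "filter table": ["CONFIG_IP_NF_IPTABLES", "CONFIG_IP_NF_FILTER"],
    "-t nat":       ["CONFIG_IP_NF_IPTABLES", "CONFIG_IP_NF_CONNTRACK", "CONFIG_IP_NF_NAT"],
    "-t mangle":    ["CONFIG_IP_NF_IPTABLES", "CONFIG_IP_NF_MANGLE"],
    "-m state":     ["CONFIG_IP_NF_CONNTRACK", "CONFIG_IP_NF_MATCH_STATE"],
    "-m limit":     ["CONFIG_IP_NF_MATCH_LIMIT"],
    "-m multiport": ["CONFIG_IP_NF_MATCH_MULTIPORT"],
    "-m mac":       ["CONFIG_IP_NF_MATCH_MAC"],
    "-j LOG":       ["CONFIG_IP_NF_TARGET_LOG"],
    "-j REJECT":    ["CONFIG_IP_NF_TARGET_REJECT"],
}

_SET = re.compile(r"^(CONFIG_\w+)=([ym])$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Map option name -> 'y', 'm', or None ("is not set") from .config text."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = None
    return opts


def rule_features(rule):
    """Feature keys (table, -m matches, -j targets) an iptables command uses."""
    argv = rule.split()
    table = argv[argv.index("-t") + 1] if "-t" in argv else "filter"
    feats = {"filter table" if table == "filter" else "-t " + table}
    for flag, value in zip(argv, argv[1:]):
        if flag in ("-m", "-j"):
            feats.add(flag + " " + value)
    return sorted(f for f in feats if f in FEATURE_OPTIONS)


def missing_options(config, rule):
    """(feature, option) pairs the rule needs but the kernel config lacks."""
    return [(feat, opt)
            for feat in rule_features(rule)
            for opt in FEATURE_OPTIONS[feat]
            if not config.get(opt)]  # None ("is not set") or absent entirely


# Sample input: the grep output posted earlier in the thread.
OP_CONFIG = """
# CONFIG_IP_NF_CONNTRACK is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
CONFIG_IP_NF_MATCH_MAC=y
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STEALTH=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_TARGET_LOG is not set
CONFIG_IP_NF_ARPTABLES=y
"""

OP_RULE = "iptables -A INPUT -p tcp -s ! 127.0.0.1 --dport 3000 -j DROP"
STATEFUL_RULE = "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

if __name__ == "__main__":
    cfg = parse_kconfig(OP_CONFIG)
    for rule in (OP_RULE, STATEFUL_RULE):
        print(rule)
        missing = missing_options(cfg, rule)
        for feat, opt in missing:
            print("    %-14s needs %s" % (feat, opt))
        if not missing:
            print("    all required options present")
```

The check only tells you whether the kernel can load a rule at all; a rule that loads and then behaves unexpectedly, as in this thread, is outside what a config comparison can explain.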

----------

## dcloues

Try replacing the line with

```
# current iptables wants the negation before the option; older versions also accept -i ! lo
iptables -A INPUT -p tcp --dport 3000 ! -i lo -j DROP
```

That should have the intended effect; it will drop any TCP packets to port 3000 that aren't coming in on the loopback interface. But I have no clue why iptables is going crazy on rules that drop packets from specific addresses - that's bizarre.
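Since each attempt in this thread costs a dead connection until the rule is removed, here is an added example (not from the thread) of how a practitioner tests a rule like this without losing the box: save the live ruleset, apply the loopback-only rules, and let a background timer restore the saved ruleset unless the change is confirmed. It assumes `iptables`, `iptables-save` and `iptables-restore` on PATH and root privileges; `PORT`, `ROLLBACK_SECS`, `BACKUP`, `PIDFILE` and the `DRY_RUN` switch are the example's own. It uses an explicit ACCEPT on `lo` followed by a plain DROP on the port, which is equivalent to the single negated rule above and avoids the negation syntax altogether.

```shell
#!/bin/sh
# Added example (not from the thread): limit a local service's port to the
# loopback interface and apply the change with an automatic rollback, so a
# rule that cuts connectivity undoes itself. Assumes iptables, iptables-save
# and iptables-restore on PATH and root privileges. PORT, ROLLBACK_SECS,
# BACKUP and PIDFILE are this example's own settings.
PORT=${PORT:-3000}
ROLLBACK_SECS=${ROLLBACK_SECS:-60}
IPT=${IPT:-iptables}
BACKUP=${BACKUP:-/tmp/iptables.before}
PIDFILE=${PIDFILE:-/tmp/iptables.rollback.pid}

# Print a command instead of running it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Insert at the top of INPUT: accept everything on lo, then drop the port
# from every other interface. Because lo is accepted first, the DROP needs
# no negated match (it is equivalent to a single '! -i lo' rule).
local_only_rules() {
    run "$IPT" -I INPUT 1 -i lo -j ACCEPT
    run "$IPT" -I INPUT 2 -p tcp --dport "$PORT" -j DROP
}

# Save the live ruleset, apply the rules, and start a timer that restores
# the saved ruleset unless 'confirm' kills it first.
apply_with_rollback() {
    "${IPT}-save" > "$BACKUP" || return 1
    local_only_rules || return 1
    ( sleep "$ROLLBACK_SECS" && "${IPT}-restore" < "$BACKUP" ) &
    echo $! > "$PIDFILE"
    echo "applied; run '$0 confirm' within ${ROLLBACK_SECS}s to keep the rules"
}

# Cancel the pending rollback once you have verified you can still get in.
confirm() {
    [ -f "$PIDFILE" ] || { echo "no rollback pending"; return 1; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE" && echo "rules kept"
}

# Show the INPUT chain with counters and positions to check the rules
# landed where expected.
show() {
    "$IPT" -L INPUT -v -n --line-numbers
}

case "${1:-}" in
    apply)   apply_with_rollback ;;
    confirm) confirm ;;
    show)    show ;;
    dry)     DRY_RUN=1 local_only_rules ;;
esac
```

Usage: `sh local-only.sh dry` prints the two rules, `sh local-only.sh apply` installs them with the timer running, and after checking from another host that SSH still works, `sh local-only.sh confirm` keeps them; if the connection dies instead, the backup comes back on its own when the timer expires.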

----------

