# Really simple iptables questions

## Dr_Stein

I have a server that needs to have about 3 ports open: 21, 22, and 80.

I found an iptables script that I think will do the trick.

```
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --dport 25 -j ACCEPT
iptables -A INPUT  -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --policy INPUT   DROP
iptables --policy OUTPUT  DROP
iptables --policy FORWARD DROP
```

The machine does not need to do any NAT/PAT/routing/etc. All it needs to do is allow traffic IN on ports 21, 22, 80, and dump the rest into the bitbucket.

The question is this - where does the above script go? I have nothing in /var/lib/iptables, and when I start it I get this:

```
tritip iptables # /etc/init.d/iptables start
 * Caching service dependencies ...                                                              [ ok ]
 * Not starting iptables.  First create some rules then run:
 * /etc/init.d/iptables save
tritip iptables #
```

Ok, great. WHERE do I create rules and save them? Just put a file in /var/lib/iptables? I've read the howto and the iptables howto too... this isn't the first time I've used iptables, but the last time it was a *really* homebrewed configuration on some old Red Hat box. I'm sort of confused about some of this stuff and can't risk locking myself out of the box by accident, either.

Anyone got a moment to give me a few pointers?

----------

## geeojr

You are on the right track...

 *Quote:*   

> iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
> 
> iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
> 
> iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
> ...


By "create your rules", it means issue the commands as you've described here. I usually save my iptables setup in a script so I can alter and adjust as necessary.

Once you've got your rules loaded into your system, then you'll need to save them:

```
# /etc/init.d/iptables save
```

Once they've been saved, then you can start iptables and add it to your boot runlevel... 

```
# /etc/init.d/iptables start
# rc-update add iptables boot
```

If you make any changes at runtime, you can opt to save at that time OR rely on it to save at shutdown.

*Last edited by geeojr on Mon Oct 17, 2005 2:50 am; edited 1 time in total*

----------

## Dr_Stein

Uh oh...

```
tritip ~ # iptables -A INPUT  -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name
tritip ~ #
```

I didn't get much farther...

----------

## geeojr

 *Dr_Stein wrote:*   

> iptables: No chain/target/match by that name
> 
> I didn't get much farther..


This usually suggests that you may not have enabled all of these features in your kernel.

----------

## Dr_Stein

I'm currently using gentoo-sources 2.4 but am now downloading and installing sys-kernel/gentoo-sources-2.6.12-r10.

I will build the new kernel and then update this thread. I have seen many threads with a similar issue but not too many solutions.

----------

## Dr_Stein

Well, the 2.6 kernel allowed me to actually put some rules in. w00t!

Here's what I have so far:

```
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --dport 25 -j ACCEPT
iptables -A INPUT  -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --policy INPUT   DROP
iptables --policy OUTPUT  DROP
iptables --policy FORWARD DROP
```

---

Can someone explain what the last 3 lines are for? My basic needs for this are to allow FTP, SSH, and HTTP and allow SMTP *out* from the local machine. Nothing more. (Eventually I'll need to allow DNS zone transfers from 1 particular IP, but I want to get the basics working first)

Thanks!

----------

## magic919

They change the overall rule for non-matching packets to 'drop' for input, output and forwarded packets.  Anything not specifically permitted by one of the rules higher up the chain gets dropped.

----------

## nephros

--policy sets the _default_ rule for that chain. It gets applied when none of the other rules match.

Note that if you have all those rules in a script, you should add a rule for flushing everything before the rest of the script is run. Otherwise the rules get _added_ to all existing rules that might be in effect at the time the script is run.

To flush all rules, I do the following:

```
/bin/echo -en "flushing tables "
for c in $(cat /proc/net/ip_tables_names 2>/dev/null); do
  /bin/echo -en "$c "
  iptables -t $c -F
done
```

Simply doing "iptables -F" is NOT enough, because that way only the filter table gets flushed (iptables defaults to -t filter), leaving the other two (nat and mangle) as they are.

You could move the --state ESTABLISHED... rules to the top of the script.

The reasoning is that packets belonging to an established connection should match and get accepted first so the kernel doesn't have to go through all the other rules.

Doesn't make much difference in the small script you are using but it's good practice should your script ever get a bit more complicated.

Hope that helps more than it confuses.

----------

## Dr_Stein

Thanks for the tips & explanation.

I did run into something else, though. I can't ping/nslookup/ssh *out* from the box. Heh.

Here's iptables -L:

```
tritip ~ # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpts:netbios-ns:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:426
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     all  --  localhost            anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
tritip ~ #
```

I thought that the "iptables -A INPUT -s 127.0.0.1 -j ACCEPT" line would work. Nope.

----------

## nephros

INPUT only refers to packets actually coming from outside of the box.

Locally generated packets will only go into the OUTPUT chain. As you are not allowing connections _to_ port 22 in the OUTPUT chain, you can't ssh out.

The same goes for ICMP (ping) packets. For those to work you have to at least allow icmp type "echo-request" (ping) packets _out_, and icmp type "echo-reply" (pong) _into_ the box, so the replies from the pinged network don't get dropped when they return your ping.

It is generally a good idea to allow other kinds of ICMP packets (like for example destination-unreachable and fragmentation-needed) also, to help keep your connections healthy.

Perhaps see the iptables section of the Gentoo Security Handbook on this, or the Gentoo Wiki iptables HOWTO.
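Pulling nephros's two replies together, here is an added example (not code from the thread, from Gentoo, or from any poster) that builds the whole ruleset for this box: flush every table, the ESTABLISHED,RELATED rule ahead of everything else, loopback, the inbound 21/22/80 and outbound 25 rules, plus outbound SSH/DNS and the ICMP types just mentioned. It assumes the eth0 interface from the thread; the IPT variable and the emit_rules/apply_rules names are my own, and setting IPT=echo prints the commands instead of loading them so the set can be reviewed before it touches a remote box.

```shell
#!/bin/sh
# Added example, not code from the thread: the ruleset the poster describes
# (FTP 21, SSH 22, HTTP 80 in; SMTP 25 out) with the replies folded in: flush
# every table (not just 'filter'), state rule before the per-port rules, allow
# loopback, let ICMP echo/error messages through, open outbound SSH and DNS.
IPT=${IPT:-iptables}      # set IPT=echo to preview without touching the kernel
IFACE=${IFACE:-eth0}      # interface name taken from the thread
# Print one iptables argument list per line, in the order it must be applied.
emit_rules() {
    tables=$(cat /proc/net/ip_tables_names 2>/dev/null)
    [ -n "$tables" ] || tables="filter nat mangle"   # fallback if /proc is unreadable
    for t in $tables; do
        echo "-t $t -F"   # flush rules in every loaded table
        echo "-t $t -X"   # and remove any user-defined chains
    done
    # Loopback: local daemons (resolver, MTA) talk to 127.0.0.1 via OUTPUT/INPUT on lo.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    # Connection tracking first, so established flows skip the rest of the chain.
    echo "-A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -o $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Services offered to the network (passive FTP data connections are matched
    # as RELATED once the ip_conntrack_ftp helper module is loaded).
    for p in 21 22 80; do
        echo "-A INPUT -p tcp -i $IFACE --dport $p -j ACCEPT"
    done
    # Connections the box itself initiates: SMTP out, SSH out, DNS lookups.
    for p in 25 22 53; do
        echo "-A OUTPUT -p tcp -o $IFACE --dport $p -j ACCEPT"
    done
    echo "-A OUTPUT -p udp -o $IFACE --dport 53 -j ACCEPT"
    # ICMP: our pings out, their replies in, plus destination-unreachable
    # (which carries fragmentation-needed) so path-MTU discovery keeps working.
    echo "-A OUTPUT -p icmp -o $IFACE --icmp-type echo-request -j ACCEPT"
    echo "-A INPUT -p icmp -i $IFACE --icmp-type echo-reply -j ACCEPT"
    echo "-A INPUT -p icmp -i $IFACE --icmp-type destination-unreachable -j ACCEPT"
    # Policies last: the SSH session loading this already matches the state rule.
    echo "--policy INPUT DROP"
    echo "--policy OUTPUT DROP"
    echo "--policy FORWARD DROP"
}
# Apply each line; stop at the first failure so a half-loaded set is obvious.
apply_rules() {
    while IFS= read -r args; do
        $IPT $args || { echo "failed: $IPT $args" >&2; return 1; }
    done <<EOF
$(emit_rules)
EOF
}
[ "${1:-}" = "--apply" ] && apply_rules
```

Saved as, say, rules.sh, `sh rules.sh --apply` loads it as root and `IPT=echo sh rules.sh --apply` only prints what would run; `iptables -L -n -v` afterwards shows the counters per rule.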

----------

## magic919

I'd consider just opening OUTPUT chain to policy ACCEPT if you have good control over the server.  Makes life simpler.

----------

