# [Solved] Configuring iptables

## stunirvana21

I am trying to set up a firewall on my web/email server. I have come up with the following list of rules, but when I enable them, I lose the ability to use roundcube. I can't figure out which ports I need to open to allow for this.

My rules:

```
/sbin/iptables -F
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s x.a.com -j ACCEPT ##where x is the hostname and a is the domain
/sbin/iptables -A INPUT -i eth0 -s a.com -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 993 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 995 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 2222 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j DROP
```

I have 2222 open because I am running ssh on that port instead of 22. I am running postfix, dovecot, apache, ssh, and roundcube. Those are the only services I need to have ports open for.

EDIT: Updated rules

Last edited by stunirvana21 on Thu Aug 15, 2013 10:43 pm; edited 2 times in total

----------

## PaulBredbury

Your ruleset is incomplete, I suggest you google for an example ruleset.

E.g. you are missing:

```
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```

----------

## stunirvana21

*PaulBredbury wrote:*

> Your ruleset is incomplete, I suggest you google for an example ruleset.
>
> E.g. you are missing:
>
> ```
> ...
> ```

I added that one at one point, but it didn't appear to help so I removed it.

I was going to try to do logging and see what port(s) were being blocked when I accessed roundcube. However, I don't have that module in the kernel and I am running a paravirtual kernel on a VM server I don't have control of.

Also, see my updated rules in the first post.

----------

## stunirvana21

Actually, I think what PaulBredbury suggested fixed my issue. I swear I tried it before, but maybe I didn't have the rules for my host.domain and domain in then.
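The ruleset from the first post, with the RELATED,ESTABLISHED rule PaulBredbury pointed out placed before the per-port rules, written as an iptables-restore file so it loads atomically. This is an added example, not code posted in the thread; the interface name and port list are taken from the first post, and the check function simply verifies that a stateful ACCEPT precedes the final DROP, which is the omission the thread ended up being about.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the poster's policy in
# iptables-restore syntax and checks that the stateful rule is present.
IFACE="eth0"                                   # public interface, as in the post
TCP_PORTS="25 53 80 110 143 443 993 995 2222"  # ports opened in the first post

build_ruleset() {
    # Prints a complete filter table; load with: iptables-restore < file
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the server itself opened (Roundcube to IMAP,
    # DNS lookups, outbound SMTP) are accepted here, on any interface.
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    for p in $TCP_PORTS; do
        # Only new connections need a per-port rule once the stateful rule exists.
        printf '%s\n' "-A INPUT -i $IFACE -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -i $IFACE -j DROP"
    printf '%s\n' 'COMMIT'
}

check_ruleset() {
    # Reads a ruleset on stdin. Exit 0 only if an ACCEPT for
    # RELATED,ESTABLISHED appears in INPUT before the first DROP.
    awk '
        /^-A INPUT/ && /RELATED,ESTABLISHED/ && /-j ACCEPT/ { seen = 1 }
        /^-A INPUT/ && /-j DROP/ && !seen                   { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}
```

Run `build_ruleset | check_ruleset` before loading; a ruleset like the one in the first post before the EDIT (no RELATED,ESTABLISHED rule) fails the check.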

----------

