IPtables configuration
First, I'm sorry for my English, it is not my first language.

I was wondering about iptables. I read a lot of articles and posts about it, and thought I understood it at least a bit.

I spent hours trying every combination of rules... And yet, I'm starting to think that only the ESTABLISHED rules allow me to go on the internet. When I delete those rules, nothing is allowed...

What did I do wrong?

Thanks in advance!



#!/bin/bash
#iptables-restore < /etc/iptables.test.rules

# Flush all rules and delete user-defined chains in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default policy: drop anything that no rule below explicitly accepts
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

## Drop XMAS and NULL scans.
iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Silently drop all broadcast packets.
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Drop all invalid packets (no conntrack entry and not a valid new connection)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Allow already-established connections and localhost
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

# Only allow processes owned by the tor user to establish connections
#iptables -A OUTPUT -m owner --uid-owner tor -j ACCEPT

#TOR
#iptables -A INPUT -p tcp -m tcp --dport 9050 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 9050 -j ACCEPT

# ICMP (Ping)
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP

# SSH
iptables -A INPUT -p tcp --dport 666 -j DROP
iptables -A OUTPUT -p tcp --dport 666 -j DROP

# DNS
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
#iptables -A INPUT -p tcp --dport 53 -j ACCEPT
#iptables -A INPUT -p udp --dport 53 -j ACCEPT

# HTTP
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT

#HTTPS
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
#iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# FTP
#iptables -A OUTPUT -p tcp --dport 20:21 -j DROP
#iptables -A INPUT -p tcp --dport 20:21 -j DROP

# Mail SMTP
#iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp --dport 587 -j DROP
#iptables -A OUTPUT -p tcp --dport 587 -j DROP

#Transmission
iptables -A INPUT -m state --state ESTABLISHED -p udp --dport 51413 -j ACCEPT
iptables -A OUTPUT -p udp --sport 51413 -j ACCEPT

# Mail POP3
#iptables -A INPUT -p tcp --dport 110 -j DROP
#iptables -A OUTPUT -p tcp --dport 110 -j DROP

# Mail IMAP
#iptables -A INPUT -p tcp --dport 143 -j DROP
#iptables -A OUTPUT -p tcp --dport 143 -j DROP

# NTP (server clock)
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

# Log incoming packets (LOG is non-terminating; the chain policy still applies afterwards).
iptables -A INPUT -j LOG

# Log outgoing packets.
iptables -A OUTPUT -j LOG

# Log forwarded packets.
iptables -A FORWARD -j LOG

exit 0
      security iptables firewall
      asked 3 mins ago
redraven
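The first-match, stateful behaviour the script above relies on, as an added example that is not part of the original post: a small Python model of iptables filter-chain evaluation with a minimal connection-tracking table. It loads the question's relevant rules (DROP policies, the two ESTABLISHED accepts, the per-port OUTPUT accepts, the non-terminating LOG rules) and sends an outbound HTTPS SYN and its reply through the chains, once with and once without the ESTABLISHED rules. The `Packet`, `Rule` and `Firewall` names, the addresses and the simplified conntrack logic are assumptions of this model, not netfilter internals.

```python
"""Toy model of iptables filter chains plus conntrack (constructed example).

Only the subset of semantics needed to reason about the question is modelled:
first matching terminating rule wins, LOG is non-terminating, the chain policy
applies when nothing matches, and a flow becomes ESTABLISHED once a packet of
it has been accepted in either direction.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    chain: str          # "INPUT" (arriving at this host) or "OUTPUT" (leaving it)
    proto: str          # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "eth0"


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str                    # ACCEPT, DROP or LOG
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    sport: Optional[int] = None    # --sport
    iface: Optional[str] = None    # -i / -o
    state: Optional[str] = None    # -m state --state NEW|ESTABLISHED|ESTABLISHED,RELATED


class Firewall:
    """First-match chain walk with a minimal conntrack table (assumed model)."""

    def __init__(self, policy):
        self.policy = dict(policy)  # chain -> default verdict (iptables -P)
        self.rules = []
        self.flows = set()          # 5-tuples of flows that have been accepted

    def append(self, rule):         # iptables -A
        self.rules.append(rule)

    def delete(self, pred):         # iptables -D for every rule matching pred
        self.rules = [r for r in self.rules if not pred(r)]

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _state(self, p):
        seen = self._key(p) in self.flows or self._reply_key(p) in self.flows
        return "ESTABLISHED" if seen else "NEW"

    @staticmethod
    def _matches(r, p, state):
        return (r.chain == p.chain
                and (r.proto is None or r.proto == p.proto)
                and (r.dport is None or r.dport == p.dport)
                and (r.sport is None or r.sport == p.sport)
                and (r.iface is None or r.iface == p.iface)
                and (r.state is None or state in r.state.split(",")))

    def verdict(self, p):
        """Return (verdict, reason); LOG matches are skipped as non-terminating."""
        state = self._state(p)
        for i, r in enumerate(self.rules):
            if not self._matches(r, p, state) or r.target == "LOG":
                continue
            if r.target == "ACCEPT":
                self.flows.add(self._key(p))   # conntrack now knows this flow
            return r.target, f"rule {i} matched in state {state}"
        return self.policy[p.chain], f"chain policy, state {state}"


def build_ruleset():
    """The question's INPUT/OUTPUT rules that matter for outbound traffic."""
    fw = Firewall({"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"})
    fw.append(Rule("INPUT", "ACCEPT", state="ESTABLISHED"))
    fw.append(Rule("OUTPUT", "ACCEPT", state="ESTABLISHED"))
    fw.append(Rule("INPUT", "ACCEPT", iface="lo"))
    for port in (9050, 53, 80, 443, 25):
        fw.append(Rule("OUTPUT", "ACCEPT", proto="tcp", dport=port))
    fw.append(Rule("OUTPUT", "ACCEPT", proto="udp", dport=53))
    fw.append(Rule("OUTPUT", "ACCEPT", proto="udp", dport=123))
    fw.append(Rule("INPUT", "LOG"))
    fw.append(Rule("OUTPUT", "LOG"))
    return fw


def https_round_trip(keep_established_rules=True):
    """Outbound HTTPS SYN and the server's reply; returns both verdicts."""
    fw = build_ruleset()
    if not keep_established_rules:
        fw.delete(lambda r: r.state == "ESTABLISHED")
    syn = Packet("OUTPUT", "tcp", "192.0.2.10", 40000, "198.51.100.5", 443)    # constructed
    reply = Packet("INPUT", "tcp", "198.51.100.5", 443, "192.0.2.10", 40000)   # constructed
    return fw.verdict(syn)[0], fw.verdict(reply)[0]


def unlisted_port():
    """A NEW outbound connection to a port with no ACCEPT rule hits the policy."""
    fw = build_ruleset()
    p = Packet("OUTPUT", "tcp", "192.0.2.10", 40001, "198.51.100.5", 8080)     # constructed
    return fw.verdict(p)[0]


if __name__ == "__main__":
    print("with ESTABLISHED rules:   ", https_round_trip(True))
    print("without ESTABLISHED rules:", https_round_trip(False))
    print("outbound to tcp/8080:     ", unlisted_port())
```

The model gives `("ACCEPT", "ACCEPT")` with the ESTABLISHED rules and `("ACCEPT", "DROP")` without them: the SYN is still accepted by the `--dport 443` rule, but the server's reply arrives in INPUT with source port 443, and nothing in that chain matches it except the state rule, so the DROP policy applies and the connection never completes. That is the behaviour the question describes, and it is how a stateful ruleset is meant to work: the per-port rules authorise the first packet of a flow, the state rule authorises the rest. In a real ruleset the match is normally `--state ESTABLISHED,RELATED` (or `-m conntrack --ctstate ESTABLISHED,RELATED`) so that ICMP errors and helper-tracked secondary connections such as FTP data channels are accepted too.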