iptables not blocking ports
For some reason, iptables isn’t blocking ports on a droplet, when the exact same rules work fine on a VirtualBox VM. The output from
iptables -S is:
root@public:~# iptables -S -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -j DROP
This is modelled exactly on the tutorial at https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04, with a small change to the
conntrack line due to Ansible’s iptables module kind of doing that whether I liked it or not.
But that’s not a helpful explanation, since the behaviour of the exact same rule set on Debian 8 is so very different.
Any ideas why this doesn’t block on a droplet, i.e., even with these iptables in place, a telnet command to port 554 will connect.
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.