Question

IPTABLES SCRIPTS NOT WORKING

Posted August 29, 2018
Debian, Automated Setups

I have tried to implement iptables rules using two different bash scripts, and both times afterwards I cannot update or upgrade. It just freezes using apt-get update && apt-get upgrade; I also tried using apt -y update.

The rules are as follows:

#!/bin/bash

iptables -F
iptables -X

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

I have also tried these rules:

#!/bin/bash

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

Any suggestions welcome please. Just trying to secure it as much as possible.


2 answers

Hey friend!

I highly recommend that you custom craft your firewall rules to the platform in question. Check interface names, review the order of execution in the scripts, etc. It is difficult to eyeball iptables mistakes, as it takes more effort to undo one than to make one. In some way, that script you are executing is blocking outbound traffic that is attempting to reach out to the repositories. In that way, you should consider the script to not be functional on the server as-is.

Jarland
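The points in this answer (check interface names, review the order in which rules and policies are applied, make sure outbound traffic to the repositories is allowed) can be seen in one script. The following is an added example written for this page, not code from the question or from either answer. It assumes a single public interface named eth0, SSH on TCP 22, and that outbound traffic only needs DNS, HTTP/HTTPS and NTP; the variables WAN_IF, SSH_PORT, IPT and IP6T are the example's own and can be overridden from the environment. It applies the same ruleset with ip6tables as with iptables: the question's scripts leave ip6tables with OUTPUT DROP and no accept rules, so if a mirror also resolves to an IPv6 address apt can sit waiting on that connection until it times out, which looks like a freeze.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. A stateful
# host firewall for a single-interface Debian server, applied identically
# for IPv4 and IPv6. Assumptions (constructed, adjust to the host):
#   - the public interface is eth0 (check with: ip -br link)
#   - SSH listens on TCP 22
#   - outbound only needs DNS, HTTP/HTTPS (apt mirrors) and NTP
# Usage: ./fw.sh apply   (as root)   or   ./fw.sh show   (print rules only)

IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

# apply_family BIN FAMILY: load the ruleset with BIN (iptables, ip6tables,
# or "echo" to preview). FAMILY is 4 or 6 and only changes the ICMP rules.
apply_family() {
    bin="$1"
    family="$2"

    # Reset to an open table first. If a later rule has a typo the script
    # stops there with the host still reachable, instead of locked out.
    "$bin" -P INPUT ACCEPT
    "$bin" -P FORWARD ACCEPT
    "$bin" -P OUTPUT ACCEPT
    "$bin" -F
    "$bin" -X

    # Loopback and already-tracked traffic, in both directions, before
    # anything else so the rest of the list only sees new connections.
    "$bin" -A INPUT -i lo -j ACCEPT
    "$bin" -A OUTPUT -o lo -j ACCEPT
    "$bin" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$bin" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$bin" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # ICMP: IPv6 does not work without ICMPv6 (neighbour discovery, PMTU);
    # for IPv4 allow echo requests at a modest rate and all outbound ICMP.
    if [ "$family" = 6 ]; then
        "$bin" -A INPUT -p ipv6-icmp -j ACCEPT
        "$bin" -A OUTPUT -p ipv6-icmp -j ACCEPT
    else
        "$bin" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
        "$bin" -A OUTPUT -p icmp -j ACCEPT
    fi

    # Inbound: new SSH connections only.
    "$bin" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Outbound: match on -o (the output interface); -i is invalid in OUTPUT.
    "$bin" -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    "$bin" -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -j ACCEPT
    "$bin" -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -j ACCEPT
    "$bin" -A OUTPUT -o "$WAN_IF" -p tcp --dport 443 -j ACCEPT
    "$bin" -A OUTPUT -o "$WAN_IF" -p udp --dport 123 -j ACCEPT

    # Anything else we originate is rejected, not dropped: a blocked
    # connection then fails immediately instead of hanging until timeout,
    # which makes a missing outbound rule obvious in apt's error output.
    "$bin" -A OUTPUT -j REJECT

    # Default-deny policies go last, after the accept rules exist.
    "$bin" -P INPUT DROP
    "$bin" -P FORWARD DROP
    "$bin" -P OUTPUT DROP
}

case "${1:-}" in
    apply)
        apply_family "$IPT" 4
        apply_family "$IP6T" 6
        ;;
    show)
        echo "# IPv4"; apply_family echo 4
        echo "# IPv6"; apply_family echo 6
        ;;
esac
```

Run it with `show` first to read the exact rules that would be loaded, and on a remote host keep a second SSH session open while applying. The two things the question's scripts get wrong that this ordering avoids are setting DROP policies before any accept rule exists, and using `-i` in the OUTPUT chain, which iptables refuses, so every rule after that line is never loaded.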

You will probably find it easier to use ufw. ufw is a firewall program that manages iptables.

Wayne Sallee
Wayne@WayneSallee.com
