Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Resize droplet, CPU & RAM only Question Question
Let's Encrypt subdomain configuration best way Question Question

Question

IPTABLES SCRIPTS NOT WORKING

Posted August 29, 2018 1.7k views
DebianAutomated Setups

I have tried to implement iptables rules using two different bash scripts and both times after I cannot update or upgrade…it just freezes using apt-get update && apt-get upgrade and tried using apt -y update.

The rules are as follows:

!/bin/bash

iptables -F
iptables -X

ip6tables -P INPUT DROP

ip6tables -P FORWARD DROP

ip6tables -P OUTPUT DROP

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

iptables -A INPUT -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -m conntrack –ctstate ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -i eth0 -j ACCEPT

iptables -A OUTPUT -i eth0 -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

iptables -A INPUT -m conntrack –ctstate INVALID -j DROP

iptables -A INPUT -p tcp –dport 22 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

I have also tried these rules:

!/bin/bash

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp –dport 22 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -o eth0 -p udp -m udp –dport 53 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -m tcp –dport 80 -m state –state NEW -j ACCEPT

ip6tables -P INPUT DROP

ip6tables -P FORWARD DROP

ip6tables -P OUTPUT DROP

Any suggestions welcome please. Just trying to secure it as much as possible

Add a comment
c3686792
By:
c3686792

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Resize droplet, CPU & RAM only Question Question
Let's Encrypt subdomain configuration best way Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
2 answers
jarland August 29, 2018

Hey friend!

I highly recommend that you custom craft your firewall rules to the platform in question. Check interface names, review the order of execution in the scripts, etc. It is difficult to eyeball iptables mistakes, as it takes more effort to undo one than to make one. In some way, that script you are executing is blocking outbound traffic that is attempting to reach out to the repositories. In that way, you should consider the script to not be functional on the server as-is.

Jarland

Reply Report
WayneSallee August 29, 2018

You will probably find it easier to use ufw. ufw is a firewall program that manages iptables.

Wayne Sallee
Wayne@WayneSallee.com

Reply Report

Related

Looking for something else?

Ask a new question Search for more help