IPTABLES SCRIPTS NOT WORKING

August 29, 2018 827 views
Automated Setups Debian

I have tried to implement iptables rules using two different bash scripts, and both times afterwards I cannot update or upgrade; it just freezes using apt-get update && apt-get upgrade, and I have also tried using apt -y update.

The rules are as follows:

#!/bin/bash

iptables -F
iptables -X

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

I have also tried these rules:

#!/bin/bash

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

Any suggestions welcome, please. Just trying to secure it as much as possible.

4 Answers

Hey friend!

I highly recommend that you custom craft your firewall rules to the platform in question. Check interface names, review the order of execution in the scripts, etc. It is difficult to eyeball iptables mistakes, as it takes more effort to undo one than to make one. In some way, that script you are executing is blocking outbound traffic that is attempting to reach out to the repositories. In that way, you should consider the script to not be functional on the server as-is.

Jarland
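An added example of the two points in the answer above, the interface names and the order of execution; it is not code from the thread or from Jarland. The interface name eth0, SSH on port 22, and the assumption that the package mirrors are reached over DNS plus HTTP/HTTPS are placeholders to adjust for the server in question. Two things it does differently from the posted scripts: the OUTPUT chain is matched on the outgoing interface with -o (iptables rejects -i in OUTPUT, so that rule never loads), and the DROP policies are set only after the allow rules are in place, for ip6tables as well as iptables, so IPv6 traffic gets the same allow rules instead of a bare DROP policy with nothing permitted. Without the argument apply, the script only prints the rules it would load, so the set can be read through before it touches a live box.

```shell
#!/bin/sh
# Added example, not from the thread: an ordered iptables/ip6tables script that
# admits the traffic apt and SSH need before tightening the default policies.
# Assumed (hypothetical) values: public interface eth0, SSH on port 22.

WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-0}"

# run: with DRY_RUN=1 print the command instead of executing it, so the rule
# set can be reviewed on a machine without root or without iptables installed.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rules_for loads one address family's rule set; $1 is iptables or ip6tables.
rules_for() {
    ipt="$1"
    # Open the policies before flushing, so the flush itself cannot cut the SSH session.
    run "$ipt" -P INPUT ACCEPT
    run "$ipt" -P OUTPUT ACCEPT
    run "$ipt" -P FORWARD ACCEPT
    run "$ipt" -F
    run "$ipt" -X
    # Loopback, both directions.
    run "$ipt" -A INPUT -i lo -j ACCEPT
    run "$ipt" -A OUTPUT -o lo -j ACCEPT
    # Replies to connections we already track; drop packets conntrack cannot classify.
    run "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$ipt" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$ipt" -A INPUT -m conntrack --ctstate INVALID -j DROP
    # ICMPv6 carries neighbour discovery; blocking it breaks IPv6 entirely.
    if [ "$ipt" = ip6tables ]; then
        run "$ipt" -A INPUT -p ipv6-icmp -j ACCEPT
        run "$ipt" -A OUTPUT -p ipv6-icmp -j ACCEPT
    else
        run "$ipt" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
        run "$ipt" -A OUTPUT -p icmp -j ACCEPT
    fi
    # Inbound: new SSH connections on the public interface only.
    run "$ipt" -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Outbound: OUTPUT matches the outgoing interface with -o, never -i.
    # DNS and the HTTP/HTTPS the package mirrors are assumed to use.
    run "$ipt" -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    run "$ipt" -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -j ACCEPT
    run "$ipt" -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    # Default deny last, once every allow rule above is in place.
    run "$ipt" -P INPUT DROP
    run "$ipt" -P FORWARD DROP
    run "$ipt" -P OUTPUT DROP
}

# apply_firewall loads the same policy for IPv4 and IPv6.
apply_firewall() {
    rules_for iptables
    rules_for ip6tables
}

# dry_run_rules prints the full ordered rule set without applying anything.
dry_run_rules() {
    ( DRY_RUN=1; apply_firewall )
}

case "${1:-}" in
    apply)
        # Refuse to load rules for an interface that does not exist on this host.
        ip link show "$WAN_IF" >/dev/null 2>&1 || { echo "no interface $WAN_IF" >&2; exit 1; }
        apply_firewall
        ;;
    *)
        dry_run_rules
        ;;
esac
```

Run it with no arguments to read the rules it would load, then as root with apply to load them. Because the policies are opened and the chains flushed before the new rules go in, there is a short window with no filtering; iptables-restore loads a whole table atomically and avoids that window, at the cost of writing the rules in its file format instead of a script.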

You will probably find it easier to use ufw. ufw is a firewall program that manages iptables.

Wayne Sallee
Wayne@WayneSallee.com

