I have tried to implement iptables rules using two different bash scripts and both times after I cannot update or upgrade…it just freezes using apt-get update && apt-get upgrade and tried using apt -y update.
The rules are as follows:
#!/bin/bash
iptables -F iptables -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
I have also tried these rules: #!/bin/bash
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
Any suggestions welcome please. Just trying to secure it as much as possible
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
You will probably find it easier to use ufw. ufw is a firewall program that manages iptables.
Wayne Sallee Wayne@WayneSallee.com
Hey friend!
I highly recommend that you custom craft your firewall rules to the platform in question. Check interface names, review the order of execution in the scripts, etc. It is difficult to eyeball iptables mistakes, as it takes more effort to undo one than to make one. In some way, that script you are executing is blocking outbound traffic that is attempting to reach out to the repositories. In that way, you should consider the script to not be functional on the server as-is.
Jarland