Question

IPTABLES SCRIPTS NOT WORKING

I have tried to implement iptables rules using two different bash scripts, and both times afterwards I cannot update or upgrade… it just freezes using apt-get update && apt-get upgrade, and I also tried using apt -y update.

The rules are as follows:

#!/bin/bash
iptables -F
iptables -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

I have also tried these rules:

#!/bin/bash
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

Any suggestions welcome, please. I am just trying to secure it as much as possible.

You will probably find it easier to use ufw. ufw is a firewall program that manages iptables.

Wayne Sallee Wayne@WayneSallee.com

Hey friend!

I highly recommend that you custom craft your firewall rules to the platform in question. Check interface names, review the order of execution in the scripts, etc. It is difficult to eyeball iptables mistakes, as it takes more effort to undo one than to make one. In some way, that script you are executing is blocking outbound traffic that is attempting to reach out to the repositories. In that way, you should consider the script to not be functional on the server as-is.

Jarland
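As an added example (not code from the question or from either answer), here is a default-deny ruleset in the spirit of Jarland's advice: allow rules go in before any DROP policy, IPv6 gets the same treatment as IPv4 instead of a bare OUTPUT DROP, apt's egress (DNS, HTTP and HTTPS) is allowed explicitly, and remaining drops are logged so a hung update can be explained from syslog. It assumes the public interface is eth0 and SSH listens on port 22 (both overridable via IFACE and SSH_PORT), and it only prints the rules unless invoked with --apply.

```bash
#!/bin/bash
# Added example, not code from the question or the answers. Assumptions: the
# public interface is eth0 (check `ip link`) and SSH listens on 22; both can be
# overridden through the IFACE and SSH_PORT environment variables.
set -eu
IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

# Execute a firewall command, or just print it when DRY_RUN=1.
fw() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Load one policy into an address family (iptables or ip6tables). The posted
# scripts give ip6tables an OUTPUT DROP policy with no allow rules, so a mirror
# that resolves to an IPv6 address first leaves apt waiting on a SYN that never
# leaves the box; here both families get the same rules.
apply_rules() {
  local ipt="$1"
  fw "$ipt" -F
  fw "$ipt" -X
  # Allow rules go in before the DROP policies so an SSH session survives.
  fw "$ipt" -A INPUT -i lo -j ACCEPT
  fw "$ipt" -A OUTPUT -o lo -j ACCEPT
  fw "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  fw "$ipt" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  fw "$ipt" -A INPUT -m conntrack --ctstate INVALID -j DROP
  fw "$ipt" -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
  if [ "$ipt" = "ip6tables" ]; then
    # IPv6 is unusable without ICMPv6 (neighbour discovery, PMTU discovery).
    fw "$ipt" -A INPUT -p icmpv6 -j ACCEPT
    fw "$ipt" -A OUTPUT -p icmpv6 -j ACCEPT
  fi
  # Egress apt needs: DNS plus HTTP and HTTPS (the second script allowed only 80).
  fw "$ipt" -A OUTPUT -o "$IFACE" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
  fw "$ipt" -A OUTPUT -o "$IFACE" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
  fw "$ipt" -A OUTPUT -o "$IFACE" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
  # Log whatever still hits the policy, so a hung apt run can be read off syslog.
  fw "$ipt" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
  fw "$ipt" -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
  # Policies last; note -i is only valid on INPUT/FORWARD and -o on OUTPUT.
  fw "$ipt" -P INPUT DROP
  fw "$ipt" -P FORWARD DROP
  fw "$ipt" -P OUTPUT DROP
}
# Only --apply touches the live tables; anything else prints the rule set.
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; else DRY_RUN=1; fi
apply_rules iptables
apply_rules ip6tables
```

Run it without --apply first and read the printed rules over your SSH session; if an update still hangs afterwards, the FW-OUT-DROP lines in syslog show which destination and port the policy is catching.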