I have the following iptables basically borrowed from
http://www.sns.ias.edu/~jns/security/iptables/rules.html
but I need to open up access to a web site running with Tomcat and Apache.
I tried to modify it (in bold) below to open up access to my web site but I am locked out.
Thanks for any help.
Larry Nobs
##
#!/bin/bash
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
IFACE="eth0"
IPADDR="192.168.0.10"
NAMESERVER_1="151.164.14.201"
NAMESERVER_2="151.164.1.8"
BROADCAST="192.168.0.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
/bin/echo "0" > ${interface}
done
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i $IFACE -s $IPADDR -j DROP
iptables -A INPUT -i $IFACE -s $CLASS_A -j DROP
iptables -A INPUT -i $IFACE -s $CLASS_B -j DROP
iptables -A INPUT -i $IFACE -s $CLASS_C -j DROP
iptables -A INPUT -i $IFACE -s $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -i $IFACE -s $CLASS_E_RESERVED_NET -j DROP
iptables -A INPUT -i $IFACE -d $LOOPBACK -j DROP
iptables -A INPUT -i $IFACE -d $BROADCAST -j DROP
iptables -N icmp-in
iptables -N icmp-out
iptables -A INPUT -i $IFACE -p icmp -j icmp-in
iptables -A OUTPUT -o $IFACE -p icmp -j icmp-out
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 0 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 3 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 4 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 11 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 12 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 14 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 16 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 18 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 4 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 8 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 12 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 13 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 15 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 17 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-in -i $IFACE -j LOG --log-prefix "IPTABLES ICMP-BAD-TYPE-IN:"
iptables -A icmp-in -i $IFACE -j DROP
iptables -A icmp-out -o $IFACE -j LOG --log-prefix "IPTABLES ICMP-BAD-TYPE-OUT:"
iptables -A icmp-out -o $IFACE -j DROP
iptables -A INPUT -i $IFACE -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i $IFACE -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $IFACE -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IFACE -p udp --sport 80 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp --dport 80 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --sport 8080 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i $IFACE -p udp --sport 8080 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp --dport 8080 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -o $IFACE -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UPD-IN:"
iptables -A INPUT -i $IFACE -p udp -j DROP
iptables -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UPD-OUT:"
iptables -A OUTPUT -o $IFACE -p udp -j DROP
iptables -A INPUT -i $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN:"
iptables -A INPUT -i $IFACE -p icmp -j DROP
iptables -A OUTPUT -o $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT:"
iptables -A OUTPUT -o $IFACE -p icmp -j DROP
iptables -A INPUT -i $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN:"
iptables -A INPUT -i $IFACE -p tcp -j DROP
iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT:"
iptables -A OUTPUT -o $IFACE -p tcp -j DROP
iptables -A INPUT -i $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN:"
iptables -A INPUT -i $IFACE -j DROP
iptables -A OUTPUT -o $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT:"
iptables -A OUTPUT -o $IFACE -j DROP
- Re: SendMail GUI Rodolfo J. Paiz
- Re: SendMail GUI Edward Croft
- Re: SendMail GUI Ed Wilts
- Kickstart Marcel . Stegehuis
- Re: SendMail GUI Rodolfo J. Paiz
- Re: SendMail GUI Rodolfo J. Paiz
- RE: SendMail GUI Rodolfo J. Paiz
- bad argument modprobe when run from sc... lrnobs
- Re: bad argument modprobe when ru... Edward Dekkers
- Re: bad argument modprobe whe... lrnobs
- Re: Iptables denies access to... lrnobs
- Re: Iptables denies access to... Jack Bowling
- Re: Iptables denies access to... lrnobs
- Re: Iptables denies access to... Jack Bowling
- Re: Iptables denies access to... lrnobs
- Re: Iptables denies access to... Jack Bowling
- Re: Iptables denies access to... lrnobs
- Re: bad argument modprobe when ru... Benjamin J. Weiss
- RE: SendMail GUI Donald Tyler
- Re: SendMail GUI John Nichel
- Re: SendMail GUI Eric Wood
