Hi All, I'm using UFW for a long period, but I want to learn how to do it all in iptables itself. Below I have accepted all ports with UFW:

Code:
sudo ufw allow in 25/tcp
sudo ufw allow in 53/tcp
sudo ufw allow in 80/tcp
sudo ufw allow in 143/tcp
sudo ufw allow in 443/tcp
sudo ufw allow in 465/tcp
sudo ufw allow in 587/tcp
sudo ufw allow in 993/tcp
sudo ufw allow in 7045/tcp
sudo ufw allow in 8080/tcp
sudo ufw allow in 8081/tcp

I read a lot of articles, but not everything is working when I change this to iptables rules itself. Most of the things are working, but emails and DNS lookups do not work, for example. Below are all the lines I added to test and see if everything will work. I am still stuck on the email (send/receive) and DNS part not working. I know the ordering of the rules is important, and I think this is the correct ordering. Do I miss something to let everything work on a clean ISPConfig (automated) installation? I also think all the iptables -A OUTPUT lines are not needed because I have OUTPUT ACCEPT in the 3rd line? (As I say, I read a lot of articles, so maybe some parts are not needed at all.)

Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 587 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3000 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 7045 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 7045 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8081 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -N LOGINPUT
iptables -A INPUT -j LOGINPUT
iptables -A LOGINPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables input Dropped: " --log-level 7
iptables -A LOGINPUT -j DROP
iptables -N LOGOUTPUT
iptables -A OUTPUT -j LOGOUTPUT
iptables -A LOGOUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables output Dropped: " --log-level 7
iptables -A LOGOUTPUT -j DROP
Quote:
Code:
iptables -P OUTPUT ACCEPT

I also think all iptables -A OUTPUT are not needed because I have OUTPUT ACCEPT in the 3rd line?

no. that -P is to set the default policy for that chain if no other rules are already matched. you could (most likely will) have specific block rules you'll want to match against before this.. you could have different chains.. you can have different ip block sets, with different rules applied to them.. with prerouting, postrouting, mangle, forward, and different tables such as NAT... iptables can get very complicated, very quickly. it can be a whole different level of crazy.. ufw is a frontend to iptables.. and a damn sight simpler to use.. if you configure your rules in ufw, they're still set in iptables / netfilter.. you'll see all those rules you created using ufw if you run

Code:
iptables -L -n -v

and don't forget, if you get everything configured using iptables directly, you'll need to do it all again in ip6tables, and install and run iptables-persistent if you want to save the rules you've configured and use them after your next reboot. also, you say some things aren't working when you configure using iptables, eg, you show 53/tcp for dns.. but what about udp? DNS uses TCP for zone transfers and UDP for name queries, either regular (primary) or reverse.
Thanks for the reply and all the information. It's for my own VPS server, website and email, so no difficult things. I have added rules for DNS over UDP:

Code:
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

And do you mean with iptables -P OUTPUT ACCEPT that, because of -P, I need to add all the OUTPUT rules? Otherwise, when there are no rules, there is nothing to accept?
no, i mean -P sets the default policy for when no rules are matched.. if you're not going to try to block anything then that may be all you need. but you'd need to go through everything thoroughly.. are you applying any pre-routing / post-routing to any output.. exactly what order are things being applied in.. it's very easy to end up actually allowing something that you thought was being blocked. also.. for dns in, set the dport, not the source port.. i.e., specify the port your service is listening on.. you won't know what source port is going to be used.. and for dns out, set the sport.
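As an added example (not code posted by anyone in this thread), here is a small POSIX shell script that builds the kind of ruleset the replies above describe: default policies set once with -P, a single conntrack rule for established traffic placed before the per-service rules (instead of one ESTABLISHED rule per port), inbound services matched on --dport, DNS allowed on both TCP and UDP, the whole thing repeated for ip6tables, and a check that the ordering is what you intended. The port lists, the LOGINPUT chain name and the DRY_RUN switch are assumptions of this example; by default it only prints the commands, and it applies them only when run as root with the argument apply.

```shell
#!/bin/sh
# Added example, not from this thread: generate a stateful iptables/ip6tables
# ruleset for a single web/mail host. DRY_RUN=1 (default) prints the commands;
# "sh fw.sh apply" runs them. Port lists are assumptions taken from the thread.

TCP_PORTS="${TCP_PORTS:-25 53 80 143 443 465 587 993 7045 8080 8081}"
UDP_PORTS="${UDP_PORTS:-53}"   # UDP 53 only matters if this host serves DNS itself
DRY_RUN="${DRY_RUN:-1}"

# Print the command instead of executing it unless DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = 0 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Emit the complete ruleset for one address family: $1 is iptables or ip6tables.
gen_ruleset() {
    tool="$1"
    tcp_csv=$(printf '%s' "$TCP_PORTS" | tr ' ' ',')
    udp_csv=$(printf '%s' "$UDP_PORTS" | tr ' ' ',')

    run "$tool" -F
    run "$tool" -X
    # Default policies, set once with -P: anything not matched below is dropped,
    # except outbound traffic, which is allowed, so no per-port OUTPUT rules are needed.
    run "$tool" -P INPUT DROP
    run "$tool" -P FORWARD DROP
    run "$tool" -P OUTPUT ACCEPT

    run "$tool" -A INPUT -i lo -j ACCEPT
    # Drop what conntrack cannot classify, then accept replies to connections this
    # host already has (this also covers echo replies to our own pings and DNS
    # answers to our own queries). This single rule replaces every per-port
    # ESTABLISHED rule and must sit before the per-service rules, which match NEW only.
    run "$tool" -A INPUT -m conntrack --ctstate INVALID -j DROP
    run "$tool" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Inbound services are matched on --dport, the port the daemon listens on; the
    # client's source port is unpredictable. DNS is covered on TCP and UDP.
    run "$tool" -A INPUT -p tcp -m multiport --dports "$tcp_csv" -m conntrack --ctstate NEW -j ACCEPT
    if [ -n "$udp_csv" ]; then
        run "$tool" -A INPUT -p udp -m multiport --dports "$udp_csv" -j ACCEPT
    fi

    if [ "$tool" = ip6tables ]; then
        # IPv6 relies on ICMPv6 for neighbour discovery; filtering it breaks connectivity.
        run "$tool" -A INPUT -p icmpv6 -j ACCEPT
    else
        run "$tool" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    fi

    # Log (rate-limited) and drop whatever is left.
    run "$tool" -N LOGINPUT
    run "$tool" -A INPUT -j LOGINPUT
    run "$tool" -A LOGINPUT -m limit --limit 2/min -j LOG --log-prefix "$tool input dropped: " --log-level 7
    run "$tool" -A LOGINPUT -j DROP
}

# Read a generated rule list on stdin; succeed only if the RELATED,ESTABLISHED
# accept precedes every NEW-connection rule and the log/drop jump is the last
# INPUT rule. Catches the ordering mistakes the thread warns about.
check_order() {
    awk '
        / -A INPUT / { n++ }
        / -A INPUT .*--ctstate RELATED,ESTABLISHED/ { est = n }
        / -A INPUT .*--ctstate NEW/ && est == 0 { bad = 1 }
        / -A INPUT -j LOGINPUT/ { last = n }
        END { exit (bad || est == 0 || last != n) ? 1 : 0 }
    '
}

main() {
    for fam in iptables ip6tables; do
        gen_ruleset "$fam"
    done
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
    main
    # To keep the rules across reboots with iptables-persistent, save them afterwards:
    #   iptables-save > /etc/iptables/rules.v4 ; ip6tables-save > /etc/iptables/rules.v6
else
    rules=$(main)
    printf '%s\n' "$rules"
    printf '%s\n' "$rules" | check_order && echo "# ordering check: ok" || echo "# ordering check: FAILED"
fi
```

Run it without arguments first and read the printed commands; check_order is deliberately strict so that moving the LOGINPUT jump above a service rule, or dropping the conntrack rule, is reported before anything is loaded into the kernel.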
Ehmm, sounds very complicated... and that's just for 2 websites and email (personal use). It's fun to learn a lot, but I didn't know it was this difficult... Thanks, let me think about whether I proceed with my plans.
Now I checked more articles and have these rules. Everything seems to work:

Code:
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -I OUTPUT -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 25,465,587,993,7045,8080,8081 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 25,80,443,465,587,993,7045,8080,8081 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -N LOGINPUT
iptables -A INPUT -j LOGINPUT
iptables -A LOGINPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables input Dropped: " --log-level 7
iptables -A LOGINPUT -j DROP
iptables -N LOGOUTPUT
iptables -A OUTPUT -j LOGOUTPUT
iptables -A LOGOUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables output Dropped: " --log-level 7
iptables -A LOGOUTPUT -j DROP

Code:
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https limit: avg 25/min burst 100
4    ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,submissions,submission,imaps,7045,http-alt,tproxy
5    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
6    ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
7    LOGINPUT   all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,http,https,submissions,submission,imaps,7045,http-alt,tproxy
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
5    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
6    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
7    ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
8    LOGOUTPUT  all  --  anywhere             anywhere

Chain LOGINPUT (1 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables input Dropped: "
2    DROP       all  --  anywhere             anywhere

Chain LOGOUTPUT (1 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables output Dropped: "
2    DROP       all  --  anywhere             anywhere