Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed last month.
Improve this question
I have this bash script configuring iptables with rules allowing input and output on port 22 and i cant connect on ssh (ssh is configured on port 22 on the server).
I first flush rules, then set default policy to drop, then drop icmp request, then drop xmas and null scan, drop broadcast, allow open connection to receive packets, accept local loop, accept incoming traffic on specified ports, then allow outgoing traffic with specified rules...
#/bin/bash
set -ex
# Flush all existing rules, chains, and tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# create table
# Not necessary in iptables
# set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
# Drop all incoming ipv6 traffic
#iptables -A INPUT -p ipv6 -j DROP
# Drop all outgoing ipv6 traffic
#iptables -A OUTPUT -p ipv6 -j DROP
# Drop all forwarded ipv6 traffic
#iptables -A FORWARD -p ipv6 -j DROP
############### INPUT chain
## On drop les requêtes ICMP (votre machine ne répondra plus aux requêtes ping sur votre réseau local).
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
## On accepte le Multicast.
#iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
## On drop les scans XMAS et NULL.
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## Dropper silencieusement tous les paquets broadcastés.
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
## Permettre à une connexion ouverte de recevoir du trafic en entrée.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
## On accepte la boucle locale en entrée.
iptables -I INPUT -i lo -j ACCEPT
#Server rules
iptables -A INPUT -p tcp -m tcp --sport 22 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 80 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 8080 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 443 -i enp53s0 -j ACCEPT
# Drop invalid packets
iptables -A INPUT -m state --state INVALID -i enp53s0 -j DROP
## On log les paquets en entrée.
iptables -A INPUT -j LOG
############### OUTPUT chain
# Allow outgoing traffic on the loopback interface
iptables -A OUTPUT -o lo -j ACCEPT
## Permettre à une connexion ouverte de recevoir du trafic en sortie.
iptables -A OUTPUT -m conntrack ! --ctstate INVALID -j ACCEPT
# allow outgoing connection for dns requests, time synchro on enp53s0 interface
iptables -A OUTPUT -p udp -m udp --dport 53 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 123 -o enp53s0 -j ACCEPT
# allow connections on source and destination specific ports on enp53s0 interface
iptables -A OUTPUT -p tcp -m tcp --dport 53 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8080 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -o enp53s0 -j ACCEPT
# allow ping in output chain
iptables -A OUTPUT -p icmp --icmp-type echo-request -o enp53s0 -j ACCEPT
What am i missing?
Thank you
In the input chain, under #Server rules, you probably need to change --sport 22 to --dport 22. Similarly for the others.
I would like to deny any connection from my vps to other vps/ip/port via sshd.(443)
I tried using iptables and firewall rules, seems that still nothing worked.
iptables -A INPUT -s 1.1.1.1 -j DROP ;
iptables -A FORWARD -s 1.1.1.1 -j DROP ;
iptables -A OUTPUT -s 1.1.1.1 -j DROP ;
iptables -A INPUT -p tcp -s 1.1.1.1 --dport 443 -j REJECT --reject-with tcp-reset ;
iptables -A OUTPUT -p tcp -s 1.1.1.1 --dport 443 -j REJECT --reject-with tcp-reset ;
iptables -A FORWARD -p tcp -s 1.1.1.1 --dport 443 -j REJECT --reject-with tcp-reset ;
iptables -I INPUT -s 1.1.1.1 -p tcp --dport 443 -j REJECT ;
iptables -I OUTPUT -s 1.1.1.1 -p tcp --dport 443 -j REJECT ;
iptables -I FORWARD -s 1.1.1.1 -p tcp --dport 443 -j REJECT ;
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m tcp --source 1.1.1.1 -p tcp --dport 22 -j REJECT ;
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -m tcp --source 1.1.1.1 -p tcp --dport 22 -j REJECT ;
firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -m tcp --source 1.1.1.1 -p tcp --dport 22 -j REJECT ;
If you are on a distro that has UFW such as Ubuntu, blocking outbound connections can be easily done with the 3 commands below. What's more, this will survive reboot, unlike any iptables commands, which need iptables-save or other tool to re-apply the iptables settings after reboot.
You didn't mention other outbound connections. The commands below block all outbound connections (but not outbound traffic for a connection that it is initiated from the outside).
sudo ufw enable
sudo ufw default allow incoming # allow inbound connections
sudo ufw default deny outgoing
To temporarily allow outbound connections, e.g. to download software updates:
sudo ufw default allow outgoing
# run your update here
sudo ufw default deny outgoing
Without iptables rules I am able to mount my NFSSERVER:/PATH but with it(firewall/iptables) enabled I am not able to mount.
[.e.g., after iptables --flush/ firewaalld stop ; mount NFSSERVER:/Path works ]
I am not supposed to disable/clear the firewall/iptables but I am allowed to open a port. What is the rule that I need to add to open up the port/mount?
Current default policy is DROP all INCOMING/OUTGOING/FORWARD and there are couple of rules to allow wget from external 80 port etc.,
adding the NFS Server port didnt help.
iptables -A OUTPUT -p tcp --dport 2049 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 2049 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
Thanks.
PS: This is for nfs client not NFS server machine.
If all you need is NFS version 4 (which is already over 10 years old), you don't need to go to all of the effort described in #Sathish's answer. Just make sure TCP port 2049 is open the server's firewall, and that the client's firewall allows outbound traffic to port 2049 on the server.
CentOS 5 (also old) has a nice explanation of why NFSv4 is more firewall friendly than v3 and v2.
NFS SERVER:
Configure Ports for rquotd(875/udp; 875/tcp), lockd(32803/tcp; 32769/udp), mountd(892/udp; 892/tcp), statd(10053/udp; 10053/tcp), statd_outgoing(10054/udp; 10054/tcp)
vim /etc/sysconfig/nfs
If desired, disable NFS v3 and NFS v2 suport by editing lines 5 & 6 of /etc/sysconfig/nfs
MOUNTD_NFS_V2="no"
MOUNTD_NFS_V3="no"
Save current Iptables rules for later use. (if iptables-save is absent in your distribution, you may try iptables -S filename )
iptables-save > pre-nfs-firewall-rules-server
Flush and check Iptables rules
iptables -F
iptables -L
Stop and Start NFS and related Services in the following sequence
service rpcbind stop
service nfslock stop
service nfs stop
service rpcbind start
service nfslock start
service nfs start
Make sure the configured NFS and its associated ports shows as set before and notedown the port numbers and the OSI layer 4 protcols. The standard port numbers for rpcbind (or portmapper) are 111/udp, 111/tcp and nfs are 2049/udp, 2049/tcp.
rpcinfo -p | sort -k 3
Restore the pre-nfs-firewall-rules now
iptables-restore < pre-nfs-firewall-rules-server
Write iptables rules for NFS server (Note: Loopback adapter has to allowed, else you will see packets dropped and also when you restart nfs service, it will spit ERROR {Starting NFS quotas: Cannot register service: RPC: Timed out rpc.rquotad: unable to register (RQUOTAPROG, RQUOTAVERS, udp). [FAILED]} for rquotad daemon. You can check this by adding a rule with LOG jump target at the bottom of INPUT or OUTPUT chains of filter table)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -d 127.0.0.1 -j ACCEPT
iptables -I OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
iptables -L -n --line-numbers
Configure NFS exports directory
vim /etc/exports
exportfs -av
showmount -e
rpcinfo -p
Stop and Start NFS and related Services in the following sequence
service rpcbind stop
service nfslock stop
service nfs stop
service rpcbind start
service nfslock start
service nfs start
NFS CLIENT:
Save current Iptables rules for later use. (if iptables-save is absent in your distribution, you may try iptables -S filename )
iptables-save > pre-nfs-firewall-rules-client
Flush and check Iptables rules
iptables -F
iptables -L
Obtain the firewalled NFS Server ports from the client machine and notedown the port numbers and the OSI layer 4 protcols.
rpcinfo -p 'ip-addr-nfs-server' | sort -k 3
Restore the pre-nfs-firewall-rules now
iptables-restore < pre-nfs-firewall-rules-client
Write iptables rules for NFS client (Note: Loopback adapter has to allowed, else you will see packets dropped and also when you restart nfs service, it will spit ERROR {Starting NFS quotas: Cannot register service: RPC: Timed out rpc.rquotad: unable to register (RQUOTAPROG, RQUOTAVERS, udp). [FAILED]} for rquotad daemon. You can check this by adding a rule with LOG jump target at the bottom of INPUT or OUTPUT chains of filter table)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -d 127.0.0.1 -j ACCEPT
iptables -I OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
iptables -L -n --line-numbers
Stop and Start NFS and related Services in the following sequence
service rpcbind stop
service nfslock stop
service nfs stop
service rpcbind start
service nfslock start
service nfs start
List NFS Server exports
showmount -e 'ip-addr-nfs-server'
Mount NFS Exports manually (persistent mounts can be configured using /etc/fstab)
mount -t nfs ip-addr-nfs-server:/exported-directory /mount-point -o rw,nfsvers=3
mount -t nfs ip-addr-nfs-server:/exported-directory /mount-point -o rw --> For NFS4 version
Configure autofs, if automounting is preferred for nfs exports and with ldap user home directories (Direct and Indirect Maps can be set)
vim /etc/auto.master -> specify the mount point and map-name (Eg: auto.nfs)
vim /etc/map-name
service autofs stop
service autofs start
Check mounted NFS Exports
df -h -F nfs
mount | grep nfs
List all pseudo root NFS-V4 export directories (NFS Lazy mount)
ls /net/ip-addr-nfs-server
My centos server has an iptables rule.
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset
this code is doing the work like firewall but I don't want to block of my server ips.
my server ips:
"127.0.0.1", "my server ip1", "my server ip2", etc.
How do I get them out of this ip tables rule?
Thank you very much!
Just use :
# Loopback
iptables -I INPUT -s 127.0.0.1 -i lo -j ACCEPT
# Repeat for each SERVER_IP
iptables -I INPUT -s SERVER_IP -j ACCEPT
Note that this will open everything for SERVER_IPs. YMMV depending on want you want to allow.
For instance, if you just want to open HTTP port for those IPs :
# Loopback
iptables -I INPUT -s 127.0.0.1 -i lo -j ACCEPT
# Repeat for each SERVER_IP
iptables -I INPUT -s SERVER_IP -p tcp --dport 80 -j ACCEPT
I have a machine with 2 interfaces:
eth0 inet addr:1.1.1.1
eth1 inet addr:2.2.2.2
eth0 is a server, eth1 is the network on virtual machine.
I have ssh on server, so 1.1.1.1:22 is busy.
I need a rule for redirecting incoming connections on eth0 port 6000 to eth1, ip 2.2.2.100 on port 22 (virtual machine ip).
In this mode if I did, on an external machine,
ssh -p 6000 root#1.1.1.1
I would login on the virtual machine.
I tried this rule but it didn't work:
sudo iptables -P FORWARD ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6000 -j DNAT --to 2.2.2.100:22
Well there are like 1 million scripts/tutorials/things for this case, but if someone lands from google to here is something like this:
iptables -I FORWARD -d 2.2.2.2 -m comment --comment "Accept to forward ssh traffic" -m tcp -p tcp --dport 22 -j ACCEPT
iptables -I FORWARD -m comment --comment "Accept to forward ssh return traffic" -s 2.2.2.2 -m tcp -p tcp --sport 22 -j ACCEPT
iptables -t nat -I PREROUTING -m tcp -p tcp --dport 60000 -m comment --comment "redirect pkts to virtual machine" -j DNAT --to-destination 2.2.2.2:22
iptables -t nat -I POSTROUTING -m comment --comment "NAT the src ip" -d 2.2.2.2 -o eth1 -j MASQUERADE