Robert on 29 Nov 2016 06:20:39 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


On 11/28/2016 11:00 PM, Ed Ackerman wrote:
> # Generated by iptables-save v1.4.7 on Sun Nov 27 16:13:04 2016
> *filter
> :INPUT DROP [0:0]
> -A INPUT -s 11.222.333.444/32 -i eth0 -j ACCEPT
> -A INPUT -s -i eth0 -j ACCEPT
> -A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT <-- This one errors I think
> -A INPUT -p ipv6 -j ACCEPT
> -A INPUT -p gre -j ACCEPT
> -A INPUT -p esp -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -p udp -m udp --dport 68 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
> -A INPUT -p udp -m udp --dport 110 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
> -A INPUT -p udp -m udp --dport 123 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
> # Completed on Sun Nov 27 16:13:04 2016
> # Generated by webmin
> *mangle
> # Completed

The rule you list as causing the errors is USELESS in a STATELESS setup,
which is what you have configured.  You need a STATEFUL firewall for
this rule to have any meaning.  Without the NEW rules there is nothing
for this rule to do as NEW adds the connection to the tracking DB for
which this rule checks against.  Since you stated that you added it,
simply remove it and you should be back to normal.

Not sure what you are trying to accomplish with /-p ipv6, -p gre or -p
esp/ as I do not recognize what they are used for.  I'm going to assume
you are trying to allow IPv6 and IPTABLES has separate rules for IPv6 in

You might want to consider revamping your rules for modern times.  What
you have above is a STATELESS firewall where a STATEFUL firewall would
be a better choice.  You should also take advantage of IPTABLES module
setup.  I'm not sure what you use this system for but I would question
if you really need all those ports open.




Smile, it increases your face value.........

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --