Robert on 29 Nov 2016 06:20:39 -0800 |
Re: [PLUG] IPTABLES CentOS 6.8 |
On 11/28/2016 11:00 PM, Ed Ackerman wrote:
> # Generated by iptables-save v1.4.7 on Sun Nov 27 16:13:04 2016
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -s 11.222.333.444/32 -i eth0 -j ACCEPT
> -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
> -A INPUT -s 127.0.0.1/32 -j ACCEPT
> -A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT   <-- This one errors I think
> -A INPUT -p ipv6 -j ACCEPT
> -A INPUT -p gre -j ACCEPT
> -A INPUT -p esp -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -p udp -m udp --dport 68 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
> -A INPUT -p udp -m udp --dport 110 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
> -A INPUT -p udp -m udp --dport 123 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
> COMMIT
> # Completed on Sun Nov 27 16:13:04 2016
> # Generated by webmin
> *mangle
> :FORWARD ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> # Completed

The rule you list as causing the errors is USELESS in a STATELESS setup, which is what you have configured. You need a STATEFUL firewall for this rule to have any meaning. Without the NEW rules there is nothing for this rule to do, as NEW adds the connection to the tracking DB which this rule checks against.
Since you stated that you added it, simply remove it and you should be back to normal.

Not sure what you are trying to accomplish with /-p ipv6, -p gre or -p esp/ as I do not recognize what they are used for. I'm going to assume you are trying to allow IPv6, and IPTABLES has separate rules for IPv6 in IP6TABLES.

You might want to consider revamping your rules for modern times. What you have above is a STATELESS firewall where a STATEFUL firewall would be a better choice. You should also take advantage of the IPTABLES module setup. I'm not sure what you use this system for, but I would question if you really need all those ports open.

-- 
Regards,
Robert

Smile, it increases your face value.........

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
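As an added example (not part of the thread), the following Python script audits an iptables-save dump along the lines Robert suggests: it reports which per-port ACCEPT rules in the INPUT chain carry no connection-state match, lists the ports they open, and shows how such a rule would be rewritten to admit only NEW connections. The embedded ruleset is a constructed subset of the one quoted above, with an extra stateful port 443 rule added for contrast.

```python
import re

# Constructed sample: part of the quoted INPUT chain, plus one stateful
# rule (port 443) that already matches only NEW connections.
SAMPLE_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Both the older 'state' and the newer 'conntrack' match spell states the same way.
STATE_RE = re.compile(r"--(?:state|ctstate)\s+(\S+)")
PORT_RE = re.compile(r"-p\s+(tcp|udp)\b.*?--dport\s+(\d+)")


def audit_input_chain(dump):
    """Return (has_established_accept, open_ports, stateless_port_rules)."""
    has_established = False
    open_ports = []   # every (proto, port) accepted in INPUT
    stateless = []    # those accepted without any --state/--ctstate NEW match
    for line in dump.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        m_state = STATE_RE.search(line)
        states = set(m_state.group(1).split(",")) if m_state else set()
        if "ESTABLISHED" in states:
            has_established = True
        m_port = PORT_RE.search(line)
        if m_port:
            entry = (m_port.group(1), int(m_port.group(2)))
            open_ports.append(entry)
            if "NEW" not in states:
                stateless.append(entry)
    return has_established, open_ports, stateless


def to_stateful(rule):
    """Rewrite a per-port ACCEPT that has no state match so it admits only NEW connections."""
    if STATE_RE.search(rule) or not PORT_RE.search(rule):
        return rule  # already stateful, or not a port rule: leave untouched
    return rule.replace("-j ACCEPT", "-m state --state NEW -j ACCEPT")


if __name__ == "__main__":
    established, ports, stateless = audit_input_chain(SAMPLE_RULES)
    print("ESTABLISHED,RELATED accept present:", established)
    print("open ports:", ports)
    for proto, port in stateless:
        print(f"stateless rule for {proto}/{port}; stateful form:",
              to_stateful(f"-A INPUT -p {proto} -m {proto} --dport {port} -j ACCEPT"))
```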