Fedora 17, iptables and ip6tables not allowing connections to running services

David Mehler dave.mehler at gmail.com
Mon Feb 18 06:31:27 UTC 2013


Hello,

I've got a Linode VPS. It is running a new installation of Fedora 17.
I'm a new Fedora 17 user, but have used other RPM distros in the past,
though the switch to systemctl threw me for a loop.

I'm having an issue with both iptables and ip6tables not allowing
incoming connections to running services. I have httpd running on this
machine; ssh-ing into the box itself, I can telnet localhost 80 over both
IPv4 and IPv6 and it will connect. External telnetting hangs as if I
have no running service. An nmap scan from an external host does not
show port 80 at all: not open, not filtered, not there whatsoever. A
netstat on the box as well as a ps on the box both confirm that the
httpd daemon is started and listening. If I turn off iptables and then
do the nmap scan, port 80 shows up as being open, and telnetting also
works. This is also true when turning off ip6tables.

I have pasted below my /etc/sysconfig/iptables and
/etc/sysconfig/ip6tables as well as the two scripts I used to make
them. These scripts and the firewall did work previously on a RHEL
box. I'd appreciate any suggestions; I want a firewall working on this
box.

Thanks.
Dave.

# Generated by iptables-save v1.4.14 on Sun Feb 17 14:37:29 2013
*security
:INPUT ACCEPT [310022:318693688]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [164768:7899587]
COMMIT
# Completed on Sun Feb 17 14:37:29 2013
# Generated by iptables-save v1.4.14 on Sun Feb 17 14:37:29 2013
*raw
:PREROUTING ACCEPT [310149:318700172]
:OUTPUT ACCEPT [164768:7899587]
COMMIT
# Completed on Sun Feb 17 14:37:29 2013
# Generated by iptables-save v1.4.14 on Sun Feb 17 14:37:29 2013
*nat
:PREROUTING ACCEPT [132:6736]
:INPUT ACCEPT [8:380]
:OUTPUT ACCEPT [75:6221]
:POSTROUTING ACCEPT [75:6221]
COMMIT
# Completed on Sun Feb 17 14:37:29 2013
# Generated by iptables-save v1.4.14 on Sun Feb 17 14:37:29 2013
*mangle
:PREROUTING ACCEPT [310149:318700172]
:INPUT ACCEPT [310149:318700172]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [164768:7899587]
:POSTROUTING ACCEPT [164768:7899587]
COMMIT
# Completed on Sun Feb 17 14:37:29 2013
# Generated by iptables-save v1.4.14 on Sun Feb 17 14:37:29 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 25 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 587 -j ACCEPT
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT
COMMIT
# Completed on Sun Feb 17 14:37:29 2013

# Generated by ip6tables-save v1.4.14 on Sun Feb 17 22:08:15 2013
*nat
:PREROUTING ACCEPT [21:1680]
:INPUT ACCEPT [21:1680]
:OUTPUT ACCEPT [2:160]
:POSTROUTING ACCEPT [2:160]
COMMIT
# Completed on Sun Feb 17 22:08:15 2013
# Generated by ip6tables-save v1.4.14 on Sun Feb 17 22:08:15 2013
*security
:INPUT ACCEPT [440:43192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [93:6508]
COMMIT
# Completed on Sun Feb 17 22:08:15 2013
# Generated by ip6tables-save v1.4.14 on Sun Feb 17 22:08:15 2013
*raw
:PREROUTING ACCEPT [440:43192]
:OUTPUT ACCEPT [93:6508]
COMMIT
# Completed on Sun Feb 17 22:08:15 2013
# Generated by ip6tables-save v1.4.14 on Sun Feb 17 22:08:15 2013
*mangle
:PREROUTING ACCEPT [440:43192]
:INPUT ACCEPT [440:43192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [93:6508]
:POSTROUTING ACCEPT [93:6508]
COMMIT
# Completed on Sun Feb 17 22:08:15 2013
# Generated by ip6tables-save v1.4.14 on Sun Feb 17 22:08:15 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A OUTPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 25 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 587 -j ACCEPT
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT
COMMIT
# Completed on Sun Feb 17 22:08:15 2013

#!/bin/bash
#

# Flush existing rules and delete old user chains first. Without this,
# "-N" fails if the chains already exist and every rule below is appended
# behind whatever is already in the table (e.g. a distribution default
# ruleset that ends in a blanket REJECT), so it never gets reached:
iptables -F
iptables -X

# First set up the UDP and TCP chains:
iptables -N TCP
iptables -N UDP

# Since we're not a nat box or router set the FORWARD chain to DROP:
iptables -P FORWARD DROP

# Set the OUTPUT chain to ACCEPT:
iptables -P OUTPUT ACCEPT

# Set the INPUT chain to DROP:
iptables -P INPUT DROP

# Set a rule for established connections or returning icmp messages:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Let everything through on loopback:
iptables -A INPUT -i lo -j ACCEPT

# Stop out of sequence or invalid packets:
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Accept ping:
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# Append the open chain and accept or reject packets:
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

# Reject connections with port unreachable or tcp rst:
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst

# Reject anything else with icmp unreachable:
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Now open ports for services:
iptables -A TCP -p tcp --dport 22 -j ACCEPT
iptables -A TCP -p tcp --dport 25 -j ACCEPT
iptables -A TCP -p tcp --dport 80 -j ACCEPT
iptables -A TCP -p tcp --dport 443 -j ACCEPT
iptables -A TCP -p tcp --dport 587 -j ACCEPT
iptables -A TCP -p tcp --dport 993 -j ACCEPT

#
# Save settings
#
/usr/libexec/iptables.init save
#
# List rules
#
 iptables -L -v

#!/bin/bash
#

# Flush existing rules and delete old user chains first, for the same
# reason as in the IPv4 script: "-N" fails on an existing chain and
# appended rules land behind any pre-existing rules:
ip6tables -F
ip6tables -X

# First set up the UDP and TCP chains:
ip6tables -N TCP
ip6tables -N UDP

# Since we're not a nat box or router set the FORWARD chain to DROP:
ip6tables -P FORWARD DROP

# Set the OUTPUT chain to ACCEPT:
ip6tables -P OUTPUT ACCEPT

# Set the INPUT chain to DROP:
ip6tables -P INPUT DROP

# Disable processing of any RH0 packet
# Which could allow a ping-pong of packets
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP

# Set a rule for established connections or returning icmp messages:
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Let everything through on loopback:
ip6tables -A INPUT -i lo -j ACCEPT

# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT

# Stop out of sequence or invalid packets:
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Accept ping:
ip6tables -A INPUT -p icmpv6 --icmpv6-type 8 -m conntrack --ctstate NEW -j ACCEPT
#ip6tables -A INPUT -p icmpv6 --icmpv6-type 8 -m conntrack --ctstate NEW -j ACCEPT

# Append the open chain and accept or reject packets:
ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
ip6tables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

# Reject connections with port unreachable or tcp rst (the ip6tables
# REJECT default is icmp6-port-unreachable, so the rst must be explicit):
ip6tables -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

# Reject anything else with icmp unreachable:
ip6tables -A INPUT -j REJECT

# Now open ports for services:
ip6tables -A TCP -p tcp --dport 22 -j ACCEPT
ip6tables -A TCP -p tcp --dport 25 -j ACCEPT
ip6tables -A TCP -p tcp --dport 80 -j ACCEPT
ip6tables -A TCP -p tcp --dport 443 -j ACCEPT
ip6tables -A TCP -p tcp --dport 587 -j ACCEPT
ip6tables -A TCP -p tcp --dport 993 -j ACCEPT

#
# Save settings
#
 /usr/libexec/ip6tables.init save
#
# List rules
#
 ip6tables -L -v
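To see which rule in the saved IPv4 filter table above actually terminates a new connection to port 80, here is a small first-match walker that evaluates an iptables-save INPUT chain the way the kernel does (an added example, not part of Dave's post; the ruleset, the interface name eth0 and the test packet are constructed from the quoted output, and only the -p, -i, --dport and state matchers are modelled).

```python
import shlex
# Ruleset constructed from the iptables-save filter table quoted in the post
# (the wrapped rule re-joined; the empty UDP chain and the TCP:22 rule left out).
SAVED = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
"""

def parse(saved):
    chains = {}
    for line in filter(lambda ln: ln.startswith("-A "), saved.splitlines()):
        tok, rule = shlex.split(line), {"text": line}
        for i, t in enumerate(tok):
            if t in ("-p", "-i", "--dport", "-j"):  # the only matchers modelled
                rule[t] = tok[i + 1]
            elif t in ("--state", "--ctstate"):
                rule["state"] = set(tok[i + 1].split(","))
        chains.setdefault(tok[1], []).append(rule)  # tok[1] is the chain name
    return chains

def matches(rule, pkt):
    """A matcher absent from the rule matches anything, as in iptables."""
    return (rule.get("-p", pkt["proto"]) == pkt["proto"]
            and rule.get("-i", pkt["iface"]) == pkt["iface"]
            and int(rule.get("--dport", pkt["dport"])) == pkt["dport"]
            and pkt["state"] in rule.get("state", {pkt["state"]}))

def verdict(chains, chain, pkt):
    """Walk the chain first-match-first like the kernel; return the terminating rule."""
    for rule in filter(lambda r: matches(r, pkt), chains.get(chain, [])):
        if rule["-j"] in chains:  # jump into a user chain (TCP); fall through on no hit
            hit = verdict(chains, rule["-j"], pkt)
            if hit:
                return hit
        elif rule["-j"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["text"]
    return None  # fell off the end: the chain policy (INPUT DROP) applies

HTTP_SYN = {"proto": "tcp", "dport": 80, "iface": "eth0", "state": "NEW"}  # constructed
```

Running `verdict(parse(SAVED), "INPUT", HTTP_SYN)` shows the packet never reaches the jump to the TCP chain; dropping the first five (pre-existing) rules from SAVED makes the same packet land on the TCP chain's port 80 ACCEPT.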
