With these rules I can't use wget to an external address or send emails through an external SMTP server:
#!/bin/bash
# Flush all current rules from iptables
iptables -F
# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT
# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming web traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Save settings
/sbin/service iptables save
But if I add this, it works:
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
Shouldn't the following rule allow any incoming connection originated by a previous request?
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EDIT: when I run the script I get 2 errors:
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
I'm using CentOS 5.5 and iptables 1.3.5. Digging more I have found that there is a bug in this version: http://bugs.centos.org/view.php?id=3632 Can this be the cause of the problem?
EDIT 2: if I run dmesg I get the same message repeated:
ip_tables: udp match: only valid for protocol 17
EDIT 3: Running iptables -L INPUT -v -n after a successful wget shows:
# iptables -L INPUT -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
31 2020 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
4 938 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
12 11439 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80
EDIT 4: Running sh -x script shows:
# sh -x firewall.conf
+ iptables -F
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ iptables -P OUTPUT ACCEPT
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: Unknown error 4294967295
+ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: Unknown error 4294967295
+ iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables: Unknown error 4294967295
+ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+ /sbin/service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Best Answer
You don't have any rules in the OUTPUT chain and the default policy for it is DROP, so the initial TCP packets sent by your system when you try to open an HTTP or SMTP connection get dropped. You need to add rules like these to permit outbound HTTP and SMTP for wget and email:
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
You can consolidate them into one rule using multiport:
iptables -A OUTPUT -p tcp -m multiport --dports 25,80 -m state --state NEW -j ACCEPT
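The following is an added example and is not code from the question or from the answer above. It covers both threads of the discussion: the stateful INPUT chain the question relies on, and the outbound allow-list the answer recommends. It writes the rules in iptables-restore format rather than as a sequence of iptables calls, so the whole set is loaded atomically (the script in the question flushes the chain with -F before the DROP policy and the allow rules are in place). It also includes a check on a saved `iptables -L INPUT -v -n` listing for an ESTABLISHED,RELATED rule, because the listing in EDIT 3 shows that after the "Unknown error 4294967295" the state rule was simply never loaded, which is why only the explicit --sport rules let replies back in. The function names, the log prefixes, the rate limit and the choice of ports (22 for SSH, 25/80/443 outbound) are assumptions; the `-m state` match is used because that is what the question's iptables 1.3.5 is running.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Two defender-side helpers:
#   build_ruleset  - emits a stateful ruleset in iptables-restore format so
#                    it is loaded atomically (no flush-then-append window)
#   has_state_rule - checks a saved "iptables -L INPUT -v -n" listing for an
#                    ESTABLISHED,RELATED rule (the listing in EDIT 3 has none)
# Port numbers, log prefixes, the rate limit and function names are assumptions.

# build_ruleset SSH_PORT OUTBOUND_TCP_PORTS
# Prints an iptables-restore file: INPUT accepts only loopback, return traffic
# and the listed services; OUTPUT defaults to DROP and allows only DNS plus the
# comma-separated TCP ports (e.g. "25,80,443" for SMTP/HTTP/HTTPS). Drops are
# logged at a bounded rate so a mis-loaded ruleset shows up in the kernel log.
build_ruleset() {
    ssh_port=$1
    out_ports=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports $out_ports -m state --state NEW -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
COMMIT
EOF
}

# rule_count RULESET_TEXT
# Number of "-A" rule lines in a ruleset, for a quick sanity check of the output.
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# has_state_rule LISTING
# Returns 0 if the listing contains a state/ctstate ESTABLISHED match.
# "iptables -L" prints the state match as "state RELATED,ESTABLISHED" and the
# conntrack match as "ctstate RELATED,ESTABLISHED"; the pattern catches both.
has_state_rule() {
    printf '%s\n' "$1" | grep -qi 'state [A-Z,]*ESTABLISHED'
}

# Listing copied from EDIT 3 of the question: no ESTABLISHED,RELATED rule,
# so only the explicit --sport rules let replies back in.
LISTING_FROM_QUESTION='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   31  2020 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    4   938 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
   12 11439 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80'

# Constructed listing of a chain where the state rule did load.
LISTING_WITH_STATE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
   40  5000 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
   31  2020 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW'

# Usage (as root):
#   build_ruleset 22 "25,80,443" > /tmp/rules.new
#   iptables-restore < /tmp/rules.new
#   has_state_rule "$(iptables -L INPUT -v -n)" || echo "state rule missing"
```

The check at the end is the step missing from the question's script: after loading, list the chain and confirm the ESTABLISHED,RELATED rule is actually present before trusting the firewall, since a failed `iptables -A` leaves the chain silently without that rule while the rest of the script continues.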