Linux – wget blocked by iptables in CentOS 5.5 and iptables 1.3.5


With these rules I can't use wget to an external address or send emails through an external SMTP server:

#!/bin/bash

# Flush all current rules from iptables
iptables -F

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT

# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming web traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Save settings
/sbin/service iptables save

But if I add this, it works:

iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT

Shouldn't the following rule allow any incoming connection originated by a previous request?

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

EDIT: when I run the script I get 2 errors:

iptables: Unknown error 4294967295
iptables: Unknown error 4294967295

I'm using CentOS 5.5 and iptables 1.3.5. Digging more I have found that there is a bug in this version (http://bugs.centos.org/view.php?id=3632). Can this be the cause of the problem?

EDIT 2: if I run dmesg I get the same message repeated:

ip_tables: udp match: only valid for protocol 17

EDIT 3: Running iptables -L INPUT -v -n after a successful wget shows:

# iptables -L INPUT -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   31  2020 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    4   938 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53
   12 11439 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80

EDIT 4: Running sh -x script shows:

 # sh -x firewall.conf
+ iptables -F
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ iptables -P OUTPUT ACCEPT
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: Unknown error 4294967295
+ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: Unknown error 4294967295
+ iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables: Unknown error 4294967295
+ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+ /sbin/service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

Best Answer

You don't have any rules in the OUTPUT chain and the default policy for it is DROP, so the initial TCP packets sent by your system when you try to open an HTTP or SMTP connection get dropped. You need to add rules like these to permit outbound HTTP and SMTP for wget and email:

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

You can consolidate them into one rule using multiport:

iptables -A OUTPUT -p tcp -m multiport --dports 25,80 -m state --state NEW -j ACCEPT
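As an added example (not code from the question or the answer above): a loader that applies the ESTABLISHED,RELATED rule while the INPUT policy is still ACCEPT and only switches to DROP once every rule has been accepted by the kernel, so a failure like the "Unknown error 4294967295" shown in EDIT 4 stops the script instead of leaving the host without conntrack, plus a check that looks for the state rule in `iptables -L INPUT -v -n` output. The outbound rules follow the answer's multiport line; the outbound DNS rule and the IPTABLES dry-run variable are my assumptions, and the two listings are constructed sample output shaped like EDIT 3.

```shell
#!/bin/sh
# IPTABLES defaults to a dry run that only prints the commands.
# Set IPTABLES=/sbin/iptables (as root) to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Run one rule; report and return non-zero if the kernel rejects it
# (e.g. "Unknown error 4294967295" when the state match is unusable).
ipt() {
    if ! $IPTABLES "$@"; then
        echo "rule failed: iptables $*" >&2
        return 1
    fi
}

# Policies are switched to DROP last, so if the state rule fails the
# host is left reachable rather than half-firewalled and saved that way.
apply_rules() {
    ipt -F INPUT || return 1
    ipt -F OUTPUT || return 1
    ipt -P INPUT ACCEPT || return 1
    ipt -P OUTPUT ACCEPT || return 1
    ipt -A INPUT -i lo -j ACCEPT || return 1
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT || return 1
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT || return 1
    ipt -A INPUT -p tcp --dport 443 -j ACCEPT || return 1
    ipt -A OUTPUT -o lo -j ACCEPT || return 1
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    # Outbound SMTP and HTTP, as in the answer's consolidated rule.
    ipt -A OUTPUT -p tcp -m multiport --dports 25,80 -m state --state NEW -j ACCEPT || return 1
    # Assumption: wget must resolve names, so new DNS queries are allowed too.
    ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT || return 1
    # Only now is it safe to drop everything else.
    ipt -P INPUT DROP || return 1
    ipt -P FORWARD DROP || return 1
    ipt -P OUTPUT DROP || return 1
}

# Given the text of `iptables -L INPUT -v -n`, return 0 if the conntrack
# rule is present and 1 if it is missing (as in EDIT 3, where only the
# --sport workaround rules were letting reply packets in).
has_state_rule() {
    printf '%s\n' "$1" | grep -q 'state RELATED,ESTABLISHED'
}

# Constructed listings modelled on EDIT 3 (not real output from that host).
LISTING_BROKEN='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   31  2020 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    4   938 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53'
LISTING_OK='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120 98765 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   31  2020 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22'

if has_state_rule "$LISTING_BROKEN"; then
    echo "INPUT has an ESTABLISHED,RELATED rule"
else
    echo "WARNING: no ESTABLISHED,RELATED rule in INPUT" >&2
fi

apply_rules
```

On a live box, `iptables -L INPUT -v -n | has_state_rule "$(cat)"` style checks are what tell you whether the saved ruleset really contains the conntrack rule; the zero-packet counters on the state rule, or its absence, are the symptom to look for before trusting a DROP policy.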