8

I'm following this guide here: https://web.archive.org/web/20130629015349/https://isalazyadmin.net/2009/07/02/configuring-a-basic-firewall-for-debian-linux/

And I have the iptables rules listed below, but my server still appears to be accepting all incoming connections (i.e. bittorrent peers are still connecting, even though I didn't allow those ports).

/etc/iptables.rules:

    *filter

    # This will allow all loopback (lo0) traffic and drop all traffic to 127/8
    # that does not use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

    # This accepts all already established connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # This allows all outbound traffic
    -A OUTPUT -j ACCEPT

    # This will allow HTTP and HTTPS connections from anywhere, these are the normal
    # ports used for a web server
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT

    # Allow SSH connections
    -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

    # Allow bittorrent/rtorrent ports, from ~/.rtorrent.rc
    ## -A INPUT -p tcp --dport 8071:8079 -j ACCEPT

    # Allow ICMP ping
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

    # Reject all other inbound traffic
    -A INPUT -j REJECT
    -A FORWARD -j REJECT

    COMMIT

When I run iptables -L after a reboot, I still get this as my first rule:

    iptables -L

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

Not sure where this is coming from.

Here is the full list:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

Here is the output of iptables-save:

    # Generated by iptables-save v1.4.8 on Fri Jan 11 09:54:19 2013
    *raw
    :PREROUTING ACCEPT [6701:942626]
    :OUTPUT ACCEPT [8927:989420]
    COMMIT
    # Completed on Fri Jan 11 09:54:19 2013
    # Generated by iptables-save v1.4.8 on Fri Jan 11 09:54:19 2013
    *nat
    :PREROUTING ACCEPT [3281:284415]
    :INPUT ACCEPT [9:720]
    :OUTPUT ACCEPT [1758:148908]
    :POSTROUTING ACCEPT [1758:148908]
    COMMIT
    # Completed on Fri Jan 11 09:54:19 2013
    # Generated by iptables-save v1.4.8 on Fri Jan 11 09:54:19 2013
    *mangle
    :PREROUTING ACCEPT [6701:942626]
    :INPUT ACCEPT [6701:942626]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [8928:989684]
    :POSTROUTING ACCEPT [8928:989684]
    COMMIT
    # Completed on Fri Jan 11 09:54:19 2013
    # Generated by iptables-save v1.4.8 on Fri Jan 11 09:54:19 2013
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -j ACCEPT
    COMMIT
    # Completed on Fri Jan 11 09:54:19 2013

Here is the iptables -vL output:

    $ sudo iptables -vL
    [sudo] password for ettinger:
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     8303 1206K ACCEPT     all  --  lo     any     anywhere             anywhere
        0     0 REJECT     all  --  !lo    any     anywhere             loopback/8           reject-with icmp-port-unreachable
      12M 7191M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
       18   980 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:www
        7   344 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
      379 22728 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
    18316 1110K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:8071:8079
     120K   15M ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:6881
    24809 1489K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:9001
      688 35244 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:9030
      874 73072 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    12705  871K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      14M   12G ACCEPT     all  --  any    any     anywhere             anywhere
6
  • Haven't you noticed your first INPUT rule ACCEPT all -- anywhere anywhere? Commented Jan 11, 2013 at 9:48
  • 1
    It seems that rules aren't loaded at boot time. Make sure that you added "pre-up iptables-restore < /etc/iptables.rules" line to your /etc/network/interfaces file (as author of tutorial suggests) Commented Jan 11, 2013 at 9:53
  • 1
    @ott : it concerns the lo interface only, so it's ok Commented Jan 11, 2013 at 9:54
  • 2
    Can you redo your listing with iptables -vL? Commented Jan 11, 2013 at 9:58
  • Your rules and your post boot state actually do match up, that is not the problem -- see my answer ;) Commented Jan 11, 2013 at 12:37

3 Answers

17

The line you are worried about:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

is actually because of this in your rules:

    -A INPUT -i lo -j ACCEPT

Notice the interface is explicit in the rule, but not in the -L output. Move that rule to the middle of the list, use iptables-restore and notice the "ACCEPT all -- anywhere" has moved down too. Now try changing the rule a bit:

    -A INPUT -i lo -s 127.0.0.1 -j ACCEPT

and the -L output will become:

    target     prot opt source               destination
    ACCEPT     all  --  localhost.localdomain  anywhere

"localhost.localdomain" will be your 127.0.0.1 hostname from /etc/hosts. This at least makes it clearer where that rule came from.

You can also see more detailed information including the interfaces with iptables -vL.

BTW, you may want to start your rules:

    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]

Drop everything by default as a fall-through for safety. This is considered bad manners, however (see the link in Gilles' comment below), so you may want to create a final catch-all for each table which uses -j REJECT --reject-with icmp-net-prohibited.

4
  • 4
    FYI, iptables -vL will show the full rule, including the interface. So it'll eliminate confusion like this. Commented Jan 11, 2013 at 16:21
  • Thanks @derobert -- I had forgotten about that display. Will edit this into the answer! Commented Jan 11, 2013 at 16:28
  • 2
    Regarding dropping everything by default: Reject IP packets with an ICMP error, or just drop them? Commented Jan 11, 2013 at 22:50
  • @derobert +1 on -v switch. My firewall rules don't look as bad as I thought :) Commented Nov 17, 2016 at 16:21
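To make the two points of this answer concrete, here is an added example (not code from the question, the answers or the linked tutorial): a small parser for iptables-save text that renders each rule the way `iptables -L` and `iptables -vL` would, so you can see the interface column appear, and that audits each chain for a real accept-everything rule and for a missing default deny. The first ruleset is copied from the question's iptables-save output; the second is the same ruleset with DROP policies as suggested above. The function names, the audit messages and the rendering (which only approximates iptables' columns and does no name resolution) are this example's own.

```python
"""Parse iptables-save text and show what `iptables -L` hides versus `iptables -vL`."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the *filter table from the question's iptables-save output.
QUESTION_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
"""
# Same rules with DROP policies (the answer's suggestion): if the rules ever fail
# to load at boot, the host stays closed instead of open.
HARDENED_RULES = (QUESTION_RULES.replace(":INPUT ACCEPT", ":INPUT DROP")
                                .replace(":FORWARD ACCEPT", ":FORWARD DROP"))


@dataclass
class Rule:
    chain: str
    target: str = ""
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    extras: List[str] = field(default_factory=list)       # match-module options
    target_opts: List[str] = field(default_factory=list)  # options after -j

    def is_unrestricted(self) -> bool:
        """True when nothing narrows the match, i.e. every packet hits this rule."""
        return not any([self.in_iface, self.out_iface, self.proto,
                        self.src, self.dst, self.extras])


def parse_filter_table(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return ({chain: policy}, [rules]) for the *filter table of iptables-save text."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "filter" or line == "COMMIT":
            continue
        if line.startswith(":"):                 # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule = Rule(chain=toks[1])
        i, negate, after_jump = 2, False, False
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                       # iptables-save writes "! -i lo"
                negate, i = True, i + 1
                continue
            prefix, negate = ("!" if negate else ""), False
            if tok in ("-i", "--in-interface"):
                rule.in_iface = prefix + toks[i + 1]
            elif tok in ("-o", "--out-interface"):
                rule.out_iface = prefix + toks[i + 1]
            elif tok in ("-p", "--protocol"):
                rule.proto = prefix + toks[i + 1]
            elif tok in ("-s", "--source"):
                rule.src = prefix + toks[i + 1]
            elif tok in ("-d", "--destination"):
                rule.dst = prefix + toks[i + 1]
            elif tok in ("-j", "--jump"):
                rule.target, after_jump = toks[i + 1], True
            elif tok in ("-m", "--match"):
                pass                             # module name; its options follow
            else:                                # --dport 80, --state NEW, --reject-with ...
                has_value = i + 1 < len(toks) and not toks[i + 1].startswith(("-", "!"))
                opt = prefix + tok + (" " + toks[i + 1] if has_value else "")
                (rule.target_opts if after_jump else rule.extras).append(opt)
                i += 2 if has_value else 1
                continue
            i += 2
        rules.append(rule)
    return policies, rules


def render(rule: Rule, verbose: bool) -> str:
    """One line in the shape of `iptables -L` (verbose=False) or `iptables -vL`.
    Without -v there are no in/out columns, so '-i lo' prints as 'ACCEPT all -- anywhere anywhere'."""
    cols = [rule.target, rule.proto or "all", "--"]
    if verbose:
        cols += [rule.in_iface or "any", rule.out_iface or "any"]
    cols += [rule.src or "anywhere", rule.dst or "anywhere"] + rule.extras + rule.target_opts
    return " ".join(cols)


def audit(policies: Dict[str, str], rules: List[Rule], chain: str) -> List[str]:
    """Findings about whether CHAIN really denies by default."""
    findings = []
    chain_rules = [r for r in rules if r.chain == chain]
    for n, r in enumerate(chain_rules, 1):
        if r.target == "ACCEPT" and r.is_unrestricted():
            findings.append(f"{chain} rule {n}: ACCEPT with no match at all (really accepts everything)")
    last = chain_rules[-1] if chain_rules else None
    catch_all = last is not None and last.target in ("DROP", "REJECT") and last.is_unrestricted()
    if policies.get(chain, "ACCEPT") == "ACCEPT":
        findings.append(f"{chain}: policy ACCEPT and no final catch-all deny" if not catch_all else
                        f"{chain}: policy ACCEPT; if the rules fail to load at boot, everything is accepted")
    return findings


if __name__ == "__main__":
    for label, text in (("question", QUESTION_RULES), ("hardened", HARDENED_RULES)):
        policies, rules = parse_filter_table(text)
        print(f"== {label} ruleset, INPUT policy {policies['INPUT']}")
        print("  -L :", render(rules[0], False))   # the line the question worried about
        print("  -vL:", render(rules[0], True))    # same rule, interface visible
        for chain in ("INPUT", "FORWARD", "OUTPUT"):
            for finding in audit(policies, rules, chain):
                print("  !", finding)
```

Run it against `sudo iptables-save` output instead of the embedded text to check a live host; the `-L` rendering of the first rule matches the listing in the question while the `-vL` rendering shows `lo`, and the audit distinguishes that interface-scoped rule from a genuine accept-all (the only one in the ruleset is in OUTPUT, which is intentional). The `policy ACCEPT` finding is the point of the DROP suggestion: the question's chains are closed only as long as the final REJECT rule is actually loaded.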
1

Just as a matter of completeness, in order to avoid this problem in future, use the -v (verbose) command line option when displaying the table, like this:

    iptables -Lv

The output should now include the interface it affects in the "in" and "out" columns:

    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      151 13073 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
      126 33414 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
-1

Problem is in this part of INPUT chain:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

especially in the last line. Everything after this line is unnecessary, because this line accepts everything.

You have to delete this line from the rules by this command:

    iptables -D INPUT 1

You have to inspect your firewall rules to find the rule which adds this line.

4
  • 7
    "ACCEPT all -- anywhere anywhere" comes from this rule: "-A INPUT -i lo -j ACCEPT" so it's concerns only lo interface, so it's not the issue. Commented Jan 11, 2013 at 10:01
  • I deleted everything, but it still shows up with iptables -L Commented Jan 11, 2013 at 10:07
  • ok, that's what someone else mentioned. thanks. I can safely ignore it. Commented Jan 11, 2013 at 10:08
  • 1
    @chovy: your rules are ok. Issue lies in restoring it after reboot. Try follow this steps: debian-administration.org/articles/445 Commented Jan 11, 2013 at 10:26
