1

I tried to block all ports except 22(ssh), 80(http), 443(https). My current INPUT rules are these.

> iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere tcp dpt:http DROP all -- anywhere anywhere

it should accept http and https port and then block everything else. but It's blocking everything. for example when I try to visit facebook which uses port 80 & 443, it doesn't work. I can't visit facebook. what should I do now?

I also tried like this. Allowed mentioned ports and made the policy DROP, though I'm not sure. the same happens.

> iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere tcp dpt:http
Improve this question
6
  • You are using Kali Linux? Commented Feb 9, 2018 at 1:54
  • yes. @NasirRiley i know there's no need to mention it Commented Feb 9, 2018 at 2:12
  • Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux. Commented Feb 9, 2018 at 2:27
  • Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites. Commented Feb 9, 2018 at 2:28
  • In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands: ifconfig cat /etc/network/interfaces cat /etc/resolv.conf service network-manager status Commented Feb 9, 2018 at 2:28

3 Answers 3

Reset to default
1

The policy rules that you've created will allow outside hosts to connect to your TCP ports 22, 80 and 443, but not allow any other traffic, including your own! If you really want to prevent this host from accessing anything other than these three ports, and don't want outside hosts to access yours at all, you can put the rules on your OUTPUT rule chain instead of your INPUT one and then have a CONNTRACK rule on your input chain to prevent connections that you didn't initiate:

-P INPUT DROP -P OUTPUT DROP -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m udp -p udp --sport 53 -j ACCEPT -A OUTPUT -i lo -j ACCEPT -A OUTPUT -m tcp -p tcp --dport 22 -j ACCEPT -A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT -A OUTPUT -m udp -p udp --dport 53 -j ACCEPT -A OUTPUT -m tcp -p tcp --dport 80 -j ACCEPT -A OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT

I usually allow the loopback adapter to work normally as some internal programs may need it; as well, I would allow DNS traffic, or else you won't be able to resolve domain names.

Improve this answer
2
  • it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more? Commented Feb 9, 2018 at 8:45
  • Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in the OUTPUT section; everything else will be dropped. Commented Feb 9, 2018 at 20:05
1

As others pointed out in the comments, you do not need INPUT rules like those to access websites. You would only need these rules if you were running services on these ports locally. If you did want to restrict outbound traffic instead, these rules would need to go in the OUTPUT chain.

Additionally, you are losing all connectivity because you are DROPping all inbound traffic. When you make a connection to a webserver, the returning data (specifically, the TCP 3 way handshake) will be DROPPed in the INPUT chain because of your catch-all drop. To fix this, you need to add a rule to allow these return connections:

iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Improve this answer
0

Try update-alternatives --config iptables and select the legacy version. Worked for me for the time being.

Improve this answer
2
  • 1
    I've edited your answer to add code formatting, remove signature and replace dash character with --. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer. Commented Jan 30, 2019 at 20:09
  • I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall. Commented Jan 30, 2019 at 23:10

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.