Hello, I am trying to open some ports on my firewall using iptables and I am not sure what I am doing wrong. Here is my iptables conf:
iptables -F
echo "----------flush-----------"
iptables -L
#Set default policies to drop all communication unless specifically allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
#Allow loopback device (internal communication)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Allow all local traffic.
iptables -A INPUT -i enp8s0 -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -o enp8s0 -d 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i enp5f0 -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -o enp5f0 -d 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i enp5f1 -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -o enp5f1 -d 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i enp5f2 -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -o enp5f2 -d 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i enp5f3 -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -o enp5f3 -d 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i wls4 -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -o wls4 -d 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i wls3 -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -o wls3 -d 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i br0 -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -o br0 -d 192.168.0.0/24 -j ACCEPT
#Allow VPN establishment
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --sport 1194 -j ACCEPT
iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
#Accept all TUN connections (tun = VPN tunnel)
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
#iptables -A OUTPUT -o nordtun -j ACCEPT
#iptables -A INPUT -i nordtun -j ACCEPT
iptables -I INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
#allow ports for synapse server
iptables -A INPUT -i ppp0 -p tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 8448 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --sport 8448 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 8448 -j ACCEPT
echo "---------test table----------"
iptables -L
iptables-save -f /etc/iptables/iptables.rules
ip6tables -F
echo "----------flush-----------"
ip6tables -L
##Set default policies to drop all communication unless specifically allowed
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i br0 -o tun0 -j ACCEPT
#Allow loopback device (internal communication)
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
echo "---------test table----------"
ip6tables -L
ip6tables-save -f /etc/iptables/ip6tables.rules
sleep 5
systemctl restart iptables
systemctl restart ip6tables
The idea is to stop anything using the internet raw through ppp0 and instead use tun0 for internet. Allow all local traffic and block all connections through ppp0 unless otherwise specified (in my case ports 443 and 8448). I have checked with my ISP that they are not filtering anything.
Nmap on the URL assigned to my ISP address states that ports 443 and 8448 are filtered.
The server is connected directly to the modem.
Update
This appears to still be blocked even if I set OUTPUT, FORWARD and INPUT to ACCEPT:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Moving to Networking, Server, and Protection
The original iptables rules did not work as intended because they used the --sport option, which specifies the source port of the packets. This means that the rules were set to accept packets originating from port 443 and port 1194, rather than packets being sent to those ports.
To modify your iptables rules for accepting incoming packets on port 443 and port 1194, you need to change the source port option (--sport) to the destination port option (--dport). Here’s the fixed version of your iptables commands:
iptables -A INPUT -p udp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
It is also essential to add rules to allow established connections. The following commands should be executed:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED -p icmp -j ACCEPT
By incorporating these rules, any accepted connection will be processed under the established packets rule, thereby facilitating the connection's continuity.
Last edited by macromal (2025-07-31 15:00:32)
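The two replies above (the --sport versus --dport diagnosis, and the missing RELATED,ESTABLISHED rule) describe mistakes that can be caught before a ruleset is ever loaded. As an added example, not from the thread and not part of Arch's iptables service, here is a small POSIX sh lint that reads iptables commands one per line from stdin, never touches the live firewall, and reports: INPUT rules that match only on --sport (the remote peer's source port, not a local service), -i used in an OUTPUT rule (which iptables rejects outright, only -o is valid there) and the mirror case of -o in INPUT, and an INPUT chain with DROP policy but no rule accepting RELATED,ESTABLISHED. The two embedded rulesets are constructed for the example; interface and port names are borrowed from the posted script.

```sh
#!/bin/sh
# Added example (not from the thread): offline lint for iptables scripts.
# Reads iptables commands, one per line, from stdin and prints one finding
# per line. It never executes iptables.

lint_iptables() {
    input_drop=0
    input_established=0
    while read -r line; do
        case "$line" in
            ''|\#*) continue ;;                       # blank lines and comments
            *" -P INPUT DROP"*) input_drop=1; continue ;;
        esac
        chain='' has_sport=0 has_dport=0 has_in=0 has_out=0 prev=''
        # Tokenise the command: the word after -A/-I is the chain.
        for tok in $line; do
            case "$prev" in
                -A|-I) chain=$tok ;;
            esac
            case "$tok" in
                --sport) has_sport=1 ;;
                --dport) has_dport=1 ;;
                -i) has_in=1 ;;
                -o) has_out=1 ;;
            esac
            prev=$tok
        done
        case "$chain" in
            INPUT)
                case "$line" in *ESTABLISHED*) input_established=1 ;; esac
                # A service is reached on its destination port; --sport alone
                # only matches packets that happen to come FROM that port.
                if [ "$has_sport" = 1 ] && [ "$has_dport" = 0 ]; then
                    printf 'sport-in-input: %s\n' "$line"
                fi
                if [ "$has_out" = 1 ]; then
                    printf 'output-iface-in-input: %s\n' "$line"
                fi
                ;;
            OUTPUT)
                # OUTPUT has no input interface; iptables refuses -i here.
                if [ "$has_in" = 1 ]; then
                    printf 'input-iface-in-output: %s\n' "$line"
                fi
                ;;
        esac
    done
    if [ "$input_drop" = 1 ] && [ "$input_established" = 0 ]; then
        printf 'no-established-rule: INPUT policy is DROP but nothing accepts RELATED,ESTABLISHED\n'
    fi
}

# Number of findings for a ruleset passed as a string.
count_findings() {
    printf '%s\n' "$1" | lint_iptables | wc -l | tr -d ' '
}

# Constructed sample mirroring the mistakes in the posted script.
BROKEN_RULES='iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --sport 1194 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
iptables -I INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --sport 8448 -j ACCEPT
iptables -A OUTPUT -i ppp0 -p tcp --dport 8448 -j ACCEPT'

# Same intent written correctly: services are opened on --dport, replies
# are covered by conntrack, OUTPUT filters on the outgoing interface (-o).
FIXED_RULES='iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o ppp0 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 8448 -j ACCEPT'

if [ "${1:-}" = "--demo" ]; then
    echo "== broken =="; printf '%s\n' "$BROKEN_RULES" | lint_iptables
    echo "== fixed ==";  printf '%s\n' "$FIXED_RULES"  | lint_iptables
fi
```

Run it as `sh lint.sh --demo`, or feed a real script with `grep '^ip6\?tables' firewall.sh | sh -c '. ./lint.sh; lint_iptables'`. The broken sample produces five findings (three --sport-only INPUT rules, one -i in OUTPUT, and the missing established-connections rule); the fixed sample produces none. The DHCP rule with both --sport and --dport is deliberately not flagged, since matching the peer's port is legitimate there.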