#1 2015-10-07 07:17:43

broken pipe
Member
Registered: 2010-12-10
Posts: 243

[SOLVED] No route to host after starting iptables

Hi all,
I wrote a little iptables firewall which blocks everything and only allows HTTPS and SSH (on port 5522).
HTTPS works, but SSH won't connect ("No route to host").
I am happy for any ideas, best regards!

# Flush
iptables -F

# Tables
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# SSH, HTTPS
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 5522,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 5522,443 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 5522,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --sports 5522,443 -m state --state ESTABLISHED -j ACCEPT

# DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# Ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# LO
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Logging
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP

Last edited by broken pipe (2015-10-07 18:55:42)

#2 2015-10-07 07:54:40

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] No route to host after starting iptables

"No route to host" is a routing issue, not a firewall issue. See your routes:

ip route

#3 2015-10-07 08:54:17

broken pipe
Member
Registered: 2010-12-10
Posts: 243

Re: [SOLVED] No route to host after starting iptables

brebs wrote:

"No route to host" is a routing issue, not a firewall issue. See your routes:

ip route

Thanks for your reply. ip route seems to be OK and I can ping everything. All standard ports (22, 80, 443 etc.) are working, but I can't connect to 5522. Stupid question, but is the port too high for a normal iptables port range and blocked by default?

#4 2015-10-07 09:42:08

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] No route to host after starting iptables

2 common iptables rules to put first are:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT

You are missing *RELATED*.

You could totally debug this yourself, by using tcpdump and iptables logging.

#5 2015-10-07 19:15:26

broken pipe
Member
Registered: 2010-12-10
Posts: 243

Re: [SOLVED] No route to host after starting iptables

brebs wrote:

2 common iptables rules to put first are:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT

You are missing *RELATED*.

You could totally debug this yourself, by using tcpdump and iptables logging.

Thank you!! It's working now and blocks everything else!

For anyone else, here is the complete firewall script:

# Cleanup
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -Z
iptables -t nat -Z
iptables -t mangle -Z
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Tables
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# LO
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# SSH, HTTPS
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 5522,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 5522,443 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 5522,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp -m multiport --sports 5522,443 -m state --state ESTABLISHED -j ACCEPT

# NTP
iptables -A OUTPUT -o eth0 -p udp --dport 123 -m state --state NEW -j ACCEPT
iptables -A INPUT  -i eth0 -p udp --sport 123 -m state --state NEW -j ACCEPT

# DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# Ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Explicitly drop invalid incoming traffic
iptables -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic
iptables -A OUTPUT -m state --state INVALID -j DROP

# SYN Flood
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
iptables -A SYN_FLOOD -j DROP

# XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Logging
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP

#6 2015-10-07 19:28:58

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] No route to host after starting iptables

iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 5522,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp -m multiport --sports 5522,443 -m state --state ESTABLISHED -j ACCEPT

Is this for a client or a server? Your rules are still a bit of a mess ;)

Hint: Many ports may be used, which is why "RELATED,ESTABLISHED" is such a convenient specification - it doesn't require us to specify a port number/range.

#7 2015-10-08 07:37:12

broken pipe
Member
Registered: 2010-12-10
Posts: 243

Re: [SOLVED] No route to host after starting iptables

brebs wrote:

iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 5522,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp -m multiport --sports 5522,443 -m state --state ESTABLISHED -j ACCEPT

Is this for a client or a server? Your rules are still a bit of a mess ;)

Hint: Many ports may be used, which is why "RELATED,ESTABLISHED" is such a convenient specification - it doesn't require us to specify a port number/range.

Improvements are welcome ;). It's a server which basically serves content over HTTPS.
