You are not logged in.
- Topics: Active | Unanswered
#1 2017-01-25 12:42:59
- Wolfingiun
- Member
- Registered: 2017-01-19
- Posts: 1
Iptables and incoming connections
I tried to build a simple stateful firewall with the arch wiki and it works, but i have troubles understanding incoming connections in this context:
Opening ports to incoming connections
To accept incoming TCP connections on port 80 for a web server:
# iptables -A TCP -p tcp --dport 80 -j ACCEPT
To accept incoming TCP connections on port 443 for a web server (HTTPS):
# iptables -A TCP -p tcp --dport 443 -j ACCEPT
To allow remote SSH connections (on port 22):
# iptables -A TCP -p tcp --dport 22 -j ACCEPT
To accept incoming UDP streams on port 53 for a DNS server:
# iptables -A UDP -p udp --dport 53 -j ACCEPT
So, when i go online and surf with a browser, i send requests, but i dont recieve any, right? If this is right, do i need these rules? (because my pc isnt a server).
Offline
#2 2017-01-25 14:01:55
- Gregosky
- Member
- From: UK
- Registered: 2013-07-26
- Posts: 174
Re: Iptables and incoming connections
Your iptables rules should include entries that allow established connections to go through.
This is what I have at the top of my iptables.rules:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:872]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachableAnd then each rule looks like this:
-A TCP -p tcp -m tcp -d your_interface_ip --dport 80 -j ACCEPT
-A UDP -p udp -m udp -d your_interface_ip --dport 80 -j ACCEPT-d is to limit traffic through one interface (if in example you wanted to use your openvpn tunnel rather than your internet interface)
Last edited by Gregosky (2017-01-25 14:03:16)
Offline
#3 2017-01-27 11:13:46
- R00KIE
- Forum Fellow
- From: Between a computer and a chair
- Registered: 2008-09-14
- Posts: 4,734
Re: Iptables and incoming connections
Most probably you should read or re-read a couple of wiki pages:
https://wiki.archlinux.org/index.php/Iptables
https://wiki.archlinux.org/index.php/Si … l_firewall
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Offline