IPTables Config, What Is The Dirrence Between These Statments For Port 80?

Hello! I hope this post get's in the right place, cause I'm a newbie @ Linux

I'm trying to set up a Webserver, apache. And I'm confused which chain to set in IPTables. I hope'd someone could answer me a little more in detail, I've tryed googeling, but the answers were quite confusing for me, anyway here are the statement;

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

and

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

A know that that -A INPUT is for incoming packaes, -p specifies protocol TCP. But I'm unsure what -m does? Cause in the first line it is just "-m tcp" and in the second it is "-m state --state". So if someone could explant the diffrence and which one to use, I would be grateful.

And another question while I'm at it; In the start of IPTables I have;
-A INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

What happens if I get a packet destined for some service, that isn't a chain in IPTables? Take port 80 for example, will IPTables accept the packet, but drop it at the end because there isn't any hit? If you understand what I mean. If -A INPUT would be DENY istead of ACCEPT, would the packet never ever get examined further then the first line?

Almost and the bottom of IPTables ther is a line;
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Is it the chain that will be matched if there is not hit prior to it? What would happen if this line wasn't there?

Thank you very much for your help, I'm just wanna be sure little how IPTables work.

Best Regards; Stefan


Similar Content



Iptables Not Active/firewalld Is - My Web Server Is Working But I Have No Idea Why.

This is a copy of my /etc/sysconfig/iptables.conf (w/o comments):
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

- Added the port 80/21 entries.
vsftpd does work.

"iptables-save | grep 80" returns nothing.

My web server works (internal and external).

"systemctl is-active iptables" shows "inactive"
I have "just" gotten firewalld up and running thanks to questions answered here.

iptables is truly a mystery to me.

Can someone explain why my web server/vsftpd are up and working w/o iptables being active? How can I get my network and security both up and working safely together?

If I enable/activate iptables, is this going to break my web server?

Is this the appropriate forum for this question?

As always, thank you for your time and patience,

Skip

Linux Proxy Server Configuration

I am trying to set up a "Proxy Server" in Linux, without using Squid (Part of my project). However I have beginner's knowledge of iptables. I am using the following script from "http://www.aboutdebian.com/proxy.

#!/bin/sh
INTIF="eth1"
EXTIF="eth0"
EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Question is there is no packet forwarding from eth1 to eth0 (verified from wireshark, a windows is using eth1's ip address as its default gateway)

Any help would be highly appreciated!

SSH And Opening Ports

Hello,

I am trying to set up SSH on my linux machine. I have all the ssh packages downloaded and have added rules to my iptables i.e.

-A INPUT -p tcp -m tcp --dport 62222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

I also saved all the rules in a file so I could restore the iptables when I reboot the machine.

I also checked to make sure that the ports were open on the network firewall.

So I'm not sure what to do now because everywhere I look it says that once I've added those rules it should work.

Please Help!

Systemd And Loading Init File

I recently changed from Debian 7 to 8 which now uses systemd as the default init.
I had a init file that worked fine (see below) and works fine when directly invoked
Code:
$ sudo /etc/init.d/iptables start

however fails when indirectly invoked
Code:
$ sudo service iptables start
Job for iptables.service failed. See 'systemctl status iptables.service' and 'journalctl -xn' for details.

Code:
$ systemctl status iptables.service
 iptables.service - LSB: Iptable setup
   Loaded: loaded (/etc/init.d/iptables)
   Active: failed (Result: exit-code) since Mon 2015-05-25 17:18:37 PDT; 5s ago
  Process: 4825 ExecStart=/etc/init.d/iptables start (code=exited, status=203/EXEC)

Code:
$ journalctl -xn
No journal files were found.

I don't understand the error except that it "failed" and is loaded.
I have disabled and re-enabled the service with these commands:

Code:
sudo systemctl disable iptables
sudo systemctl enable iptables

which completes successfully but did not fix the problem.


INIT file
Code:
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Should-Start:      $portmap
# Should-Stop:       $portmap
# X-Start-Befo     nis
# X-Stop-After:      nis
# Default-Start:     2 
# Default-Stop:      1
# X-Interactive:     false
# Short-Description: Iptable setup
# Description:       Sets iptable rules
#                    
### END INIT INFO

ipt=/sbin/iptables

loadrules() {

if [ -e /etc/iptables_ruleset ]; then iptables-restore < /etc/iptables_ruleset && exit 0; fi

$ipt -F
$ipt -X

# Policies and Chains
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -N SSH
$ipt -N WEBSERVER

$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -i lo -j ACCEPT # Allow loopback

# Services
$ipt -A INPUT -p tcp -m multiport --dport 443,80 -j WEBSERVER # WEBSERVER chain 
$ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH # Jump to SSH chain
$ipt -A INPUT -p tcp -s 192.168.1.1/24 --dport 445 -j ACCEPT # samba

# Reject message for LAN
$ipt -A INPUT -s 192.168.1.1/24 -j REJECT

# WEBSERVER chain
$ipt -A WEBSERVER -p tcp -m multiport --dport 443,80 -m conntrack --ctstate NEW -j LOG
$ipt -A WEBSERVER -p tcp -m multiport --dport 443,80 -j ACCEPT

# SSH chain
$ipt -A SSH -p tcp --dport 22 -m recent --set --name SSH # Set SSH recent
$ipt -A SSH -p tcp --dport 22 -m recent --name SSH --update --seconds 10 --hitcount 2 --rttl -j LOG # Log if over counter
$ipt -A SSH -p tcp --dport 22 -s 192.168.1.1/24 -m recent --name SSH --update --seconds 10 --hitcount 10 --rttl -j REJECT # Reject from lan if over counter
$ipt -A SSH -p tcp --dport 22 ! -s 192.168.1.1/24 -m recent --name SSH --update --seconds 10 --hitcount 2 --rttl -j DROP # Drop if over counter
$ipt -A SSH -p tcp --dport 22 -j ACCEPT

iptables-save > /etc/iptables_ruleset
}

removerules() {
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -F
$ipt -X
}

restartrules() {
rm /etc/iptables_ruleset
loadrules
}

case "$1" in
	start)
		loadrules
		;;
	stop)
		removerules
		;;
        restart)
                restartrules
                ;;
    	*)
        	echo "Usage: $0 start|stop|restart" >&2
        	exit 3
        	;;
esac

Edit:
Checking /var/log/daemon.log gives me this info:
Code:
May 25 19:13:29 hostname systemd[6004]: Failed at step EXEC spawning /etc/init.d/iptables: Exec format error
May 25 19:13:29 hostname systemd[1]: iptables.service: control process exited, code=exited status=203
May 25 19:13:29 hostname systemd[1]: Failed to start LSB: Iptable setup.
May 25 19:13:29 hostname systemd[1]: Unit iptables.service entered failed state.

Questions About Iptables

Hi everyone
I have a question about iptables

This line
Code:
iptables -A INPUT -p tcp  -m tcp --dport 80 -j ACCEPT

why there is a "-m tcp"? what does this mean? I checked some book and man, I did not find what does this mean.

Thank you very much for your help.

Iptables --policy (login Slow)

Dear all,

This is my current iptables (with default policy = Accept) and no rules.
Code:
[root@racnode1 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 77072 packets, 7890K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 70306 packets, 129M bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@racnode1 ~]#

I have decided to allow only incoming network connection from my own subnet and hence

Code:
[root@racnode1 ~]# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
[root@racnode1 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  178  9055 ACCEPT     all  --  any    any     192.168.0.0/24       anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 186 packets, 316K bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@racnode1 ~]#

Noted that my default policy is still ACCEPT, hence I

Code:
[root@racnode1 ~]# iptables --policy INPUT DROP

===============================================================

Upon this, I have 2 issues

a) my iptables -L -v command can't display fully, i am stuck at below

Quote:
[root@racnode1 ~]# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
b) my ssh login is very slow

Quote:
login as: root
-- waited quite sometime before prompting me for password
===============================================================

If i removed revert the INPUT policy to ACCEPT, then everything will be fine as normal.

Why ?

Thanks and look forward to your advises.

Regards,
Noob ;(

Restrictive Iptables Rule For DHCP

I was reading the frozentux appendix for dhcp (https://www.frozentux.net/iptables-t...tml/x6316.html) and I was wondering how could this Code:
$IPTABLES  -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT

be made to be more restrictive? The author himself says that this ca be done, but doesn't give any details in this respect.

I am interested in both cases - if the computer is a dhcp server or if it is only a dhcp client. Can you help me out with this?

Access A Host From A Different Subnet In Linux

Hi all,

I have a host#1 with ip=192.168.3.100 and a host#2 with ip=192.168.2.100. Both hosts are connected to some linux device with 2 interfaces : eth0 with ip=192.168.2.1 and eth1 with ip=192.168.3.1.

So host#1 is connected to eth1 and host#2 to eth0. I would like to ping host#2 from host#1 and vice versa. How can I do that ?

I tried :
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

but it didn't work

PS
This is my first post here, so please don't be very strict to me
Looking forward to hearing from anybody as I'm out of ideas...

BR,
Dmitry

Iptables Command With ! Syn

I enter this command:
iptables -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp ! --syn -j DROP

And in sysconfig/iptables I get this:

-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

I don't understand exactly how to interpret this line. It seems, at a first glance, absurd to me, because it says to drop all packets that start a tcp connection which do NOT have flags FIN,SYN,RST,ACK SYN. It's quite the reverse of what am writing.

How come all these show up?

Iptables Tcp Flags Scripts

I was checking out this link:
http://www.k-state.edu/its/security/...pt_Handout.pdf


There's a line that says:
Code:
iptables -A Log-N-Drop -p tcp -m tcp --tcp-flags FIN,ACK FIN -j LOG --log-prefix "Denied FIN SCAN: "

This is part of the Log-N-Drop chain that is made up of several similar statements.

First of all, I'd like to know what's the difference between --tcp-flags FIN FIN and --tcp-flags FIN,ACK FIN?

Then, there's this:
Code:
iptables -A Log-N-Drop -p tcp -m tcp --tcp-flags ALL NONE -j DROP

Which says that all tcp packets form the Log-N-Drop chain that have NO tcp flags set should be dropped.

Of course, there's a bigger context there in the link, but I'd like to take it step by step. How should I interpret this last iptables line? Why should it be necessary? I guess, in this case, it should make sense to drop all packets that have no flags set, right, 'cause they would be invalid? Any valid tcp flag should have at least one flag set, or am I wrong?

The fuller the feedback, the better