Iptables - facing problems to allow specific ports and block others












1















I tried to block all ports except 22(ssh), 80(http), 443(https). My current INPUT rules are these.



> iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP all -- anywhere anywhere


it should accept http and https port and then block everything else. but It's blocking everything. for example when I try to visit facebook which uses port 80 & 443, it doesn't work. I can't visit facebook. what should I do now?



I also tried like this. Allowed mentioned ports and made the policy DROP, though I'm not sure. the same happens.



> iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http









share|improve this question

























  • You are using Kali Linux?

    – Nasir Riley
    Feb 9 '18 at 1:54











  • yes. @NasirRiley i know there's no need to mention it

    – Rabin
    Feb 9 '18 at 2:12













  • Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux.

    – Nasir Riley
    Feb 9 '18 at 2:27











  • Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites.

    – Nasir Riley
    Feb 9 '18 at 2:28











  • In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands: ifconfig cat /etc/network/interfaces cat /etc/resolv.conf service network-manager status

    – Nasir Riley
    Feb 9 '18 at 2:28
















1















I tried to block all ports except 22(ssh), 80(http), 443(https). My current INPUT rules are these.



> iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP all -- anywhere anywhere


it should accept http and https port and then block everything else. but It's blocking everything. for example when I try to visit facebook which uses port 80 & 443, it doesn't work. I can't visit facebook. what should I do now?



I also tried like this. Allowed mentioned ports and made the policy DROP, though I'm not sure. the same happens.



> iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http









share|improve this question

























  • You are using Kali Linux?

    – Nasir Riley
    Feb 9 '18 at 1:54











  • yes. @NasirRiley i know there's no need to mention it

    – Rabin
    Feb 9 '18 at 2:12













  • Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux.

    – Nasir Riley
    Feb 9 '18 at 2:27











  • Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites.

    – Nasir Riley
    Feb 9 '18 at 2:28











  • In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands: ifconfig cat /etc/network/interfaces cat /etc/resolv.conf service network-manager status

    – Nasir Riley
    Feb 9 '18 at 2:28














1












1








1








I tried to block all ports except 22(ssh), 80(http), 443(https). My current INPUT rules are these.



> iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP all -- anywhere anywhere


it should accept http and https port and then block everything else. but It's blocking everything. for example when I try to visit facebook which uses port 80 & 443, it doesn't work. I can't visit facebook. what should I do now?



I also tried like this. Allowed mentioned ports and made the policy DROP, though I'm not sure. the same happens.



> iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http









share|improve this question
















I tried to block all ports except 22(ssh), 80(http), 443(https). My current INPUT rules are these.



> iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP all -- anywhere anywhere


it should accept http and https port and then block everything else. but It's blocking everything. for example when I try to visit facebook which uses port 80 & 443, it doesn't work. I can't visit facebook. what should I do now?



I also tried like this. Allowed mentioned ports and made the policy DROP, though I'm not sure. the same happens.



> iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http






iptables kali-linux firewall






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Aug 21 '18 at 1:01









Rui F Ribeiro

40.1k1479135




40.1k1479135










asked Feb 9 '18 at 0:44









RabinRabin

83




83













  • You are using Kali Linux?

    – Nasir Riley
    Feb 9 '18 at 1:54











  • yes. @NasirRiley i know there's no need to mention it

    – Rabin
    Feb 9 '18 at 2:12













  • Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux.

    – Nasir Riley
    Feb 9 '18 at 2:27











  • Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites.

    – Nasir Riley
    Feb 9 '18 at 2:28











  • In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands: ifconfig cat /etc/network/interfaces cat /etc/resolv.conf service network-manager status

    – Nasir Riley
    Feb 9 '18 at 2:28



















  • You are using Kali Linux?

    – Nasir Riley
    Feb 9 '18 at 1:54











  • yes. @NasirRiley i know there's no need to mention it

    – Rabin
    Feb 9 '18 at 2:12













  • Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux.

    – Nasir Riley
    Feb 9 '18 at 2:27











  • Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites.

    – Nasir Riley
    Feb 9 '18 at 2:28











  • In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands: ifconfig cat /etc/network/interfaces cat /etc/resolv.conf service network-manager status

    – Nasir Riley
    Feb 9 '18 at 2:28

















You are using Kali Linux?

– Nasir Riley
Feb 9 '18 at 1:54





You are using Kali Linux?

– Nasir Riley
Feb 9 '18 at 1:54













yes. @NasirRiley i know there's no need to mention it

– Rabin
Feb 9 '18 at 2:12







yes. @NasirRiley i know there's no need to mention it

– Rabin
Feb 9 '18 at 2:12















Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux.

– Nasir Riley
Feb 9 '18 at 2:27





Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux.

– Nasir Riley
Feb 9 '18 at 2:27













Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites.

– Nasir Riley
Feb 9 '18 at 2:28





Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites.

– Nasir Riley
Feb 9 '18 at 2:28













In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands: ifconfig cat /etc/network/interfaces cat /etc/resolv.conf service network-manager status

– Nasir Riley
Feb 9 '18 at 2:28





In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands: ifconfig cat /etc/network/interfaces cat /etc/resolv.conf service network-manager status

– Nasir Riley
Feb 9 '18 at 2:28










3 Answers
3






active

oldest

votes


















1














The policy rules that you've created will allow outside hosts to connect to your TCP ports 22, 80 and 443, but not allow any other traffic, including your own! If you really want to prevent this host from accessing anything other than these three ports, and don't want outside hosts to access yours at all, you can put the rules on your OUTPUT rule chain instead of your INPUT one and then have a CONNTRACK rule on your input chain to prevent connections that you didn't initiate:



-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m udp -p udp --sport 53 -j ACCEPT
-A OUTPUT -i lo -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m udp -p udp --dport 53 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT


I usually allow the loopback adapter to work normally as some internal programs may need it; as well, I would allow DNS traffic, or else you won't be able to resolve domain names.






share|improve this answer
























  • it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?

    – Rabin
    Feb 9 '18 at 8:45











  • Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in the OUTPUT section; everything else will be dropped.

    – ErikF
    Feb 9 '18 at 20:05



















1














As others pointed out in the comments, you do not need INPUT rules like those to access websites. You would only need these rules if you were running services on these ports locally. If you did want to restrict outbound traffic instead, these rules would need to go in the OUTPUT chain.



Additionally, you are losing all connectivity because you are DROPping all inbound traffic. When you make a connection to a webserver, the returning data (specifically, the TCP 3 way handshake) will be DROPPed in the INPUT chain because of your catch-all drop. To fix this, you need to add a rule to allow these return connections:



iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT





share|improve this answer































    0














    Try update-alternatives --config iptables and select the legacy version.
    Worked for me for the time being.






    share|improve this answer





















    • 1





      I've edited your answer to add code formatting, remove signature and replace dash character with --. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.

      – Anthony Geoghegan
      Jan 30 at 20:09











    • I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.

      – Rabin
      Jan 30 at 23:10











    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "106"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f422942%2fiptables-facing-problems-to-allow-specific-ports-and-block-others%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    The policy rules that you've created will allow outside hosts to connect to your TCP ports 22, 80 and 443, but not allow any other traffic, including your own! If you really want to prevent this host from accessing anything other than these three ports, and don't want outside hosts to access yours at all, you can put the rules on your OUTPUT rule chain instead of your INPUT one and then have a CONNTRACK rule on your input chain to prevent connections that you didn't initiate:



    -P INPUT DROP
    -P OUTPUT DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m udp -p udp --sport 53 -j ACCEPT
    -A OUTPUT -i lo -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 22 -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
    -A OUTPUT -m udp -p udp --dport 53 -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 80 -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT


    I usually allow the loopback adapter to work normally as some internal programs may need it; as well, I would allow DNS traffic, or else you won't be able to resolve domain names.






    share|improve this answer
























    • it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?

      – Rabin
      Feb 9 '18 at 8:45











    • Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in the OUTPUT section; everything else will be dropped.

      – ErikF
      Feb 9 '18 at 20:05
















    1














    The policy rules that you've created will allow outside hosts to connect to your TCP ports 22, 80 and 443, but not allow any other traffic, including your own! If you really want to prevent this host from accessing anything other than these three ports, and don't want outside hosts to access yours at all, you can put the rules on your OUTPUT rule chain instead of your INPUT one and then have a CONNTRACK rule on your input chain to prevent connections that you didn't initiate:



    -P INPUT DROP
    -P OUTPUT DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m udp -p udp --sport 53 -j ACCEPT
    -A OUTPUT -i lo -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 22 -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
    -A OUTPUT -m udp -p udp --dport 53 -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 80 -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT


    I usually allow the loopback adapter to work normally as some internal programs may need it; as well, I would allow DNS traffic, or else you won't be able to resolve domain names.






    share|improve this answer
























    • it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?

      – Rabin
      Feb 9 '18 at 8:45











    • Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in the OUTPUT section; everything else will be dropped.

      – ErikF
      Feb 9 '18 at 20:05














    1












    1








    1







    The policy rules that you've created will allow outside hosts to connect to your TCP ports 22, 80 and 443, but not allow any other traffic, including your own! If you really want to prevent this host from accessing anything other than these three ports, and don't want outside hosts to access yours at all, you can put the rules on your OUTPUT rule chain instead of your INPUT one and then have a CONNTRACK rule on your input chain to prevent connections that you didn't initiate:



    -P INPUT DROP
    -P OUTPUT DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m udp -p udp --sport 53 -j ACCEPT
    -A OUTPUT -i lo -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 22 -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
    -A OUTPUT -m udp -p udp --dport 53 -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 80 -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT


    I usually allow the loopback adapter to work normally as some internal programs may need it; as well, I would allow DNS traffic, or else you won't be able to resolve domain names.






    share|improve this answer













    The policy rules that you've created will allow outside hosts to connect to your TCP ports 22, 80 and 443, but not allow any other traffic, including your own! If you really want to prevent this host from accessing anything other than these three ports, and don't want outside hosts to access yours at all, you can put the rules on your OUTPUT rule chain instead of your INPUT one and then have a CONNTRACK rule on your input chain to prevent connections that you didn't initiate:



    -P INPUT DROP
    -P OUTPUT DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m udp -p udp --sport 53 -j ACCEPT
    -A OUTPUT -i lo -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 22 -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
    -A OUTPUT -m udp -p udp --dport 53 -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 80 -j ACCEPT
    -A OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT


    I usually allow the loopback adapter to work normally as some internal programs may need it; as well, I would allow DNS traffic, or else you won't be able to resolve domain names.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Feb 9 '18 at 6:41









    ErikFErikF

    2,9111513




    2,9111513













    • it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?

      – Rabin
      Feb 9 '18 at 8:45











    • Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in the OUTPUT section; everything else will be dropped.

      – ErikF
      Feb 9 '18 at 20:05



















    • it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?

      – Rabin
      Feb 9 '18 at 8:45











    • Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in the OUTPUT section; everything else will be dropped.

      – ErikF
      Feb 9 '18 at 20:05

















    it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?

    – Rabin
    Feb 9 '18 at 8:45





    it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?

    – Rabin
    Feb 9 '18 at 8:45













    Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in the OUTPUT section; everything else will be dropped.

    – ErikF
    Feb 9 '18 at 20:05





    Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in the OUTPUT section; everything else will be dropped.

    – ErikF
    Feb 9 '18 at 20:05













    1














    As others pointed out in the comments, you do not need INPUT rules like those to access websites. You would only need these rules if you were running services on these ports locally. If you did want to restrict outbound traffic instead, these rules would need to go in the OUTPUT chain.



    Additionally, you are losing all connectivity because you are DROPping all inbound traffic. When you make a connection to a webserver, the returning data (specifically, the TCP 3 way handshake) will be DROPPed in the INPUT chain because of your catch-all drop. To fix this, you need to add a rule to allow these return connections:



    iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT





    share|improve this answer




























      1














      As others pointed out in the comments, you do not need INPUT rules like those to access websites. You would only need these rules if you were running services on these ports locally. If you did want to restrict outbound traffic instead, these rules would need to go in the OUTPUT chain.



      Additionally, you are losing all connectivity because you are DROPping all inbound traffic. When you make a connection to a webserver, the returning data (specifically, the TCP 3 way handshake) will be DROPPed in the INPUT chain because of your catch-all drop. To fix this, you need to add a rule to allow these return connections:



      iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT





      share|improve this answer


























        1












        1








        1







        As others pointed out in the comments, you do not need INPUT rules like those to access websites. You would only need these rules if you were running services on these ports locally. If you did want to restrict outbound traffic instead, these rules would need to go in the OUTPUT chain.



        Additionally, you are losing all connectivity because you are DROPping all inbound traffic. When you make a connection to a webserver, the returning data (specifically, the TCP 3 way handshake) will be DROPPed in the INPUT chain because of your catch-all drop. To fix this, you need to add a rule to allow these return connections:



        iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT





        share|improve this answer













        As others pointed out in the comments, you do not need INPUT rules like those to access websites. You would only need these rules if you were running services on these ports locally. If you did want to restrict outbound traffic instead, these rules would need to go in the OUTPUT chain.



        Additionally, you are losing all connectivity because you are DROPping all inbound traffic. When you make a connection to a webserver, the returning data (specifically, the TCP 3 way handshake) will be DROPPed in the INPUT chain because of your catch-all drop. To fix this, you need to add a rule to allow these return connections:



        iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT






        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Feb 9 '18 at 15:15









        multithr3at3dmultithr3at3d

        43428




        43428























            0














            Try update-alternatives --config iptables and select the legacy version.
            Worked for me for the time being.






            share|improve this answer





















            • 1





              I've edited your answer to add code formatting, remove signature and replace dash character with --. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.

              – Anthony Geoghegan
              Jan 30 at 20:09











            • I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.

              – Rabin
              Jan 30 at 23:10
















            0














            Try update-alternatives --config iptables and select the legacy version.
            Worked for me for the time being.






            share|improve this answer





















            • 1





              I've edited your answer to add code formatting, remove signature and replace dash character with --. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.

              – Anthony Geoghegan
              Jan 30 at 20:09











            • I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.

              – Rabin
              Jan 30 at 23:10














            0












            0








            0







            Try update-alternatives --config iptables and select the legacy version.
            Worked for me for the time being.






            share|improve this answer















            Try update-alternatives --config iptables and select the legacy version.
            Worked for me for the time being.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Jan 30 at 20:07









            Anthony Geoghegan

            7,74243954




            7,74243954










            answered Jan 30 at 19:59









            pape fall bncpape fall bnc

            1




            1








            • 1





              I've edited your answer to add code formatting, remove signature and replace dash character with --. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.

              – Anthony Geoghegan
              Jan 30 at 20:09











            • I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.

              – Rabin
              Jan 30 at 23:10














            • 1





              I've edited your answer to add code formatting, remove signature and replace dash character with --. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.

              – Anthony Geoghegan
              Jan 30 at 20:09











            • I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.

              – Rabin
              Jan 30 at 23:10








            1




            1





            I've edited your answer to add code formatting, remove signature and replace dash character with --. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.

            – Anthony Geoghegan
            Jan 30 at 20:09





            I've edited your answer to add code formatting, remove signature and replace dash character with --. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.

            – Anthony Geoghegan
            Jan 30 at 20:09













            I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.

            – Rabin
            Jan 30 at 23:10





            I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.

            – Rabin
            Jan 30 at 23:10


















            draft saved

            draft discarded




















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f422942%2fiptables-facing-problems-to-allow-specific-ports-and-block-others%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            How to make a Squid Proxy server?

            第一次世界大戦

            Touch on Surface Book