Iptables - facing problems to allow specific ports and block others
I tried to block all ports except 22(ssh), 80(http), 443(https). My current INPUT rules are these.
> iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP all -- anywhere anywhere
it should accept http and https port and then block everything else. but It's blocking everything. for example when I try to visit facebook which uses port 80 & 443, it doesn't work. I can't visit facebook. what should I do now?
I also tried like this. Allowed mentioned ports and made the policy DROP, though I'm not sure. the same happens.
> iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
iptables kali-linux firewall
|
show 1 more comment
I tried to block all ports except 22(ssh), 80(http), 443(https). My current INPUT rules are these.
> iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP all -- anywhere anywhere
it should accept http and https port and then block everything else. but It's blocking everything. for example when I try to visit facebook which uses port 80 & 443, it doesn't work. I can't visit facebook. what should I do now?
I also tried like this. Allowed mentioned ports and made the policy DROP, though I'm not sure. the same happens.
> iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
iptables kali-linux firewall
You are using Kali Linux?
– Nasir Riley
Feb 9 '18 at 1:54
yes. @NasirRiley i know there's no need to mention it
– Rabin
Feb 9 '18 at 2:12
Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux.
– Nasir Riley
Feb 9 '18 at 2:27
Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites.
– Nasir Riley
Feb 9 '18 at 2:28
In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands:ifconfigcat /etc/network/interfacescat /etc/resolv.confservice network-manager status
– Nasir Riley
Feb 9 '18 at 2:28
|
show 1 more comment
I tried to block all ports except 22(ssh), 80(http), 443(https). My current INPUT rules are these.
> iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP all -- anywhere anywhere
it should accept http and https port and then block everything else. but It's blocking everything. for example when I try to visit facebook which uses port 80 & 443, it doesn't work. I can't visit facebook. what should I do now?
I also tried like this. Allowed mentioned ports and made the policy DROP, though I'm not sure. the same happens.
> iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
iptables kali-linux firewall
I tried to block all ports except 22(ssh), 80(http), 443(https). My current INPUT rules are these.
> iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP all -- anywhere anywhere
it should accept http and https port and then block everything else. but It's blocking everything. for example when I try to visit facebook which uses port 80 & 443, it doesn't work. I can't visit facebook. what should I do now?
I also tried like this. Allowed mentioned ports and made the policy DROP, though I'm not sure. the same happens.
> iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
iptables kali-linux firewall
iptables kali-linux firewall
edited Aug 21 '18 at 1:01
Rui F Ribeiro
40.1k1479135
40.1k1479135
asked Feb 9 '18 at 0:44
RabinRabin
83
83
You are using Kali Linux?
– Nasir Riley
Feb 9 '18 at 1:54
yes. @NasirRiley i know there's no need to mention it
– Rabin
Feb 9 '18 at 2:12
Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux.
– Nasir Riley
Feb 9 '18 at 2:27
Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites.
– Nasir Riley
Feb 9 '18 at 2:28
In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands:ifconfigcat /etc/network/interfacescat /etc/resolv.confservice network-manager status
– Nasir Riley
Feb 9 '18 at 2:28
|
show 1 more comment
You are using Kali Linux?
– Nasir Riley
Feb 9 '18 at 1:54
yes. @NasirRiley i know there's no need to mention it
– Rabin
Feb 9 '18 at 2:12
Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux.
– Nasir Riley
Feb 9 '18 at 2:27
Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites.
– Nasir Riley
Feb 9 '18 at 2:28
In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands:ifconfigcat /etc/network/interfacescat /etc/resolv.confservice network-manager status
– Nasir Riley
Feb 9 '18 at 2:28
You are using Kali Linux?
– Nasir Riley
Feb 9 '18 at 1:54
You are using Kali Linux?
– Nasir Riley
Feb 9 '18 at 1:54
yes. @NasirRiley i know there's no need to mention it
– Rabin
Feb 9 '18 at 2:12
yes. @NasirRiley i know there's no need to mention it
– Rabin
Feb 9 '18 at 2:12
Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux.
– Nasir Riley
Feb 9 '18 at 2:27
Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux.
– Nasir Riley
Feb 9 '18 at 2:27
Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites.
– Nasir Riley
Feb 9 '18 at 2:28
Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites.
– Nasir Riley
Feb 9 '18 at 2:28
In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands:
ifconfig cat /etc/network/interfaces cat /etc/resolv.conf service network-manager status– Nasir Riley
Feb 9 '18 at 2:28
In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands:
ifconfig cat /etc/network/interfaces cat /etc/resolv.conf service network-manager status– Nasir Riley
Feb 9 '18 at 2:28
|
show 1 more comment
3 Answers
3
active
oldest
votes
The policy rules that you've created will allow outside hosts to connect to your TCP ports 22, 80 and 443, but not allow any other traffic, including your own! If you really want to prevent this host from accessing anything other than these three ports, and don't want outside hosts to access yours at all, you can put the rules on your OUTPUT rule chain instead of your INPUT one and then have a CONNTRACK rule on your input chain to prevent connections that you didn't initiate:
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m udp -p udp --sport 53 -j ACCEPT
-A OUTPUT -i lo -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m udp -p udp --dport 53 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT
I usually allow the loopback adapter to work normally as some internal programs may need it; as well, I would allow DNS traffic, or else you won't be able to resolve domain names.
it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?
– Rabin
Feb 9 '18 at 8:45
Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in theOUTPUTsection; everything else will be dropped.
– ErikF
Feb 9 '18 at 20:05
add a comment |
As others pointed out in the comments, you do not need INPUT rules like those to access websites. You would only need these rules if you were running services on these ports locally. If you did want to restrict outbound traffic instead, these rules would need to go in the OUTPUT chain.
Additionally, you are losing all connectivity because you are DROPping all inbound traffic. When you make a connection to a webserver, the returning data (specifically, the TCP 3 way handshake) will be DROPPed in the INPUT chain because of your catch-all drop. To fix this, you need to add a rule to allow these return connections:
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
add a comment |
Try update-alternatives --config iptables and select the legacy version.
Worked for me for the time being.
1
I've edited your answer to add code formatting, remove signature and replace dash character with--. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.
– Anthony Geoghegan
Jan 30 at 20:09
I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.
– Rabin
Jan 30 at 23:10
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f422942%2fiptables-facing-problems-to-allow-specific-ports-and-block-others%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
The policy rules that you've created will allow outside hosts to connect to your TCP ports 22, 80 and 443, but not allow any other traffic, including your own! If you really want to prevent this host from accessing anything other than these three ports, and don't want outside hosts to access yours at all, you can put the rules on your OUTPUT rule chain instead of your INPUT one and then have a CONNTRACK rule on your input chain to prevent connections that you didn't initiate:
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m udp -p udp --sport 53 -j ACCEPT
-A OUTPUT -i lo -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m udp -p udp --dport 53 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT
I usually allow the loopback adapter to work normally as some internal programs may need it; as well, I would allow DNS traffic, or else you won't be able to resolve domain names.
it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?
– Rabin
Feb 9 '18 at 8:45
Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in theOUTPUTsection; everything else will be dropped.
– ErikF
Feb 9 '18 at 20:05
add a comment |
The policy rules that you've created will allow outside hosts to connect to your TCP ports 22, 80 and 443, but not allow any other traffic, including your own! If you really want to prevent this host from accessing anything other than these three ports, and don't want outside hosts to access yours at all, you can put the rules on your OUTPUT rule chain instead of your INPUT one and then have a CONNTRACK rule on your input chain to prevent connections that you didn't initiate:
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m udp -p udp --sport 53 -j ACCEPT
-A OUTPUT -i lo -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m udp -p udp --dport 53 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT
I usually allow the loopback adapter to work normally as some internal programs may need it; as well, I would allow DNS traffic, or else you won't be able to resolve domain names.
it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?
– Rabin
Feb 9 '18 at 8:45
Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in theOUTPUTsection; everything else will be dropped.
– ErikF
Feb 9 '18 at 20:05
add a comment |
The policy rules that you've created will allow outside hosts to connect to your TCP ports 22, 80 and 443, but not allow any other traffic, including your own! If you really want to prevent this host from accessing anything other than these three ports, and don't want outside hosts to access yours at all, you can put the rules on your OUTPUT rule chain instead of your INPUT one and then have a CONNTRACK rule on your input chain to prevent connections that you didn't initiate:
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m udp -p udp --sport 53 -j ACCEPT
-A OUTPUT -i lo -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m udp -p udp --dport 53 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT
I usually allow the loopback adapter to work normally as some internal programs may need it; as well, I would allow DNS traffic, or else you won't be able to resolve domain names.
The policy rules that you've created will allow outside hosts to connect to your TCP ports 22, 80 and 443, but not allow any other traffic, including your own! If you really want to prevent this host from accessing anything other than these three ports, and don't want outside hosts to access yours at all, you can put the rules on your OUTPUT rule chain instead of your INPUT one and then have a CONNTRACK rule on your input chain to prevent connections that you didn't initiate:
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m udp -p udp --sport 53 -j ACCEPT
-A OUTPUT -i lo -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m udp -p udp --dport 53 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT
I usually allow the loopback adapter to work normally as some internal programs may need it; as well, I would allow DNS traffic, or else you won't be able to resolve domain names.
answered Feb 9 '18 at 6:41
ErikFErikF
2,9111513
2,9111513
it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?
– Rabin
Feb 9 '18 at 8:45
Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in theOUTPUTsection; everything else will be dropped.
– ErikF
Feb 9 '18 at 20:05
add a comment |
it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?
– Rabin
Feb 9 '18 at 8:45
Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in theOUTPUTsection; everything else will be dropped.
– ErikF
Feb 9 '18 at 20:05
it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?
– Rabin
Feb 9 '18 at 8:45
it resolved just by adding related and established. but I didn't got the point why I should add these output rules. could you please explain a little more?
– Rabin
Feb 9 '18 at 8:45
Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in the
OUTPUT section; everything else will be dropped.– ErikF
Feb 9 '18 at 20:05
Well-known port numbers apply to the server, not the client, so if you want to allow access to only certain ports on other hosts, you need to check on data being sent, not received. In this case, you indicated that you only wanted programs to be able to access HTTP(S) and SSH ports (and DNS), so those are what I put in the
OUTPUT section; everything else will be dropped.– ErikF
Feb 9 '18 at 20:05
add a comment |
As others pointed out in the comments, you do not need INPUT rules like those to access websites. You would only need these rules if you were running services on these ports locally. If you did want to restrict outbound traffic instead, these rules would need to go in the OUTPUT chain.
Additionally, you are losing all connectivity because you are DROPping all inbound traffic. When you make a connection to a webserver, the returning data (specifically, the TCP 3 way handshake) will be DROPPed in the INPUT chain because of your catch-all drop. To fix this, you need to add a rule to allow these return connections:
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
add a comment |
As others pointed out in the comments, you do not need INPUT rules like those to access websites. You would only need these rules if you were running services on these ports locally. If you did want to restrict outbound traffic instead, these rules would need to go in the OUTPUT chain.
Additionally, you are losing all connectivity because you are DROPping all inbound traffic. When you make a connection to a webserver, the returning data (specifically, the TCP 3 way handshake) will be DROPPed in the INPUT chain because of your catch-all drop. To fix this, you need to add a rule to allow these return connections:
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
add a comment |
As others pointed out in the comments, you do not need INPUT rules like those to access websites. You would only need these rules if you were running services on these ports locally. If you did want to restrict outbound traffic instead, these rules would need to go in the OUTPUT chain.
Additionally, you are losing all connectivity because you are DROPping all inbound traffic. When you make a connection to a webserver, the returning data (specifically, the TCP 3 way handshake) will be DROPPed in the INPUT chain because of your catch-all drop. To fix this, you need to add a rule to allow these return connections:
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
As others pointed out in the comments, you do not need INPUT rules like those to access websites. You would only need these rules if you were running services on these ports locally. If you did want to restrict outbound traffic instead, these rules would need to go in the OUTPUT chain.
Additionally, you are losing all connectivity because you are DROPping all inbound traffic. When you make a connection to a webserver, the returning data (specifically, the TCP 3 way handshake) will be DROPPed in the INPUT chain because of your catch-all drop. To fix this, you need to add a rule to allow these return connections:
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
answered Feb 9 '18 at 15:15
multithr3at3dmultithr3at3d
43428
43428
add a comment |
add a comment |
Try update-alternatives --config iptables and select the legacy version.
Worked for me for the time being.
1
I've edited your answer to add code formatting, remove signature and replace dash character with--. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.
– Anthony Geoghegan
Jan 30 at 20:09
I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.
– Rabin
Jan 30 at 23:10
add a comment |
Try update-alternatives --config iptables and select the legacy version.
Worked for me for the time being.
1
I've edited your answer to add code formatting, remove signature and replace dash character with--. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.
– Anthony Geoghegan
Jan 30 at 20:09
I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.
– Rabin
Jan 30 at 23:10
add a comment |
Try update-alternatives --config iptables and select the legacy version.
Worked for me for the time being.
Try update-alternatives --config iptables and select the legacy version.
Worked for me for the time being.
edited Jan 30 at 20:07
Anthony Geoghegan
7,74243954
7,74243954
answered Jan 30 at 19:59
pape fall bncpape fall bnc
1
1
1
I've edited your answer to add code formatting, remove signature and replace dash character with--. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.
– Anthony Geoghegan
Jan 30 at 20:09
I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.
– Rabin
Jan 30 at 23:10
add a comment |
1
I've edited your answer to add code formatting, remove signature and replace dash character with--. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.
– Anthony Geoghegan
Jan 30 at 20:09
I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.
– Rabin
Jan 30 at 23:10
1
1
I've edited your answer to add code formatting, remove signature and replace dash character with
--. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.– Anthony Geoghegan
Jan 30 at 20:09
I've edited your answer to add code formatting, remove signature and replace dash character with
--. However, to be a good answer, it could do with more detail, explaining what this command does. See How to Answer.– Anthony Geoghegan
Jan 30 at 20:09
I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.
– Rabin
Jan 30 at 23:10
I just needed to allow established connections. I noticed, like others said, your web server uses multiple random ports other than http or ssh after the connection is established. So I just needed that. It's a little more complicated while setting up a firewall.
– Rabin
Jan 30 at 23:10
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f422942%2fiptables-facing-problems-to-allow-specific-ports-and-block-others%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
You are using Kali Linux?
– Nasir Riley
Feb 9 '18 at 1:54
yes. @NasirRiley i know there's no need to mention it
– Rabin
Feb 9 '18 at 2:12
Kali Linux is not for beginners. It is meant for penetration testing and it's designed with the idea that the user will have a good base knowledge of Linux at the very least. Even if you are using it for that, I would recommend that you use a distro such as Ubuntu first to get more familiar with it before using Kali Linux.
– Nasir Riley
Feb 9 '18 at 2:27
Secondly, you don't need ports 80 and 443 open to access other websites. The iptables rules that you have are for allowing access to your machine if you are running a webserver and hosting websites.
– Nasir Riley
Feb 9 '18 at 2:28
In your case, you want to test your network connectivity. Try pinging other addresses in your local network. Also, can you post the output of the following commands:
ifconfigcat /etc/network/interfacescat /etc/resolv.confservice network-manager status– Nasir Riley
Feb 9 '18 at 2:28