iptables and OUTPUT policy

Jason.nix · 02-17-2024, 05:53 AM

Hello,
Are the following iptables rules wrong?

Code:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s "IP" -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j DROP
-A INPUT -p tcp -m tcp --dport 30 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -d "IP" -p tcp -m tcp --dport 40 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 40 -j DROP

Thank you.

jayjwa · 02-17-2024, 12:36 PM

Wrong for what? With a default accept output, you only are blocking tcp/40 outbound which I can't see a practical application for.

Jason.nix · 02-18-2024, 12:05 AM

Quote:

Originally Posted by jayjwa

Wrong for what? With a default accept output, you only are blocking tcp/40 outbound which I can't see a practical application for.

Hello,
Thank you so much for your reply.
Not really. I have only allowed exit to port 40 and other ports are blocked.

Jason.nix · 02-19-2024, 12:38 PM

Hello,
No idea?

Thanks.

astrogeek · 02-19-2024, 02:17 PM

Quote:

Originally Posted by Jason.nix

Hello,
Thank you so much for your reply.
Not really. I have only allowed exit to port 40 and other ports are blocked.

No, you are doing just the opposite:

Quote:

Originally Posted by Jason.nix

Hello,
Are the following iptables rules wrong?

Code:

...
-P OUTPUT ACCEPT
...
-A OUTPUT -d "IP" -p tcp -m tcp --dport 40 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 40 -j DROP
...Policy ACCEPT applies to everything else not handled above...

You are blocking tcp/40 except to "IP" (assuming that to be redacted) and accepting everything else.

Jason.nix · 02-20-2024, 12:31 AM

Quote:

Originally Posted by astrogeek

No, you are doing just the opposite:

You are blocking tcp/40 except to "IP" (assuming that to be redacted) and accepting everything else.

Hello,
Thank you so much for your reply.
1- How can I solve it? I want the server to be able to send data only to port number 40.

2- Is the following rule also wrong? I just want a specific IP address to be able to connect to port 20.

Code:

-A INPUT -s "IP" -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j DROP

jayjwa · 02-20-2024, 08:09 AM

If you want to block by default, you should set the default policy to block.

Code:

iptables -P OUTPUT DROP
iptables -A OUTPUT -d $IP -p tcp -m tcp --dport 40 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d $IP -p tcp -m tcp --dport 40 -j ACCEPT

You'll have to allow for DNS, if needed, and also mind ipv6 (if in use). Your second example does similar: it takes packets on the INPUT chain and then drops tcp/20 packets. If you want that type of rule, look into negation (! --dport 20). Unfortunately, I can't easily test these rules right now but I think you can see what I'm getting at.

Jason.nix · 02-21-2024, 01:26 AM

Quote:

Originally Posted by jayjwa

If you want to block by default, you should set the default policy to block.

Code:

iptables -P OUTPUT DROP
iptables -A OUTPUT -d $IP -p tcp -m tcp --dport 40 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d $IP -p tcp -m tcp --dport 40 -j ACCEPT

You'll have to allow for DNS, if needed, and also mind ipv6 (if in use). Your second example does similar: it takes packets on the INPUT chain and then drops tcp/20 packets. If you want that type of rule, look into negation (! --dport 20). Unfortunately, I can't easily test these rules right now but I think you can see what I'm getting at.

Hello,
Thank you so much for your reply.
Why you changed DROP to ACCEPT in the second rule?

jayjwa · 02-21-2024, 12:16 PM

Because the default policy is already DROP and everything is dropped by default. If you don't make any exception, nothing is allowed and you wanted tcp/40.

Quote:

-P, --policy chain target
Set the policy for the built‐in (non‐user‐defined) chain to the
given target. The policy target must be either ACCEPT or DROP.