
Wednesday, February 15, 2012

Re: Iptables example for mail/web/openvpn server

> ## flush old rules
> iptables -F
> # rules
> iptables -t filter -A INPUT -i venet0 -d your_public_ip \
> -p tcp --sport 1024: -m multiport --dports 80,443,25,587 \
> -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -t filter -A INPUT -i venet0 -d your_ip \
> -p udp --sport 1024: --dport 1194 \
> -m state --state NEW,ESTABLISHED -j ACCEPT
> # default policy
> iptables -P OUTPUT ACCEPT
> iptables -P INPUT DROP
> ##

I think your script lacks the rule that accepts return packets.
Something along the lines of

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Without this rule, return packets will be dropped and the server will be
unable to establish connections. Also note the RELATED, which will accept
ICMP notifications. You need those.

I also recommend accepting ICMP echo requests:

iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120215202401.GA16699@lia.ch
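The quoted script with the two fixes from the reply folded in, as an added example that is not part of the original message or the quoted script. It assumes the same interface (venet0), the same placeholder address (your_public_ip) and the same service ports; with IPT=echo (the default when run without the "apply" argument) it prints the rules instead of applying them, so the ordering can be checked before touching a live host.

```shell
#!/bin/sh
# Added example: the quoted script with the fixes from the reply above.
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"
IFACE="${IFACE:-venet0}"                 # assumption: same interface as the quoted script
PUBLIC_IP="${PUBLIC_IP:-your_public_ip}" # placeholder, replace with the real address

apply_rules() {
    # Flush while the policy is still ACCEPT; set DROP only at the end.
    $IPT -F INPUT

    # Loopback traffic; many local daemons depend on it.
    $IPT -A INPUT -i lo -j ACCEPT

    # Return packets of connections this host opened, plus RELATED traffic
    # such as ICMP errors. Without this rule the server cannot complete any
    # outbound connection once the INPUT policy is DROP.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP echo requests (type 8) so the host stays pingable.
    $IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT

    # Published services. Only NEW is needed here because ESTABLISHED
    # packets are already accepted by the rule above.
    $IPT -A INPUT -i "$IFACE" -d "$PUBLIC_IP" -p tcp \
        -m multiport --dports 80,443,25,587 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -d "$PUBLIC_IP" -p udp --dport 1194 \
        -m state --state NEW -j ACCEPT

    # Default policies last.
    $IPT -P OUTPUT ACCEPT
    $IPT -P INPUT DROP
}

# Sanity check on a dry run: the ESTABLISHED,RELATED accept rule must be
# added before the INPUT policy is switched to DROP. Returns 0 if so.
check_order() {
    (IPT=echo; apply_rules) | awk '
        /--state ESTABLISHED,RELATED -j ACCEPT/ { est = NR }
        /-P INPUT DROP/ { drop = NR }
        END { exit !(est && drop && est < drop) }'
}

# "sh firewall.sh apply" (as root) loads the rules; plain "sh firewall.sh" only prints them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    (IPT=echo; apply_rules)
fi
```

Run check_order after any edit to the script; it fails if the return-traffic rule is missing or ends up after the DROP policy.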
