4

I'm trying to configure the iptables on my device in order to allow only SSH and HTTPS traffic. In particular, the HTTPS protocol is used to call some REST API toward a remote server from a java client.

This is my iptables:

iptables -F

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

#HTTPS
iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Everything works as expected, except for HTTPS traffic, which is blocked by iptables.

What i made wrong?

wyr0
  • 149
  • 1
  • 1
  • 2
  • Blocked in or blocked out? The sport of an outbound connection will almost certainly not be 443. – user9517 Feb 19 '16 at 18:05
  • 2
    Do yourself a favor: 1. Don't write stateless firewalls. 2. If you don't know how to write a firewall from scratch, get a tool to generate it for you. – Michael Hampton Feb 19 '16 at 18:13
  • Should be OUTPUT -p tcp --dport 443 and INPUT -p tcp --sport 443 if you trigger some remote API from that machine. – ALex_hha Feb 19 '16 at 22:18

1 Answers1

7

Do not block all the outbound rule, it will not choose port 443 as a source to get data from other server. And I think blocking inbound rules are pretty enough to ensure your server security. Rest is all Good. You can use below rules if you want.

iptables -F
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -j DROP
Gaurav Pundir
  • 1,496
  • 12
  • 14