
It's been a long time since I configured my firewall, and now I see there might be an error. Here's the INPUT part of iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Do you see the line

ACCEPT all -- anywhere anywhere

without any parameters? Does this mean all ports are open? How do I change this line?

john Smith

2 Answers

If you are manually managing iptables, you need to write the rules to a file using iptables-save(8):

# iptables-save > /tmp/iptables.txt

Edit the rules as you please, then restore the set with iptables-restore(8):

# iptables-restore /tmp/iptables.txt

Check the iptables documentation (apropos iptables) and online blog posts about configuring a stateful firewall with iptables. E.g. 'Towards the perfect ruleset', by Jan Engelhardt.

dawud

If you run:

iptables -L --line-numbers

you will have a line number reference:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
2    fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
3    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
4    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
5    DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
6    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
7    ACCEPT     all  --  anywhere             anywhere
8    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
9    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
[...]

and then you can run

iptables -D INPUT 7
Diego Roccia
  • Made it like that; nevertheless the rule seemed to be necessary, so I needed to add it afterwards. So maybe you can explain why this does not open all ports and seems to be required for port 80 to work? – john Smith Nov 25 '16 at 13:57
  • The iptables -L output does not give enough information to understand. – Diego Roccia Nov 25 '16 at 15:33
  • Sorry, I wrongly pressed enter. You should paste the output of iptables -L -v or iptables-save, but maybe in another question, since the title would become misleading. And please accept my answer if it helped you :) – Diego Roccia Nov 25 '16 at 15:36
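Both answers and the follow-up comments come together in one check: dawud's save/edit/restore workflow and Diego's point that `iptables -L` output, which omits interface matches unless you pass `-v`, is not enough to judge a rule. The script below is an added example, not code from either answer. It audits a ruleset in `iptables-save` format, reports each ACCEPT rule in INPUT with the same position number that `iptables -L INPUT --line-numbers` would show, and tells apart a rule that really has no match criteria from one that is only hidden detail (for instance `-i lo`, the usual reason a bare "ACCEPT all -- anywhere anywhere" is needed and harmless). The ruleset embedded in it is constructed for the demo, and the `-A INPUT -i lo -j ACCEPT` line in it is an assumption about what the asker's rule might be, not something the question states.

```shell
#!/bin/sh
# Added example (not from the question or either answer). Audits an
# iptables-save dump and removes genuinely unqualified ACCEPT rules from
# INPUT, then validates the edited set with `iptables-restore --test`
# before anything is committed to the kernel.

# Constructed ruleset: an assumption for the demo, not the asker's real one.
# Rule 4 (-i lo) is what `iptables -L` without -v shows as a bare
# "ACCEPT all -- anywhere anywhere"; rule 5 is a real accept-everything rule.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# audit_input_accepts: read iptables-save text on stdin and print one line
# per ACCEPT rule in INPUT: "<position> <verdict> <rule>". The position is
# the rule's 1-based index in the chain, i.e. the number that
# `iptables -L INPUT --line-numbers` prints and that `iptables -D INPUT N`
# expects. Verdicts: OPEN-TO-ALL (no match at all), iface-only:<dev>
# (only an input-interface match, which plain -L does not display),
# limited (any other match criteria).
audit_input_accepts() {
    awk '
        /^-A INPUT / {
            pos++
            if ($NF != "ACCEPT" || $(NF-1) != "-j") next
            # fields between "-A INPUT" and "-j ACCEPT" are the match criteria
            n = NF - 4
            if (n <= 0)                   verdict = "OPEN-TO-ALL"
            else if (n == 2 && $3 == "-i") verdict = "iface-only:" $4
            else                          verdict = "limited"
            printf "%d %s %s\n", pos, verdict, $0
        }'
}

# remove_open_accepts: emit the ruleset minus any bare "-A INPUT -j ACCEPT".
# Editing the saved text and restoring it replaces the whole set atomically,
# unlike deleting by number, where positions shift after every -D.
remove_open_accepts() {
    grep -v -x -e '-A INPUT -j ACCEPT'
}

# check_ruleset: parse-only validation of the ruleset on stdin.
# `iptables-restore --test` builds the ruleset without committing it; it
# needs root and the iptables tools, so report "skipped" where they are
# absent (e.g. in a CI sandbox) instead of failing.
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        iptables-restore --test && echo "ruleset parses"
    else
        cat >/dev/null
        echo "skipped: iptables-restore unavailable or not root"
    fi
}

# Usage: audit first, then produce and validate the edited set.
# On a real host replace SAMPLE_RULES with `iptables-save` output and
# finish with `iptables-restore < edited.rules` only after the test passes,
# keeping the RELATED,ESTABLISHED rule so an SSH session survives the reload.
printf '%s\n' "$SAMPLE_RULES" | audit_input_accepts
printf '%s\n' "$SAMPLE_RULES" | remove_open_accepts | check_ruleset
```

Run against the constructed dump, the audit reports rule 4 as `iface-only:lo` and rule 5 as `OPEN-TO-ALL`; only the latter is the case the question worries about, and `remove_open_accepts` drops exactly that line. If the asker's own `iptables-save` shows the rule as `-A INPUT -i lo -j ACCEPT`, that explains the comment thread: it is needed for local services (a web stack talking to itself over loopback, for example) and does not expose any port to the network.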