0

We have a Ubuntu server that host a php server and game server. recently, we get a lot of dos and flood attack. so i find some rule for iptables can protect http and game port from attack.

here is my rules:

iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m limit --limit 5/sec -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3724 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT

but the problem appear when php want to open a request like Soap WebService to another server. and iptables block this connection.

I think that problem is in this line :

iptables -P INPUT DROP

but without this line all request to all other port are allowed.

and this is php Soap error :

object(SoapClient)#48 (2) { ["_soap_version"]=> int(1) ["sdl"]=> resource(97) of type (Unknown) }

I appreciate all your comment. Thanks.

Amin Mastani
  • 3
  • 1
  • 3
  • This question is probably more successful in the ServerFault sister page, since it is a question about configuration, not about a programming issue. You can see the like to that page in the footer of this one. – arkascha Dec 10 '15 at 09:10
  • Try asking the same question here on [serverfault](http://serverfault.com/) – manishrw Dec 10 '15 at 09:27

1 Answers1

0

The problem is that outgoing connections use a random local port to listen for replies. So if, for example, you are requesting a DNS entry on port 53, your computer will listen on port 42316 for data. If the latter port is blocked, as is the case in the above setup, the connection will fail.

This is easily solved generally allowing packets of state ESTABLISHED and RELATED connections.

iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Also, change the other rules to use state NEW, as that's most likely what you want to restrict. Otherwise it will just cripple the server's connectivty.

tarleb
  • 19,863
  • 4
  • 51
  • 80