0

I have two questions. First: I want configure iptables on my Ubuntu 16.04 server, like: INPUT policy DROP and after that allow one by one ports. All is ok but when i put: iptables -p INPUT -j ACCEPT, Ubuntu told me: iptables v1.60: -p request chain or policy. I use separator -A, but policy is ACCEPT.

Second: What need allow in iptables to accept "apt-get". I was allowed dport 53 (udp and tcp) and 80 (tcp), but nothing, just write (Connection 0%)

O.

George Udosen
  • 36,677
Ognjen Stanisavljevic
  • 3
  • Have you considered using ufw or firewalld which is much simpler to handle? – George Udosen Aug 15 '17 at 16:34
  • No, iptables is steadily. But thanks for reference. – Ognjen Stanisavljevic Aug 15 '17 at 21:11
  • ufw is handy to have as a safety barrier during development. Also, ufw of has a proven set of default rules which it hides from the user., but which can be seen with "ip[6]tables -S". Just copy those default rules for an excellent first working version of your own iptables. – Craig Hicks Apr 20 '18 at 22:07

2 Answers2

0

It is difficult to impossible to give you advice without you posting your rules. Keep in mind, order of your rules is important.

General advice:

  1. DROP is a poor choice, use REJECT. DROP is no more secure and in no way hides your IP address, the cracking tools are sophisticated enough to determine you are up at your IP address and DROP only then affects legitimate traffic.

Cracking tools are for the most part automated, rude, do not follow nettequate, and do not wait for acknowledgement or for the connection to time out. DROP does not slow them down in any way. crackers will run them in the background or overnight and review the output later, they usually play games while the tools are running.

See - http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

  1. Never set your default policy to DROP or REJECT. If you flush your rules you will lock yourself out.

Instead, keep your default policy as ACCEPT and add REJECT as the last rule in the chain.

  1. If you have a problem with a command, post the command you ran and output. either copy paste or use pastebinit

https://help.ubuntu.com/community/Pastebinit

See also http://bodhizazen.com/Tutorials/iptables

  1. Use iptables persistent to save your rules

iptables resets when server reboots

Panther
  • 102,067
  • Here is my iptables: https://pastebin.com/zEJnhBHq . I use this script for start && restart and put in rc.local. btw, this si for my mail server (zimbra) – Ognjen Stanisavljevic Aug 16 '17 at 07:34
  • Scripts for iptables are more complicated and unecessary. Why do you want to obscure your rules ? Use iptables-save and iptables-restore and better iptables persistent - https://askubuntu.com/questions/119393/how-to-save-rules-of-the-iptables . – Panther Aug 16 '17 at 16:03
0

You need to accept incoming traffic

iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

Put that as your first rule in your INPUT chain.

Panther
  • 102,067