iptables deny taking precedence over accept
-
I am trying to set rules in iptables. I script the rules all set to accept; however, when I apply a rule to deny as default, the accept rules no longer work. How can I set priority to make sure accept rules are processed before deny?
-
They should execute in order, make sure the deny is below the accept rule.
-
IPT="/sbin/iptables"

# IP Ranges
somenetwork_1="172.34.344.0/24"
somenetwork_2="172.11.44.0/24"
anothernetwork_1="172.189.33.0/24"
anothernetwork_2="172.189.133.0/24"
yetanothernetwork_1="172.51.222.0/24"
yetanothernetwork_2="172.11.222.0/24"
funnetwork_1="172.54.222.0/24"
funnetwork_2="172.112.222.0/24"
vpn="10.2.31.0/24"
public="0.0.0.0/0"

echo "flushing iptables rules"
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

echo "allow all and everything on localhost"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

#Port Range 11122
$IPT --append INPUT --match udp --protocol udp --src $somenetwork_1 --sport 11122 --jump ACCEPT
$IPT --append INPUT --match udp --protocol udp --src $somenetwork_2 --sport 11122 --jump ACCEPT
$IPT --append INPUT --match udp --protocol udp --src $yetanothernetwork_2 --sport 11122 --jump ACCEPT
$IPT --append INPUT --match udp --protocol udp --src $yetanothernetwork_1 --sport 11122 --jump ACCEPT
$IPT --append INPUT --match udp --protocol udp --src $anothernetwork_2 --sport 11122 --jump ACCEPT
$IPT --append INPUT --match udp --protocol udp --src $anothernetwork_1 --sport 11122 --jump ACCEPT
$IPT --append INPUT --match udp --protocol udp --src $funnetwork_2 --sport 11122 --jump ACCEPT
$IPT --append INPUT --match udp --protocol udp --src $funnetwork_1 --sport 11122 --jump ACCEPT
$IPT --append INPUT --match udp --protocol udp --src $vpn --sport 11122 --jump ACCEPT

#Port Range 95000
$IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_1 --sport 95000 --jump ACCEPT
$IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_2 --sport 95000 --jump ACCEPT

# SSH traffic
$IPT -A INPUT --match tcp --protocol tcp --src $somenetwork_1 --sport 22 --jump ACCEPT
#Default SSH Rule
$IPT -A INPUT --match tcp --protocol tcp --src $vpn --sport 22 --jump ACCEPT

echo "Ensuring iptables is enable + saving configuration"
sudo iptables-save

echo "Set default policy to 'DROP'"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

echo "Ensuring iptables is enable + saving configuration"
sudo iptables-save
exit 0
-
I changed IPs and variable names to something random for obvious reasons, but that is cutting the connection at the end even though I have an explicit allow for the SSH connection.
-
That looks out of order. I never use IPT, but doesn't that append the new stuff at the top, not the bottom? So by having the DENY come last, it goes to the top?
-
@IRJ said in iptables deny taking precedence over accept:
#Port Range 95000
$IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_1 --sport 95000 --jump ACCEPT
$IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_2 --sport 95000 --jump ACCEPT
I'm assuming this is not supposed to be a correct number... but --sport can't be > 65536.
-
@dafyre said in iptables deny taking precedence over accept:
@IRJ said in iptables deny taking precedence over accept:
#Port Range 95000
$IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_1 --sport 95000 --jump ACCEPT
$IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_2 --sport 95000 --jump ACCEPT
I'm assuming this is not supposed to be a correct number... but --sport can't be > 65536.
Yeah I just randomized port numbers. Not actually using that
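The thread turns on three facts about how a netfilter chain is evaluated, and a small model makes them concrete: rules are tried top to bottom and the first match wins (the ordering point in the first reply); `-A` appends at the bottom and `-I` inserts at the top (the question about where "the new stuff" lands); and `-P` sets a chain policy that is consulted only after every rule has failed to match, so setting `INPUT` to `DROP` after the `ACCEPT` rules cannot override them. The model also shows why a rule keyed on `--sport 22` does not admit an inbound SSH connection: such a connection arrives with destination port 22 and an ephemeral source port, so nothing matches and the policy decides. This is an added example written for this thread, not code from the thread or from iptables; the `Packet`, `Rule` and `Chain` classes, the packet values and the `10.2.31.0/24` and `203.0.113.0/24` addresses are constructed for illustration.

```python
# Added example: a minimal model of first-match evaluation in a netfilter
# chain. Not iptables code; the classes and sample packets are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str              # source address
    sport: int            # source port
    dport: int            # destination port
    in_iface: str = "eth0"


@dataclass
class Rule:
    target: str                     # "ACCEPT" or "DROP"
    proto: Optional[str] = None     # --protocol
    src: Optional[str] = None       # --src (CIDR)
    sport: Optional[int] = None     # --sport
    dport: Optional[int] = None     # --dport
    in_iface: Optional[str] = None  # -i

    def matches(self, pkt: Packet) -> bool:
        """Every specified match criterion must hold; unspecified ones are wildcards."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"                    # iptables -P <chain> <target>
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:     # iptables -A: goes to the bottom
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I [n]: top by default
        self.rules.insert(pos - 1, rule)

    def set_policy(self, policy: str) -> None:  # not a rule: no position in the list
        self.policy = policy

    def evaluate(self, pkt: Packet) -> str:
        """First matching rule decides; the policy applies only if none matched."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


# Constructed inbound SSH SYN from the VPN range: dport 22, ephemeral sport.
INBOUND_SSH = Packet("tcp", "10.2.31.7", sport=51515, dport=22)
SSH_ALLOW = Rule("ACCEPT", proto="tcp", src="10.2.31.0/24", dport=22)


def order_demo():
    """Same two rules in both orders: whichever comes first wins."""
    accept_first = Chain()
    accept_first.append(SSH_ALLOW)
    accept_first.append(Rule("DROP"))
    drop_first = Chain()
    drop_first.append(Rule("DROP"))
    drop_first.append(SSH_ALLOW)
    return accept_first.evaluate(INBOUND_SSH), drop_first.evaluate(INBOUND_SSH)


def insert_demo():
    """-A puts the DROP below the ACCEPT, -I puts it above: only -I shadows the allow."""
    chain = Chain()
    chain.append(SSH_ALLOW)
    chain.insert(Rule("DROP"))          # lands at position 1, above SSH_ALLOW
    return chain.evaluate(INBOUND_SSH)


def policy_demo():
    """Setting -P DROP after the ACCEPT rule does not override it; it only catches the rest."""
    chain = Chain()
    chain.append(SSH_ALLOW)
    chain.set_policy("DROP")
    stranger = Packet("tcp", "203.0.113.9", sport=51515, dport=22)  # outside the allowed range
    return chain.evaluate(INBOUND_SSH), chain.evaluate(stranger)


def sport_vs_dport_demo():
    """A rule keyed on --sport 22 never matches an inbound SSH connection, so the policy drops it."""
    keyed_on_sport = Chain(policy="DROP")
    keyed_on_sport.append(Rule("ACCEPT", proto="tcp", src="10.2.31.0/24", sport=22))
    keyed_on_dport = Chain(policy="DROP")
    keyed_on_dport.append(SSH_ALLOW)
    return keyed_on_sport.evaluate(INBOUND_SSH), keyed_on_dport.evaluate(INBOUND_SSH)


if __name__ == "__main__":
    print("order:", order_demo())
    print("insert:", insert_demo())
    print("policy:", policy_demo())
    print("sport vs dport:", sport_vs_dport_demo())
```

The practical check on a real host is `iptables -S INPUT` (or `iptables -L INPUT -n --line-numbers`), which lists the chain in evaluation order with the policy shown first as `-P INPUT DROP`; if the allow rules appear above any broad `DROP` and the connection is still cut, look at what the rules match on rather than at their order.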