    iptables deny taking precedence over accept

    7 Posts 3 Posters 193 Views
    IRJ:

      I am trying to set rules in iptables. I script the rules all set to accept; however, when I apply a rule to deny as default, the accept rules no longer work.

      How can I set priority to make sure accept rules are processed before deny?

      scottalanmiller:

        They should execute in order; make sure the deny is below the accept rule.

        IRJ (edited):

          IPT="/sbin/iptables"
          
          # IP Ranges
          somenetwork_1="172.34.344.0/24"
          somenetwork_2="172.11.44.0/24"
          anothernetwork_1="172.189.33.0/24"
          anothernetwork_2="172.189.133.0/24"
          yetanothernetwork_1="172.51.222.0/24"
          yetanothernetwork_2="172.11.222.0/24"
          funnetwork_1="172.54.222.0/24"
          funnetwork_2="172.112.222.0/24"
          vpn="10.2.31.0/24"
          public="0.0.0.0/0"
          
          echo "flushing iptables rules"
          $IPT -F
          $IPT -X
          $IPT -t nat -F
          $IPT -t nat -X
          $IPT -t mangle -F
          $IPT -t mangle -X
          
          echo "allow all and everything on localhost"
          $IPT -A INPUT -i lo -j ACCEPT
          $IPT -A OUTPUT -o lo -j ACCEPT
          $IPT -A INPUT -s 127.0.0.0/8 -j DROP
          
          
          
          #Port Range 11122
          $IPT --append INPUT --match udp --protocol udp --src $somenetwork_1 --sport 11122 --jump ACCEPT
          $IPT --append INPUT --match udp --protocol udp --src $somenetwork_2 --sport 11122 --jump ACCEPT
          $IPT --append INPUT --match udp --protocol udp --src $yetanothernetwork_2 --sport 11122 --jump ACCEPT
          $IPT --append INPUT --match udp --protocol udp --src $yetanothernetwork_1 --sport 11122 --jump ACCEPT
          $IPT --append INPUT --match udp --protocol udp --src $anothernetwork_2 --sport 11122 --jump ACCEPT
          $IPT --append INPUT --match udp --protocol udp --src $anothernetwork_1 --sport 11122 --jump ACCEPT
          $IPT --append INPUT --match udp --protocol udp --src $funnetwork_2 --sport 11122 --jump ACCEPT
          $IPT --append INPUT --match udp --protocol udp --src $funnetwork_1 --sport 11122 --jump ACCEPT
          $IPT --append INPUT --match udp --protocol udp --src $vpn --sport 11122 --jump ACCEPT
          
          #Port Range 95000
          $IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_1 --sport 95000 --jump ACCEPT
          $IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_2 --sport 95000 --jump ACCEPT
          
          # SSH traffic
          $IPT -A INPUT --match tcp --protocol tcp --src $somenetwork_1 --sport 22 --jump ACCEPT
          
          #Default SSH Rule
          $IPT -A INPUT --match tcp --protocol tcp --src $vpn --sport 22 --jump ACCEPT
          
          
          echo "Ensuring iptables is enable + saving configuration"
          sudo iptables-save
          
          
          echo "Set default policy to 'DROP'"
          $IPT -P INPUT   DROP
          $IPT -P FORWARD DROP
          $IPT -P OUTPUT  ACCEPT
          
          
          echo "Ensuring iptables is enable + saving configuration"
          sudo iptables-save
          
          
          exit 0
          IRJ:

            I changed IPs and variable names to something random for obvious reasons, but that is cutting the connection at the end even though I have an explicit allow for the SSH connection.

              scottalanmiller:

              That looks out of order. I never use IPT, but doesn't that append the new stuff at the top, not the bottom? So by having the DENY come last, it goes to the top?

                dafyre @IRJ:

                @IRJ said in iptables deny taking precedence over accept:

                #Port Range 95000
                $IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_1 --sport 95000 --jump ACCEPT
                $IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_2 --sport 95000 --jump ACCEPT

                I'm assuming this is not supposed to be a correct number... but --sport can't be > 65536.

                  IRJ @dafyre:

                  @dafyre said in iptables deny taking precedence over accept:

                  @IRJ said in iptables deny taking precedence over accept:

                  #Port Range 95000
                  $IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_1 --sport 95000 --jump ACCEPT
                  $IPT --append INPUT --match tcp --protocol tcp --src $somenetwork_2 --sport 95000 --jump ACCEPT

                  I'm assuming this is not supposed to be a correct number... but --sport can't be > 65536.

                  Yeah, I just randomized port numbers. Not actually using that.

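As an added example (not IRJ's script and not iptables itself), here is a small Python model of how an iptables chain is walked: rules are checked top to bottom, the first match wins, and the chain policy is consulted only when nothing matched. Run against a constructed inbound SSH packet from the script's `vpn` range, it shows why a rule written with `--sport 22` never matches a client connecting to port 22 (the old ACCEPT policy was silently letting that traffic through, and the DROP policy now catches it) and how a DROP placed above an ACCEPT shadows it, which is the ordering point raised in the thread.

```python
"""Toy model of iptables INPUT chain evaluation (added example, not iptables)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    sport: int   # source port (ephemeral for a connecting client)
    dport: int   # destination port (the service being contacted)


@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT or DROP, like --jump
    proto: Optional[str] = None  # like --protocol
    src: Optional[str] = None    # CIDR, like --src
    sport: Optional[int] = None  # like --sport
    dport: Optional[int] = None  # like --dport

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], policy: str, p: Packet) -> Tuple[str, int]:
    """Walk the chain in order; return (verdict, 1-based index of the deciding
    rule). Index 0 means no rule matched and the chain POLICY decided."""
    for i, r in enumerate(rules, 1):
        if r.matches(p):
            return r.target, i
    return policy, 0


VPN = "10.2.31.0/24"  # the vpn range from the posted script
# Constructed inbound SSH SYN: VPN client, ephemeral source port, destination 22
SSH_SYN = Packet("tcp", "10.2.31.7", 51234, 22)

# As posted: matches on the SOURCE port 22, which a connecting client never uses
POSTED = [Rule("ACCEPT", "tcp", VPN, sport=22)]
# Corrected: match the DESTINATION port of the service being offered
FIXED = [Rule("ACCEPT", "tcp", VPN, dport=22)]
# Same ACCEPT, but a broader DROP appended before it: order, not policy, decides
SHADOWED = [Rule("DROP", "tcp", VPN), Rule("ACCEPT", "tcp", VPN, dport=22)]

if __name__ == "__main__":
    print("posted, policy ACCEPT:", evaluate(POSTED, "ACCEPT", SSH_SYN))
    print("posted, policy DROP:  ", evaluate(POSTED, "DROP", SSH_SYN))
    print("fixed, policy DROP:   ", evaluate(FIXED, "DROP", SSH_SYN))
    print("shadowed, policy DROP:", evaluate(SHADOWED, "DROP", SSH_SYN))
```

The first two lines of output are the thread's symptom: the same rule set "works" only while the policy is ACCEPT, because the ACCEPT rule itself never matched.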