I am trying to set up firewall rules on a RHEL webserver, so that my webserver can serve up web pages and at the same time download remote files using curl/wget. The problem I am experiencing is that I can only do one or the other. I’ve tried tweaking my iptables settings and I isolated the problem to be with outbound packets, because if I enable all outgoing, it works just fine.
This is what I am using:
iptables -A INPUT -p tcp -m tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP
iptables -A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -m multiport --sports 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Could it be something to do with ESTABLISHED,RELATED in my OUTPUT rule for http/https?
You pretty clearly dropped all your output packets that don’t match any of the rules:
iptables -P OUTPUT DROP
And at the same time you didn’t accept any packets that constitute new connections and instead all your rules operate only on established connections that can never actually be established:
iptables -A OUTPUT ... -m state --state ESTABLISHED,RELATED ...
Please read the manual page for iptables and especially the part describing -m state. Then you won’t create firewalls that explicitly block your new outgoing connections and then be surprised that your outgoing connections are being blocked.
I, personally, don’t think it’s a good idea to use the DROP policy on OUTPUT chains and I don’t care about its usage on the FORWARD chain. I always use explicit REJECT/DROP rules at the end of the chain.
REJECT is usually better for the beginning as it doesn’t introduce lags and timeouts.
The best solution for you is probably to switch the OUTPUT policy back to ACCEPT and remove the
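As an added example (not from the question or the answer above), here is the poster's ruleset rewritten so the server can both serve HTTP/HTTPS and open its own outbound connections for curl/wget: the stateful ESTABLISHED,RELATED rules stay, and an explicit OUTPUT rule accepting NEW connections to TCP 80/443 (and UDP 53 for DNS) is added, which is the piece the original set lacked. Explicit REJECT/DROP rules terminate each chain instead of a DROP policy. The script prints the commands by default and only touches the kernel when run as `sh rules.sh apply`; the file name and the `apply` argument are this example's own conventions.

```shell
#!/bin/sh
# Added example: corrected ruleset for a web server that must also make
# outbound HTTP/HTTPS requests. Dry run by default; "apply" runs iptables.

# Emit (or run) the rules. $1 is the command prefix, e.g. "iptables" or
# "echo iptables" for a dry run; it is expanded unquoted on purpose.
rules() {
    ipt="$1"
    # Loopback and already-tracked traffic in both directions.
    $ipt -A INPUT  -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT
    $ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound services: SSH (SYN rate-limited as in the question), HTTP, HTTPS.
    $ipt -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP
    $ipt -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
    # Outbound NEW connections: the rule the original ruleset did not have.
    # Without it the server can never start a connection, so curl/wget fail.
    $ipt -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    # Explicit terminal rules at the end of each chain; policies stay ACCEPT
    # except FORWARD, which this host never needs.
    $ipt -A INPUT  -j DROP
    $ipt -A OUTPUT -j REJECT
    $ipt -P FORWARD DROP
}

# Number of OUTPUT rules that accept NEW connections in the emitted set.
# The question's ruleset would count only the DNS rule here.
count_new_output() {
    rules "echo iptables" | grep -c -- '-A OUTPUT .*--state NEW.*-j ACCEPT'
}

# 0 (true) when outbound TCP 80/443 may start new connections.
allows_outbound_web() {
    rules "echo iptables" | grep -q -- '-A OUTPUT -p tcp .*--dports 80,443 .*--state NEW.*-j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    rules iptables
else
    rules "echo iptables"
fi
```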