IPtables preventing outgoing packets

Problem:

I am trying to set up firewall rules on a RHEL webserver, so that my webserver can serve up web pages and at the same time download remote files using curl/wget. The problem I am experiencing is that I can only do one or the other. I’ve tried tweaking my iptables settings and I isolated the problem to be with outbound packets, because if I enable all outgoing, it works just fine.

This is what I am using:

iptables -A INPUT -p tcp -m tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP
iptables -A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -m multiport --sports 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Could it be something to do with ESTABLISHED,RELATED in my OUTPUT rule for http/https?

Solution:

You pretty clearly dropped all your output packets that don’t match any of the rules:

iptables -P OUTPUT DROP

And at the same time you didn’t accept any packets that constitute new connections and instead all your rules operate only on established connections that can never actually be established:

iptables -A OUTPUT ... -m state --state ESTABLISHED,RELATED ...

Please read the manual page for iptables and especially the part describing -m state. Then you won’t create firewalls that explicitly block your new outgoing connections and then be surprised that your outgoing connections are being blocked.

I, personally, don’t think it’s a good idea to use the DROP policy on INPUT and OUTPUT chains and I don’t care about its usage on the FORWARD chain. I always use explicit REJECT/DROP rules at the end of the chain. REJECT is usually better for the beginning as it doesn’t introduce lags and timeouts.

The best solution for you is probably to switch the OUTPUT policy back to ACCEPT and remove the OUTPUT rules.
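A worked ruleset illustrating the point about -m state, added here as an example and not part of the question or the answer above: the OUTPUT chain stays restrictive, but the host's own DNS and HTTP/HTTPS connections are accepted in the NEW state so curl/wget can open them, and each chain ends in an explicit REJECT rather than a DROP policy. The script is a sample, not RHEL's or the poster's configuration; it prints the commands by default and only calls iptables (which needs root) when APPLY=1 is set.

```shell
#!/bin/sh
# Example host firewall for a web server that must also fetch remote files.
# Constructed for illustration; assumes iptables with the state, multiport and
# connlimit match modules. Default is dry run: the rules are echoed. APPLY=1 runs them.
set -eu

IPT=${IPT:-iptables}
APPLY=${APPLY:-0}

run() {
    if [ "$APPLY" = 1 ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

install_rules() {
    run -F INPUT
    run -F OUTPUT
    run -F FORWARD

    # Policies stay ACCEPT on INPUT/OUTPUT; explicit terminal REJECT rules
    # below do the blocking, which keeps failures visible and fast.
    run -P INPUT ACCEPT
    run -P OUTPUT ACCEPT
    run -P FORWARD DROP

    # Loopback traffic is always fine.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Packets belonging to connections conntrack already knows about, in both
    # directions. This is the only rule the reply packets of a connection need.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound services. The connlimit rule must come BEFORE the accept for
    # port 22, otherwise the accept matches first and connlimit never fires.
    run -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP
    run -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT

    # Connections this host initiates: DNS lookups and web fetches. The first
    # packet of each is NEW, so an ESTABLISHED-only rule can never match it.
    run -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    run -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    run -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # Explicit end-of-chain rejects instead of DROP policies.
    run -A INPUT -j REJECT --reject-with icmp-port-unreachable
    run -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
}

install_rules
```

Review the printed commands first, then apply with `APPLY=1 sh firewall.sh` as root. On kernels with a recent iptables, `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; the semantics shown here are the same.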
