Hello, I've got a Linode VPS. It is running a new installation of Fedora 17. I'm a new Fedora 17 user, but have used other RPM distros in the past, though the switch to systemctl threw me for a loop. I'm having an issue with both iptables and ip6tables not allowing incoming connections to running services. I have httpd running on this machine; ssh-ing into the box itself, I can telnet localhost 80 on both IPv4 and IPv6 and it will connect. External telnetting hangs as if I have no running service. An nmap scan from an external host does not show port 80 at all: not open, not filtered, not there whatsoever. A netstat on the box as well as a ps on the box both confirm that the httpd daemon is started and listening. If I turn off iptables and then do the nmap scan, port 80 shows up as being open, and telnetting also works. This is also true when turning off ip6tables. I have pasted below my /etc/sysconfig/iptables and /etc/sysconfig/ip6tables as well as the two scripts I used to make them. These scripts and the firewall did work previously on a RHEL box. I'd appreciate any suggestions; I want a firewall working on this box. Thanks. Dave.
# Generated by iptables-save v1.4.14 on Sun Feb 17 14:37:29 2013
*security
:INPUT ACCEPT [310022:318693688]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [164768:7899587]
COMMIT
# Completed on Sun Feb 17 14:37:29 2013
# Generated by iptables-save v1.4.14 on Sun Feb 17 14:37:29 2013
*raw
:PREROUTING ACCEPT [310149:318700172]
:OUTPUT ACCEPT [164768:7899587]
COMMIT
# Completed on Sun Feb 17 14:37:29 2013
# Generated by iptables-save v1.4.14 on Sun Feb 17 14:37:29 2013
*nat
:PREROUTING ACCEPT [132:6736]
:INPUT ACCEPT [8:380]
:OUTPUT ACCEPT [75:6221]
:POSTROUTING ACCEPT [75:6221]
COMMIT
# Completed on Sun Feb 17 14:37:29 2013
# Generated by iptables-save v1.4.14 on Sun Feb 17 14:37:29 2013
*mangle
:PREROUTING ACCEPT [310149:318700172]
:INPUT ACCEPT [310149:318700172]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [164768:7899587]
:POSTROUTING ACCEPT [164768:7899587]
COMMIT
# Completed on Sun Feb 17 14:37:29 2013
# Generated by iptables-save v1.4.14 on Sun Feb 17 14:37:29 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 25 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 587 -j ACCEPT
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT
COMMIT
# Completed on Sun Feb 17 14:37:29 2013

# Generated by ip6tables-save v1.4.14 on Sun Feb 17 22:08:15 2013
*nat
:PREROUTING ACCEPT [21:1680]
:INPUT ACCEPT [21:1680]
:OUTPUT ACCEPT [2:160]
:POSTROUTING ACCEPT [2:160]
COMMIT
# Completed on Sun Feb 17 22:08:15 2013
# Generated by ip6tables-save v1.4.14 on Sun Feb 17 22:08:15 2013
*security
:INPUT ACCEPT [440:43192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [93:6508]
COMMIT
# Completed on Sun Feb 17 22:08:15 2013
# Generated by ip6tables-save v1.4.14 on Sun Feb 17 22:08:15 2013
*raw
:PREROUTING ACCEPT [440:43192]
:OUTPUT ACCEPT [93:6508]
COMMIT
# Completed on Sun Feb 17 22:08:15 2013
# Generated by ip6tables-save v1.4.14 on Sun Feb 17 22:08:15 2013
*mangle
:PREROUTING ACCEPT [440:43192]
:INPUT ACCEPT [440:43192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [93:6508]
:POSTROUTING ACCEPT [93:6508]
COMMIT
# Completed on Sun Feb 17 22:08:15 2013
# Generated by ip6tables-save v1.4.14 on Sun Feb 17 22:08:15 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A OUTPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 25 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 587 -j ACCEPT
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT
COMMIT
# Completed on Sun Feb 17 22:08:15 2013

#!/bin/bash
#
# First set up the UDP and TCP chains:
iptables -N TCP
iptables -N UDP
# Since we're not a nat box or router set the FORWARD chain to DROP:
iptables -P FORWARD DROP
# Set the OUTPUT chain to ACCEPT:
iptables -P OUTPUT ACCEPT
# Set the INPUT chain to DROP:
iptables -P INPUT DROP
# Set a rule for established connections or returning icmp messages:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Let everything through on loopback:
iptables -A INPUT -i lo -j ACCEPT
# Stop out of sequence or invalid packets:
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Accept ping:
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# Append the open chain and accept or reject packets:
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# Reject connections with port unreachable or tcp rst:
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
# Reject anything else with icmp unreachable:
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
# Now open ports for services:
iptables -A TCP -p tcp --dport 22 -j ACCEPT
iptables -A TCP -p tcp --dport 25 -j ACCEPT
iptables -A TCP -p tcp --dport 80 -j ACCEPT
iptables -A TCP -p tcp --dport 443 -j ACCEPT
iptables -A TCP -p tcp --dport 587 -j ACCEPT
iptables -A TCP -p tcp --dport 993 -j ACCEPT
#
# Save settings
#
/usr/libexec/iptables.init save
#
# List rules
#
iptables -L -v

#!/bin/bash
#
# First set up the UDP and TCP chains:
ip6tables -N TCP
ip6tables -N UDP
# Since we're not a nat box or router set the FORWARD chain to DROP:
ip6tables -P FORWARD DROP
# Set the OUTPUT chain to ACCEPT:
ip6tables -P OUTPUT ACCEPT
# Set the INPUT chain to DROP:
ip6tables -P INPUT DROP
# Disable processing of any RH0 packet
# Which could allow a ping-pong of packets
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
# Set a rule for established connections or returning icmp messages:
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Let everything through on loopback:
ip6tables -A INPUT -i lo -j ACCEPT
# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
# Allow multicast
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
# Stop out of sequence or invalid packets:
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Accept ping:
ip6tables -A INPUT -p icmpv6 --icmpv6-type 8 -m conntrack --ctstate NEW -j ACCEPT
#ip6tables -A INPUT -p icmpv6 --icmpv6-type 8 -m conntrack --ctstate NEW -j ACCEPT
# Append the open chain and accept or reject packets:
ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
ip6tables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# Reject connections with port unreachable or tcp rst:
ip6tables -A INPUT -p udp -j REJECT
ip6tables -A INPUT -p tcp -j REJECT
# Reject anything else with icmp unreachable:
ip6tables -A INPUT -j REJECT
# Now open ports for services:
ip6tables -A TCP -p tcp --dport 22 -j ACCEPT
ip6tables -A TCP -p tcp --dport 25 -j ACCEPT
ip6tables -A TCP -p tcp --dport 80 -j ACCEPT
ip6tables -A TCP -p tcp --dport 443 -j ACCEPT
ip6tables -A TCP -p tcp --dport 587 -j ACCEPT
ip6tables -A TCP -p tcp --dport 993 -j ACCEPT
#
# Save settings
#
/usr/libexec/ip6tables.init save
#
# List rules
#
ip6tables -L -v

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
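Added worked example, written for this page and not part of Dave's post or of any Fedora tooling: a small first-match walker over the *filter table of an iptables-save dump, run against the IPv4 ruleset pasted above. Reading that dump top-down, the first five INPUT rules (the ones using `-m state`, ending in `-j REJECT --reject-with icmp-host-prohibited`) are not produced by the script at all; the script appends without flushing, so whatever was already loaded stayed in front of its rules and `iptables.init save` captured the combined set. The walker shows the consequence: a new SYN to port 80 meets that REJECT at INPUT rule 5 and never reaches the TCP chain, while port 22 is accepted by rule 4, which matches the symptoms described for IPv4. The packet model (protocol, interface, destination port, conntrack state, TCP flags) and the set of options it understands are my assumptions, chosen because they cover every IPv4 rule on the page; the interface name `eth0` is a placeholder.

```python
"""Added example, not code from the original post: a first-match walk over the
*filter table of an iptables-save dump, showing where a new TCP SYN to port 80
stops in the IPv4 INPUT chain pasted above.  Only -p, -i, --dport, --icmp-type,
--state/--ctstate and --tcp-flags/--syn are modelled (assumed sufficient for the
IPv4 rules on the page); a rule using any other match option never matches."""
import shlex

# Constructed input: the *filter section of the poster's /etc/sysconfig/iptables.
POSTED_FILTER_TABLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 25 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 587 -j ACCEPT
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT
COMMIT
"""

# Number of arguments each recognised option takes; unknown options consume none.
ARITY = {"-p": 1, "-i": 1, "-j": 1, "--dport": 1, "--icmp-type": 1, "--state": 1,
         "--ctstate": 1, "--tcp-flags": 2, "--syn": 0, "-m": 1, "--reject-with": 1}

def parse_filter_table(text):
    """Return ({chain: policy or None}, {chain: [rule, ...]}) for the *filter table."""
    policy, rules, in_filter = {}, {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line[:1] == ":":      # chain declaration ":NAME POLICY [pkts:bytes]"
            name, pol = line[1:].split()[:2]
            policy[name], rules[name] = (None if pol == "-" else pol), []
        elif in_filter and line.startswith("-A "):
            t, i, rule = shlex.split(line), 2, {"text": line, "ok": True}
            while i < len(t):
                o, n = t[i], ARITY.get(t[i], 0)
                rule[o], i = t[i + 1:i + 1 + n], i + 1 + n   # option -> its argument list
                if o not in ARITY:               # -s, -d, ...: not modelled, rule never matches
                    rule["ok"] = False
            rules.setdefault(t[1], []).append(rule)
    return policy, rules

def matches(rule, pkt):
    """True when every modelled option in `rule` agrees with the packet fields."""
    if not rule["ok"]:
        return False
    if any(k in rule and rule[k][0] != pkt.get(k) for k in ("-p", "-i", "--dport", "--icmp-type")):
        return False
    states = rule.get("--ctstate") or rule.get("--state")
    if states and pkt["state"] not in states[0].split(","):
        return False
    flags = ["FIN,SYN,RST,ACK", "SYN"] if "--syn" in rule else rule.get("--tcp-flags")
    if flags:                                    # --tcp-flags MASK COMP: (pkt & MASK) == COMP
        mask, want = (set(f.split(",")) for f in flags)
        return (pkt.get("flags", set()) & mask) == (set() if want == {"NONE"} else want)
    return True

def walk(policy, rules, chain, pkt):
    """First-match walk of `chain` -> (verdict, chain, rule_no, rule_text); rule_no 0 means
    the chain policy applied; None means a user chain ran out of rules (implicit RETURN)."""
    for n, rule in enumerate(rules.get(chain, []), 1):
        if not matches(rule, pkt):
            continue
        tgt = rule.get("-j", [None])[0]
        if tgt in ("ACCEPT", "DROP", "REJECT"):
            return tgt, chain, n, rule["text"]
        if tgt == "RETURN":
            break
        if tgt in rules:                         # jump into a user-defined chain
            hit = walk(policy, rules, tgt, pkt)
            if hit:
                return hit
    pol = policy.get(chain)
    return (pol, chain, 0, "policy " + pol) if pol else None

def verdict_for_port(dump, dport, iface="eth0"):
    # Verdict for the first SYN of a new connection to `dport` arriving on `iface`.
    pkt = {"-p": "tcp", "-i": iface, "--dport": str(dport), "state": "NEW", "flags": {"SYN"}}
    policy, rules = parse_filter_table(dump)
    return walk(policy, rules, "INPUT", pkt)

# The five INPUT rules that sit in front of the script's own rules in the dump: they
# were already loaded when the script appended to them and were saved along with them.
STOCK_INPUT_RULES = POSTED_FILTER_TABLE.splitlines()[6:11]
def without_stock_rules(dump):
    # The dump as it would look had INPUT been flushed before the script ran.
    for line in STOCK_INPUT_RULES:
        dump = dump.replace(line + "\n", "", 1)   # first occurrence only
    return dump
```

Calling `verdict_for_port(POSTED_FILTER_TABLE, 80)` returns `REJECT` at INPUT rule 5 (the `icmp-host-prohibited` rule), and `verdict_for_port(without_stock_rules(POSTED_FILTER_TABLE), 80)` returns `ACCEPT` at TCP rule 3, i.e. the script's own rules do open port 80 once nothing precedes them. On the real box the same walk is visible with `iptables -L INPUT -n -v --line-numbers`, where the packet counter on rule 5 climbs while the TCP chain stays at zero. The defensive fix is to make the build script deterministic: flush and delete the existing chains (`iptables -F`, `iptables -X`) before `-N` and the `-A` lines, so the saved ruleset is exactly what the script describes. One further caveat on the IPv6 side: the script's `--icmpv6-type 8` is not an echo request in ICMPv6 (echo-request is type 128), so the "Accept ping" rule there does not do what its comment says, although it has no bearing on TCP port 80.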