[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Iptables example for mail/web/opevpn server

> ## flush old rules
> iptables -F
> # rules
> iptables -t filter -A INPUT -i venet0 -d your_public_ip \
> -p tcp --sport 1024: -m multiport  --dports 80,443,25,587 \
> -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -t filter -A INPUT -i venet0 -d your_ip \
> -p udp --sport 1024: --dport 1194 \
> -m state --state NEW,ESTABLISHED -j ACCEPT
> # default policy
> iptables -P OUTPUT ACCEPT
> iptables -P INPUT DROP   
> ##

I think your script lacks the rule that accepts return packets.
Something along the lines of

  iptables -I INPUT -m state --state ESTABLISHED,RELATED -J ACCEPT

Without this rule, return packets will be dropped and the server will be
unable to establish connections. Also note the RELATED, which will accept
ICMP notifications. You need those.

I also recommend accepting ICMP echo requests:

  iptables -A INPUT -p icmp --icmp-type 8 -J ACCEPT

Reply to: