Re: Iptables example for mail/web/openvpn server
> ## flush old rules
> iptables -F
> # rules
> iptables -t filter -A INPUT -i venet0 -d your_public_ip \
> -p tcp --sport 1024: -m multiport --dports 80,443,25,587 \
> -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -t filter -A INPUT -i venet0 -d your_ip \
> -p udp --sport 1024: --dport 1194 \
> -m state --state NEW,ESTABLISHED -j ACCEPT
> # default policy
> iptables -P OUTPUT ACCEPT
> iptables -P INPUT DROP
> ##
I think your script lacks the rule that accepts return packets.
Something along the lines of
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Without this rule, return packets will be dropped and the server will be
unable to establish connections. Also note the RELATED, which will accept
ICMP notifications. You need those.
I also recommend accepting ICMP echo requests:
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
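Putting the two points together, here is an added example (not the original poster's script, and not the reply's): the quoted rule set with the ESTABLISHED,RELATED rule placed first, ICMP echo requests accepted, and a dry-run mode that prints the commands instead of applying them. It also accepts loopback, which neither message mentions, and omits the quoted --sport match. IFACE and PUBLIC_IP are placeholders (192.0.2.10 is a documentation address, not a real host), and the rule_list / apply_rules / rule_count function names are my own.

```shell
#!/bin/sh
# Added example, not the original poster's script: the quoted rule set with
# the return-traffic rule placed first and ICMP echo requests accepted.
# IFACE and PUBLIC_IP are placeholders to be set by the operator.
IFACE="${IFACE:-venet0}"
PUBLIC_IP="${PUBLIC_IP:-192.0.2.10}"   # placeholder (TEST-NET-2), not a real address
IPT="${IPT:-iptables}"

# Emit the INPUT rules, one per line, in the order they must be loaded.
rule_list() {
    # Return packets for connections this host opened, plus RELATED traffic
    # such as ICMP error notifications. Without this, outbound connections
    # never get their replies once the INPUT policy is DROP.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # ICMP echo request (type 8) so the host still answers ping.
    echo "-A INPUT -p icmp --icmp-type 8 -j ACCEPT"
    # Loopback traffic (local services talking to each other).
    echo "-A INPUT -i lo -j ACCEPT"
    # Web and mail services: only NEW is needed here, ESTABLISHED is covered above.
    echo "-A INPUT -i $IFACE -d $PUBLIC_IP -p tcp -m multiport --dports 80,443,25,587 -m state --state NEW -j ACCEPT"
    # OpenVPN over UDP.
    echo "-A INPUT -i $IFACE -d $PUBLIC_IP -p udp --dport 1194 -m state --state NEW -j ACCEPT"
}

# Flush INPUT, load the rules in order, then set the default policies last.
apply_rules() {
    "$IPT" -F INPUT
    rule_list | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        "$IPT" $rule
    done
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P INPUT DROP
}

# Number of rules emitted, for a quick sanity check.
rule_count() { rule_list | wc -l | tr -d ' '; }

# "show" prints the commands instead of running them; no argument applies them.
case "${1:-}" in
    show) IPT=echo; apply_rules ;;
    "")   apply_rules ;;
esac
```

Run it as `sh rules.sh show` to review the exact commands before applying; the ESTABLISHED,RELATED rule is emitted first and the DROP policy last, which is the ordering the reply is asking for.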