My current iptable configuration doesn't work [on hold]

Posted by Brad on Server Fault See other posts from Server Fault or by Brad
Published on 2014-05-28T05:03:50Z Indexed on 2014/05/28 9:32 UTC
Read the original article Hit count: 739

Filed under:
sudo chkconfig iptables off
/etc/init.d/iptables on

### Clear/flush iptables
sudo iptables -F 
sudo iptables -P INPUT ACCEPT 
sudo iptables -P OUTPUT ACCEPT 
sudo iptables -P FORWARD ACCEPT

### Allow SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

### Allow YUM updates
sudo iptables -A OUTPUT -o eth0 -p tcp --dport 80 --match owner --uid-owner 0 --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --dport 443 --match owner --uid-owner 0 --state NEW,ESTABLISHED -j ACCEPT

### Add your rules form the link above, here
# ftp,smtp,imap,http,https,pop3,imaps,pop3s
sudo iptables -A INPUT -i eth0 -p tcp -m multiport --dports 21,25,143,80,443,110,993,995 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 21,25,143,80,110,443,993,995 -m state --state NEW,ESTABLISHED -j ACCEPT

## allow dns
sudo iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT && sudo iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# handling pings
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT && sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

sudo iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT && sudo iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# manage ddos attacks
sudo iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

## Implement some logging so that we know what's getting dropped
sudo iptables -N LOGGING
sudo iptables -A INPUT -j LOGGING
sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
sudo iptables -A LOGGING -j DROP

# once a rule affects traffic then it is no longer managed
# so if the traffic has not been accepted, block it
sudo iptables -A INPUT -j DROP
sudo iptables -I INPUT 1 -i lo -j ACCEPT
sudo iptables -A OUTPUT -j DROP

# allow only internal port forwarding
sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
sudo iptables -P FORWARD DROP

# create an iptables config file
sudo iptables-save > /root/dsl.fw

### Append the following to the rc.local file
sudo nano /etc/rc.local
####---
/sbin/iptables-restore < sudo /root/dsl.fw
####---

/etc/init.d/iptables save
## check to see if this setting is working great.
sudo service iptables restart
## log out/in testing
sudo chkconfig iptables on

What is the problem with this setup?
If I restart the server it doesn't allow me back in SSH, and there may be a problem with Yum

Original source of information: https://gist.github.com/Jonathonbyrd/1274837#file-instructions

© Server Fault or respective owner

Related posts about iptables