I'm new to IPTABLES as I've always had an enterprise level firewall such as Meraki or Sonicwall in front of my devices but I'm giving IPTABLES a shot at ensuring only certain traffic makes it to my web server.

Here's what I've built in my rules so far:


Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp spt:www dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www dpt:www
ACCEPT     udp  --  anywhere             anywhere            udp spt:https dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https dpt:https
ACCEPT     tcp  --  localnet/24          anywhere            tcp spt:ssh dpt:ssh
ACCEPT     udp  --  localnet/24          anywhere            udp spt:ssh dpt:ssh
ACCEPT     tcp  --  localnet/24          anywhere            tcp spt:webmin dpt:webmin
ACCEPT     udp  --  localnet/24          anywhere            udp spt:10000 dpt:10000

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

What I am looking to do is the following:

  1. 80 and 443 should be allowed both internally and externally to this server.
  2. SSH and Webmin should only be allowed from the internal local subnet.
  3. Deny all other traffic - I've looked up how to put in a default REJECT rule but as soon as I do that, I lose connection to my box internally and externally and have to go hook up a K/V to it and remove that rule.

What am I missing? And is my configuration wrong?

Thanks in advance!

    The part that I don't get is why you're specifying the source port as being the same as the destination port. In 99% of cases, this won't be true.

    For example, clients connecting to your webserver on port 80 are probably going to be sending from some random, high-numbered port (e.g. 49152 or above).

      So for the web technologies, 80 and 443, I should just specify the destination ports? And leave the source ports blank?

        Yes, because you don't know what the source port will be. And besides, why does it matter what the source port is?

        EDIT: Same goes for any of those rules, really. This isn't anything inherent to just "web technologies" - it's how TCP/IP networking is done in general.

          I guess it doesn't... like I said, I'm new to using IPTABLES so I'm reading through documentation and trying things as I go. Thanks.

            Another thing to notice is that your rules are all pointless. 🙂

            You don't have any DROP rules that explicitly drop packets, so even if a given packet didn't match any of those rules, it would still hit the default policy of ACCEPT and thus be allowed. As such, I would expect you to either a) define some rules that DROP unwanted packets, or b) change the default target of the INPUT chain to be DROP rather than ACCEPT (which would turn the rules into a whitelist rather than a blacklist).

              Another oddity I see is all of those UDP entries. Why are they there? None of the services you've got there so far use UDP, so opening up those ports doesn't really make any sense.

I know they're "pointless" =\ . As I mentioned, whenever I try to add a DROP rule I lose all access to my box and have to go to console to restore access. I tried using the tutorial at https://help.ubuntu.com/community/IptablesHowTo under Blocking Traffic but always ended up with the same result.

Because HTTP itself is a UDP protocol as it's a best-effort delivery mechanism. If I don't have to open the UDP ports along with the TCP I won't. Normally in the firewalls I'm familiar with I always choose "Both" from their GUI.

                  rsmith;10999916 wrote:

                  whenever I try to added a DROP rule I lose all access to my box and have to go to console to restore access.

                  You shouldn't need to add any rules - you just need to change the default target policy of the INPUT chain to be DROP rather than ACCEPT, e.g.:

                  iptables -P INPUT DROP
                  rsmith;10999916 wrote:

                  Because HTTP itself is a UDP protocol as it's a best-effort delivery mechanism.

                  No, it is not. The HTTP(S) protocol is a TCP-based protocol and has no UDP port components.

                    I'll modify the policy to have the default rule be to DROP like you mentioned and let you know how it goes.

                    Thanks again.

Thanks Brad. Your advice to turn it into a whitelist works much easier. Much appreciated.
