Ping a Specific Port

Question

Steve

Asked: 2013-02-28 04:32:37 +0800 CST2013-02-28 04:32:37 +0800 CST 2013-02-28 04:32:37 +0800 CST

iptables TCP handshake on Centos 6.0

772

Here's my iptables script:

#!/bin/sh
service iptables stop
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
service iptables save
service iptables restart

It works fine on Centos 6.3, but on Centos 6.0 I can't establish outbound HTTP connections. (I probably can't establish any outbound TCP/IP connections.) DNS lookup, however, works just fine, as does apparently anything else based on UDP.

I'm guessing this has something to do with TCP's three-way handshake, of which I know almost nothing. That being the case, there must be a difference in the versions of one of the modules where the earlier version requires explicit specification of INPUT rules to allow the handshake. So, what rule(s) would I need to create to allow the TCP handshake and therefore receive data?

2 Answers

Voted

Olipro · Answer 1 · 2013-02-28T05:10:29+08:00

Olipro

2013-02-28T05:10:29+08:002013-02-28T05:10:29+08:00

Your system will initiate connections from ephemeral ports.

Generally speaking, don't try and be smarter than netfilter's conntrack.

the first rule in any decent ruleset should be iptables -m conntrack --ctstate ESTABLISHED -j ACCEPT (only use -m state if your distro lacks -m conntrack) - doing this will enable your system initiate outbound connections and successfully receive the replies.

Additionally, to save resources, iptables -t raw -A PREROUTING -i lo -j CT --notrack (or -j NOTRACK) and iptables -t raw -A OUTPUT -o lo -j CT --notrack along with appropriate rules in the INPUT and OUTPUT chains to allow --ctstate UNTRACKED will save unnecessarily consuming conntrack resources on loopback connections.

1

Steve · Answer 2 · 2013-02-28T05:36:18+08:00

Steve

2013-02-28T05:36:18+08:002013-02-28T05:36:18+08:00

This works (see comments):

#!/bin/sh
service iptables stop
iptables -F

# Unlike the script in the question, incoming TCP packets are allowed in by default.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Allow all loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow incoming SSH, HTTP and HTTPS
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow DNS responses
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT

# This is new: Drop all incoming TCP packets with the SYN bit set.
iptables -A INPUT -p tcp --syn -m state --state NEW -j DROP

service iptables save
service iptables restart

I tested this quite thoroughly with netcat.

0

iptables TCP handshake on Centos 6.0

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?