Ping a Specific Port

Question

Phuong Nguyen

Asked: 2014-12-17 07:25:24 +0800 CST2014-12-17 07:25:24 +0800 CST 2014-12-17 07:25:24 +0800 CST

iptables-restore is creating dangerous rule

772

I'm having this definition file:

*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Firewall-INPUT - [0:0]
-A INPUT -j Firewall-INPUT
-A FORWARD -j Firewall-INPUT
-A Firewall-INPUT -i lo -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

# Ping
-A Firewall-INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Accept any established connections
-A Firewall-INPUT -m conntrack --ctstate  ESTABLISHED,RELATED -j ACCEPT

# Enable the traffic between the nodes of the cluster
-A Firewall-INPUT -s 10.0.1.1 -j ACCEPT

# Allow connections from docker container
-A Firewall-INPUT -i docker0 -j ACCEPT

# Accept ssh, http, https and git
-A Firewall-INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,2222,80,443 -j ACCEPT

# Log and drop everything else
-A Firewall-INPUT -j LOG
-A Firewall-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

I then invoke iptables-restore with these rules:

/sbin/iptables-restore < /tmp/iptables-rules-save

After that, I run iptables -L and get this:

Chain INPUT (policy DROP)
target     prot opt source               destination
Firewall-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
Firewall-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain Firewall-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.1             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            ctstate NEW multiport dports ssh,EtherNet/IP-1,http,https
LOG        all  --  anywhere             anywhere            LOG level warning
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

As you can see it is adding a dangerous rule that accept all packets from any source to any interface on the server.

What is the wrong thing with my setup that lead to that? How to fix it?

P/S: I run this one on a Digital Ocean CentOS 6.5 droplet

1 Answers

Voted

John · Answer 1 · 2014-12-17T08:00:40+08:00

Best Answer

John

2014-12-17T08:00:40+08:002014-12-17T08:00:40+08:00

The default output for iptables -L doesn't show you interfaces, so it doesn't show you the exact rule. Try running iptables -L -v to get the interface included in the output - the destination column is a network address, not an interface. The output with -v will show the exact rules you've created.

4

iptables-restore is creating dangerous rule

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?