
iptables vps classic 1 DNS doesn't work but ssh does


unreal
13-02-2015, 21:04
And the magic solution, the local network.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

And it works.

unreal
13-02-2015, 16:55
Hello,

Why doesn't DNS work for me while SSH does? Where did I make a mistake? Everything looks fine to me.
Code:
root@vpsxxxx:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain state NEW
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
root@vpsxxxxx:~#
Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ip-fr-rule.sh
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO


iptables -F
iptables -X

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# PORT LIST
#
# 80 www
# 110 POP3
# 9000 PHP
# 21 FTP
# 22 ssh
# 25 smtp
# 53 dns
# 143 imap
# 443 https
# 23 telnet
# 3306 mysql
#
#

#INPUT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 53  -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW  -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW  -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#OUTPUT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

An nmap scan shows port 53 as open. And after changing everything except ssh to --dport, DNS lookups from inside the server work (e.g. apt-get update), but CloudFlare still doesn't see the server. And if I turn the firewall off completely it does see it, so the problem is definitely in there.
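The same DROP-by-default policy with the loopback rules from the reply above and the --dport change the poster tried, written as an added example rather than the poster's own script. It assumes iptables with the state match as in the posted output, and it can print the rule set (list_rules) before anything is applied as root (apply_firewall).

```shell
#!/bin/sh
# Added example, not the poster's script: the thread's ruleset with the two
# changes discussed. IPT defaults to iptables (apply as root); list_rules
# prints the rules instead, so the set can be reviewed first.
IPT="${IPT:-iptables}"

apply_firewall() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Fix 1 (the reply above): loopback. A resolver or any daemon listening on
    # 127.0.0.1 is unreachable under OUTPUT DROP without these two rules.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Return traffic for every accepted flow, in both directions.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services this VPS provides: the server side is --dport in INPUT.
    for p in 22 53 80 443; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Fix 2 (the --dport change the poster tried): the VPS as a client.
    # New outbound DNS, HTTP and HTTPS is what apt-get update needs; replies
    # come back through ESTABLISHED, so the old --sport rules are not needed.
    for p in 53 80 443; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
}

# Dry run: print each iptables invocation as one line instead of executing it.
print_rule() { printf '%s\n' "$*"; }
list_rules() { ( IPT=print_rule; apply_firewall ); }

# Uncomment to apply for real (root):  apply_firewall
```

Check the loaded set with `iptables -L -v -n`: without -v the listing omits the in/out interface columns, so the two lo rules do not show up in a plain `iptables -L`.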