iptables "match" question
Posted by Onur, 03-11-2012, 07:14 PM
Hello,
I am trying to secure my server and I found an iptables script.
This script works perfectly, but when I try to modify the SSH string to
it doesn't accept connections. Also, I cannot make any outgoing connections. I think it has something to do with the "-m state" part of the configuration, but I couldn't figure it out.
I want to drop all incoming connections except SSH but allow any outgoing connections. Should I change it to
or do anything other than this?
Thanks
Posted by fabin, 03-11-2012, 11:14 PM
That will be like
Posted by Onur, 03-12-2012, 07:36 AM
Thank you for the information. I forgot to say that I am working in an OpenVZ container. I have set "iptables -P OUTPUT ACCEPT", but it didn't work; there is still no outgoing connection except SSH. Can it be a routing problem?
Posted by eenvo, 03-13-2012, 05:48 PM
If you're in an OpenVZ container, your ethernet interface probably isn't eth0, so you need to change "-i eth0" to match your actual interface. Look at the output of "/sbin/ifconfig" and find the interface name that has your IP (it might be "venet0", for example), and use that instead of eth0 in your iptables rules. See how that works!
Posted by Onur, 03-13-2012, 06:16 PM
Thank you, eenvo. That was my first mistake, and I corrected it after my first post.
I have been doing some research on this issue and I have found that OpenVZ does not really "virtualize" the iptables modules if no IPTABLES_MODULES variable is set in vz.conf. After adding the needed modules in vz.conf, it worked like a charm.
The OpenVZ manual says that the OpenVZ kernel "virtualizes" the kernel modules to the containers. In my opinion, this means the IPTABLES_MODULES variable in vz.conf should have nothing to do with it, because if I enable the needed modules at startup of the HW node, all of them will be virtualized to the containers. It seems to work (I will explain this below), but, sorry, it doesn't actually work, or I couldn't make it work. Maybe the container is somehow broken, or there is something I forgot. In any case, I couldn't manage to handle it without defining the IPTABLES_MODULES variable in vz.conf.
To check the configuration, I tried the ipt_ULOG iptables module. I removed the IPTABLES_MODULES variable from vz.conf, loaded all the needed modules at HW node startup, and installed ulogd on the Debian container with no problems (ulogd requires ipt_ULOG to be loaded before install). But I was still having outgoing connectivity problems, even with "venet0" set in the iptables script.
Then I added the IPTABLES_MODULES variable to vz.conf and also added ipt_ULOG at the end of the list of iptables modules. However, I got "Warning, unknown iptables module: ipt_ULOG, skipping" and ulogd didn't work.
Any help, input, comment on this issue will be appreciated.
Last edited by Onur; 03-13-2012 at 06:27 PM. Reason: typo mistakes
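The following is an added example, not a script posted in this thread, covering both the policy Onur asked for in the first post (drop everything inbound except SSH, allow all outbound, using the "-m state" match) and the two OpenVZ pitfalls that came up afterwards: the interface is venet0 rather than eth0, and the state match only works inside the container if the node exposes the module. The interface name venet0, the address 203.0.113.10, the SSH port 22 and the sample `ip -o -4 addr` output are all assumptions constructed for the demonstration; the probe chain name is arbitrary.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny inbound except SSH, allow
# all outbound, stateful, for a container whose interface may not be eth0.

# Return the interface that carries an IPv4 address, parsed from `ip -o -4 addr`
# output passed in as $2 (so a captured sample can be fed in for testing).
iface_for_ip() {
    addr="$1"; ip_out="$2"
    printf '%s\n' "$ip_out" |
        awk -v a="$addr" '$3 == "inet" { split($4, p, "/"); if (p[1] == a) { print $2; exit } }'
}

# Emit the ruleset in iptables-restore format. $1 = inbound interface, $2 = SSH port.
# Policy: INPUT and FORWARD drop by default, OUTPUT accepts; replies to our own
# outbound traffic come back via ESTABLISHED,RELATED; only new SSH is let in.
build_ruleset() {
    iface="$1"; port="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $iface -p tcp --dport $port -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Probe whether the kernel seen by this container actually accepts the "state"
# match: add one rule to a temporary chain, then remove it. Returns 0 on success.
# In an OpenVZ container this fails until the node lists the state/conntrack
# modules in IPTABLES_MODULES in vz.conf (assumption based on the thread).
state_match_available() {
    iptables -N vz_probe 2>/dev/null || return 1
    iptables -A vz_probe -m state --state ESTABLISHED -j RETURN 2>/dev/null
    rc=$?
    iptables -F vz_probe 2>/dev/null
    iptables -X vz_probe 2>/dev/null
    return $rc
}

# Constructed, trimmed sample of `ip -o -4 addr` inside an OpenVZ container:
# the public address sits on venet0, not eth0.
SAMPLE_IP_OUT='1: lo    inet 127.0.0.1/8 scope host lo
2: venet0    inet 127.0.0.2/32 scope host venet0
2: venet0    inet 203.0.113.10/32 brd 203.0.113.10 scope global venet0:0'

if [ "${1:-}" = "--apply" ]; then
    # Live mode: refuse to load a ruleset whose rules the kernel cannot match,
    # otherwise iptables-restore would fail and leave the old rules in place.
    state_match_available || {
        echo "state match unavailable; on an OpenVZ node add the modules to IPTABLES_MODULES in /etc/vz/vz.conf and restart the container" >&2
        exit 1
    }
    IFACE=$(iface_for_ip "${2:?usage: $0 --apply <container-ip>}" "$(ip -o -4 addr)")
    [ -n "$IFACE" ] || { echo "no interface carries $2" >&2; exit 1; }
    build_ruleset "$IFACE" 22 | iptables-restore
else
    # Dry run on the constructed sample: print the ruleset that would be loaded.
    build_ruleset "$(iface_for_ip 203.0.113.10 "$SAMPLE_IP_OUT")" 22
fi
```

Run without arguments to see the generated ruleset for the sample; run `--apply 203.0.113.10` as root inside the container to load it. Because OUTPUT is ACCEPT and INPUT has the ESTABLISHED,RELATED rule before the drop policy, outgoing connections work only when the state match really is available, which is exactly the symptom Onur saw when it was not: the policy looked right, but the rule that admits reply packets was never matching.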