
I am new to iptables. I created a script that resets iptables (reset.sh) and another script (ip-chains.sh) that creates chains like input and output chains. In the same script (ip-chains.sh), at the bottom, I created a rule just to test allowing incoming and outgoing port 2121, which I am using for FTP.

The problem is when I run reset script I can access FTP server, but when I run ip-chains.sh script I can't. I am confused because I have the rule in the same script file to allow traffic on port 2121.

I am using eth1 to connect to the FTP server 192.168.1.0 and eth2 to connect to the client machine. Here is my ip-chains.sh script:

    #!/bin/bash

    # Flush tables and set policies to drop

    iptables -F
    # Also delete the user-defined chains, otherwise running the script a second time
    # fails at "iptables -N" with "Chain already exists"
    iptables -X

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # Create logging chain for accepted packets on INPUT chain

    iptables -N accept-input

    # Rules for accept-input chain

    iptables -A accept-input -j LOG --log-prefix "INPUT-ACCEPTED "
    iptables -A accept-input -j ACCEPT

    # Create logging chain for dropped packets on INPUT chain

    iptables -N drop-input

    # Rules for drop-input chain

    iptables -A drop-input -j LOG --log-prefix "INPUT-DROPPED "
    iptables -A drop-input -j DROP

    # Create logging chain for accepted packets on OUTPUT chain

    iptables -N accept-output

    # Rules for accept-output chain

    iptables -A accept-output -j LOG --log-prefix "OUTPUT-ACCEPTED "
    iptables -A accept-output -j ACCEPT

    # Create logging chain for dropped packets on OUTPUT chain

    iptables -N drop-output

    # Rules for drop-output chain

    iptables -A drop-output -j LOG --log-prefix "OUTPUT-DROPPED "
    # Must be DROP: the original ACCEPT let every unmatched outgoing packet through
    # while logging it as dropped
    iptables -A drop-output -j DROP

    # Allow port 2121 (OUTPUT rules jump to accept-output, not accept-input,
    # so the log prefix matches the chain the packet came from)

    iptables -A INPUT -i eth1 -p tcp -s 0/0 --dport 2121 -m state --state NEW,ESTABLISHED,RELATED -j accept-input
    iptables -A OUTPUT -o eth1 -p tcp -d 0/0 --sport 2121 -m state --state ESTABLISHED,RELATED -j accept-output

    iptables -A INPUT -i eth2 -p tcp -s 0/0 --dport 2121 -m state --state NEW,ESTABLISHED,RELATED -j accept-input
    iptables -A OUTPUT -o eth2 -p tcp -d 0/0 --sport 2121 -m state --state ESTABLISHED,RELATED -j accept-output

    # Log all DROPPED traffic

    iptables -A INPUT -j drop-input
    iptables -A OUTPUT -j drop-output

    iptables -L -n

2 Answers


Be careful: when you flush your rules with iptables -F you flush all your rules, but not your policy! So if you have policy DROP you can easily get locked out of your system!

Usually it is safer to set policy ACCEPT with a DROP as the last rule of the chain. Or, while you're working remotely on your firewall, set up a cron job to set policy ACCEPT and run iptables -F every five or ten minutes; in this way you are sure to have access to your system in any case.

In your script you have iptables -P FORWARD DROP and there are no rules from eth1 to eth2 and vice versa. You have to set iptables -P FORWARD ACCEPT or add some rules to the FORWARD chain to solve your problem, for example:

    # server side (eth1) -> client side (eth2): replies from the FTP control port
    iptables -A FORWARD -p tcp -i eth1 -o eth2 --sport 2121 -j ACCEPT
    # client side (eth2) -> server side (eth1): connections to the FTP control port
    iptables -A FORWARD -p tcp -i eth2 -o eth1 --dport 2121 -j ACCEPT
andreatsh
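A script that checks for the state the first answer describes (FORWARD policy DROP with no rule from the client side to the server side) and adds the forwarding rules with connection tracking; this is an added example, not code from the question or the answer. It assumes the question's layout (client behind eth2, FTP server behind eth1, control port 2121); DRY_RUN and the helper names are my own.

```shell
#!/bin/bash
# Added example, not code from the question or either answer. Assumes the
# question's layout: FTP client behind eth2, FTP server behind eth1, port 2121.
CLIENT_IF="${CLIENT_IF:-eth2}"
SERVER_IF="${SERVER_IF:-eth1}"
FTP_PORT="${FTP_PORT:-2121}"
DRY_RUN="${DRY_RUN:-}"   # set to anything to print the rules instead of applying them

ipt() {
    if [ -n "$DRY_RUN" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Reads "iptables -S FORWARD" output on stdin. Returns 0 (true) when the policy is
# DROP and no ACCEPT rule lets traffic from the client side reach the server side,
# which is the state the question's script leaves the firewall in. The pattern is
# deliberately plain: it only recognises rules written with explicit -i/-o.
forward_path_blocked() {
    local listing policy
    listing=$(cat)
    policy=$(printf '%s\n' "$listing" | sed -n 's/^-P FORWARD \([A-Z]*\).*/\1/p')
    [ "$policy" = "DROP" ] || return 1
    printf '%s\n' "$listing" |
        grep -q -- "^-A FORWARD -i $CLIENT_IF -o $SERVER_IF .*-j ACCEPT" && return 1
    return 0
}

# The FORWARD rules the answer asks for, with connection tracking doing the work:
# packets of existing connections pass in either direction, but only the client
# side may open a new connection, and only to the FTP control port. RELATED also
# admits the FTP data channel once the kernel's FTP helper is loaded for this
# port (modprobe nf_conntrack_ftp ports=2121), which the answer does not cover.
forward_rules() {
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$CLIENT_IF" -o "$SERVER_IF" -p tcp --dport "$FTP_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Whatever still reaches the DROP policy is logged, so a lock-out is visible.
    ipt -A FORWARD -j LOG --log-prefix "FORWARD-DROPPED "
}

case "${1:-}" in
    --check)   iptables -S FORWARD | forward_path_blocked && echo "FORWARD blocks $CLIENT_IF -> $SERVER_IF" ;;
    --dry-run) DRY_RUN=1; forward_rules ;;
    --apply)   forward_rules ;;
esac
```

Run it with --check as root to see whether the live FORWARD chain is in the blocked state, and with --dry-run to review the rules before --apply.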

Use -v to see where packets have landed:

    iptables --list -n -v
mikejonesey