4

I recently bough new KVM/VPS once I install OpenResty(nginx fork) and run it , my server were not accepting incoming connection on the test port 8080 I manage to solve the issue by adding port 8080 to allowed rules ,

iptables -I INPUT  -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp --sport 8080 -m conntrack --ctstate ESTABLISHED     -j ACCEPT

but I still can't understand the default rules that comes with my VPS 

 pkts bytes   target           prot opt in     out     source               destination                              
 361K 1192M ACCEPT             all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    60     ACCEPT         all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 464K   70M INPUT_direct       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 464K   70M INPUT_ZONES_SOURCE all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 464K   70M INPUT_ZONES        all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1324 61332 DROP               all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 458K   70M REJECT             all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

specially the last line is it blocks all incoming traffic !

Improve this question

1 Answer 1

Reset to default
5

iptables rules are evaluated top-down. If a packet matches one of the rules, it does what the ACTION of the rule defines. Usually that is REJECT, ACCEPT, DROP, REDIRECT (to a different port) or jump to a CHAIN.

The last rule is just a generic rule that triggers when no previous rule has triggered. Basically it's a "by default, reject anything that doesn't match a previous rule". That is standard and a good practice when implementing firewalls.

The icmp-host-prohibited is just the reject message with whom the packet gets rejected. That means that your server will notify the sender that the packet was rejected with that message.

Note that for a better hardening, it's recommended to DROP messages instead of REJECT them, because the latter may give an attacker some info like for example "this host exists and has rejected your packet", whereas DROP won't provide such information.

Improve this answer
3
  • Great explain , I miss rules order part , +I agree with you about use DROP instead of REJECT specially to block some small attacks ,iptables is great tools but it commands very primitives need some times to tweak it well .Last do you know simple way to receive connection message with command line tools of via some language like (C/PHP)
    – Salem F
    Commented Feb 9, 2019 at 22:16
  • Do you mean capture packets on the machine? If so, you can use a tool like tcpdump or ngrep.
    – nKn
    Commented Feb 11, 2019 at 8:50
  • I mean the reply message form the other machine , e.g if I use curl won't show me that message , I don't know tcpdump .
    – Salem F
    Commented Mar 1, 2019 at 22:24

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .