In my CentOS 6 I added an iptables rule setting the policy to DROP everything, like

    iptables -P INPUT DROP

Then I allowed ports 22, 80 and 443 with these commands:

    iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

    iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Now I can access SSH with PuTTY, but I can't access the Internet. I need to know the exact cause of this. Please help me.

  • You allow incoming traffic to local ports 80, 443, 22 but are you allowing the return traffic from your outgoing connections (which are different from what you show) back in? (You need a rule similar to iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT for this. In most situations that should be among the first rules in the chain.)
In order to diagnose this accurately we would need to see your iptables rules, which you can provide using 'iptables -vnL'.

iptables rules are order-specific.

Most likely you have a "DENY" rule before the -A rules you just added. I'm pretty sure that by default Red Hat/CentOS allow port 22 in the default configuration, but not the other ports, which is why SSH is working. You can easily test this theory by modifying "-A INPUT" to "-I INPUT". The -I inserts the rules at the beginning of the filter; the -A appends them at the end.

Again, using 'iptables -vnL' will show you the counters and, if you have a controlled environment, it can assist you in working out which rule is hitting which packet.


First, we can't see all your rules, but you need this one for sure:

    iptables -I INPUT 1 -m conntrack -j ACCEPT --ctstate RELATED,ESTABLISHED


If I assume that in your iptables you have the following rules:

    iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

    iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

and the default policy you have set for the INPUT chain is:

    iptables -P INPUT DROP

A default policy means you have told the kernel to drop all packets that are not explicitly allowed via other rules. So either you change the default policy or add an additional line to allow them:

    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

It will allow any further related/established connection traffic over ports 22, 443 and 80.

  • Other than ports 443 and 80, you would also like to open ports for DNS to resolve the address. Commented May 17, 2022 at 9:55
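As an added illustration of the ordering and conntrack points made in the answers above (this is not code from the page or from iptables, only a small Python model of first-match chain evaluation): it shows that the asker's ruleset accepts an inbound SSH connection but drops the reply half of outgoing HTTPS and DNS connections, and that inserting an ESTABLISHED,RELATED rule at position 1 fixes that. Packet fields, the ephemeral ports and the interface name are constructed.

```python
"""Model of iptables first-match evaluation on the INPUT chain (constructed
example, not iptables itself): why reply packets of outgoing connections are
dropped until an ESTABLISHED,RELATED rule is present and ordered first."""

def rule(target, dport=None, proto=None, ctstate=None, iface=None):
    """A rule is match criteria plus a target; None means 'match anything'."""
    return {"target": target, "dport": dport, "proto": proto,
            "ctstate": ctstate, "iface": iface}

def matches(r, pkt):
    """Every criterion that is set on the rule must match the packet."""
    for key in ("iface", "proto", "dport"):
        if r[key] is not None and r[key] != pkt[key]:
            return False
    return r["ctstate"] is None or pkt["ctstate"] in r["ctstate"]

def evaluate(chain, policy, pkt):
    """First matching rule wins (-I vs -A decides the order); else the policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

# The asker's ruleset: -P INPUT DROP plus the three appended ACCEPT rules.
ASKER_CHAIN = [rule("ACCEPT", dport=80, proto="tcp", iface="eth0"),
               rule("ACCEPT", dport=443, proto="tcp", iface="eth0"),
               rule("ACCEPT", dport=22, proto="tcp", iface="eth0")]

# Same chain after: iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
FIXED_CHAIN = [rule("ACCEPT", ctstate={"ESTABLISHED", "RELATED"})] + ASKER_CHAIN

# Constructed packets: an inbound SSH SYN, plus the reply halves of an outgoing
# HTTPS connection and an outgoing DNS query (remote port -> local ephemeral port).
PACKETS = {
    "ssh_new": {"iface": "eth0", "proto": "tcp", "dport": 22, "ctstate": "NEW"},
    "https_reply": {"iface": "eth0", "proto": "tcp", "dport": 51234, "ctstate": "ESTABLISHED"},
    "dns_reply": {"iface": "eth0", "proto": "udp", "dport": 40001, "ctstate": "ESTABLISHED"},
}

def verdicts(chain, policy="DROP"):
    """Verdict for each constructed packet under the chain and default policy."""
    return {name: evaluate(chain, policy, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("asker:", verdicts(ASKER_CHAIN))  # replies DROP, so no Internet access
    print("fixed:", verdicts(FIXED_CHAIN))  # replies ACCEPT
```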

