connection state ESTABLISHED,RELATED is not working in my iptables...?
Posted by samiram, 11-13-2008, 07:56 PM |
Accept If input interface is lo
Accept If state of connection is ESTABLISHED,RELATED
Drop If protocol is ICMP
Accept If protocol is TCP and destination port is 80
Accept If protocol is TCP and destination port is 99
Accept If protocol is TCP and destination port is 25
Accept If protocol is TCP and destination port is 110
Accept If protocol is TCP and destination port is 10000
Accept If protocol is TCP and destination port is 21
Accept If protocol is TCP and destination port is 30000:30500
Accept If protocol is UDP and destination port is 53
Accept If protocol is UDP and source port is 53
Accept If protocol is TCP and destination port is 445
Accept If protocol is TCP and destination port is 2390
This is in my incoming packet rules.
Outgoing packets are all accepted.
So if I make a connection from the server, the input rules should accept the replies, because it is an established and related connection. But it won't work. Any ideas about it?
My VPS is running on CentOS 5.2 Final,
and the control panel is Webmin.
|
Posted by vapetrov, 11-13-2008, 08:20 PM |
Please show the output of
iptables -L -n
__________________
Private remote administrator of Linux servers - www.petrov.ks.ua
Quality hosting - Host-Web-Site.com
|
Posted by samiram, 11-13-2008, 08:55 PM |
Quote:
Originally Posted by vapetrov
Please show the output of
iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:99
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:30000:30500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2390
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
|
Posted by SysAdminMan, 11-13-2008, 10:56 PM |
When you say "...connection from the server..." what is it you're trying to connect to?
And what IP address are you using, 127.0.0.1 or a public address?
RELATED,ESTABLISHED refers to connections that have already been initiated, rather than to the fact that the connection is coming from the server.
__________________
sysadminman Server Administration - http://sysadminman.net
UK based VOIP virtual servers
|
Posted by XH-manojR, 11-13-2008, 11:02 PM |
I got a bit confused about your query.
Could you please explain it in more detail?
That could help WHTers to solve the issue for you.
regards,
manojR
|
Posted by samiram, 11-14-2008, 06:11 AM |
Sorry if what I'm telling is not clear.
Let's say I'm trying to send mail using SMTP to an outside server.
Normally, when I put the ESTABLISHED,RELATED rule on the input chain, the SMTP connections work fine and mail is sent to the outside server without a problem.
But now it won't work. I even tried telnetting to the outside server's port 25, but it didn't work.
But after I put a rule like "accept source port 25 connections" in the incoming chain, it's working.
That's a small example of the problem I'm having.
If you need further info please tell me, because I'm really stuck here and don't have a clue what to do.
|
Posted by SysAdminMan, 11-14-2008, 11:32 AM |
Is it just port 25 that isn't working? Is the server at home?
A lot of ISPs block outbound connections on port 25 to stop you running mail servers.
__________________
sysadminman Server Administration - http://sysadminman.net
UK based VOIP virtual servers
|
Posted by samiram, 11-14-2008, 12:29 PM |
Quote:
Originally Posted by bucasia
Is it just port 25 that isn't working? Is the server at home?
A lot of ISPs block outbound connections on port 25 to stop you running mail servers.
No, it's a VPS.
I have two of them with different providers.
One is working with this and the other won't.
I tried using the same rules from the working one,
but it didn't help.
|
Posted by vapetrov, 11-14-2008, 01:20 PM |
Quote:
Originally Posted by samiram
No, it's a VPS.
I have two of them with different providers.
One is working with this and the other won't.
I tried using the same rules from the working one,
but it didn't help.
It seems you need to ask the hosting administrator to investigate this issue.
Maybe the connection is blocked at the physical server level.
Are you able to connect to remote hosts if the firewall is stopped?
Please show the output of
iptables-save
ifconfig
route
__________________
Private remote administrator of Linux servers - www.petrov.ks.ua
Quality hosting - Host-Web-Site.com
|
Posted by samiram, 11-14-2008, 01:32 PM |
Quote:
Originally Posted by vapetrov
It seems you need to ask the hosting administrator to investigate this issue.
Maybe the connection is blocked at the physical server level.
Are you able to connect to remote hosts if the firewall is stopped?
Please show the output of
iptables-save
ifconfig
route
Yes, I can access them after the firewall is off.
iptables-save -
# Generated by iptables-save v1.3.5 on Fri Nov 14 21:58:52 2008
*mangle
:PREROUTING ACCEPT [5246:545199]
:INPUT ACCEPT [5246:545199]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6323:6267029]
:POSTROUTING ACCEPT [6323:6267029]
COMMIT
# Completed on Fri Nov 14 21:58:52 2008
# Generated by iptables-save v1.3.5 on Fri Nov 14 21:58:52 2008
*filter
:INPUT DROP [167:18531]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6323:6267029]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 99 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30500 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2390 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 --dport 80 -j ACCEPT
COMMIT
# Completed on Fri Nov 14 21:58:52 2008
ifconfig -
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:229 errors:0 dropped:0 overruns:0 frame:0
TX packets:229 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:118161 (115.3 KiB) TX bytes:118161 (115.3 KiB)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:56406 errors:0 dropped:0 overruns:0 frame:0
TX packets:35775 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:69507813 (66.2 MiB) TX bytes:11917631 (11.3 MiB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:216.***.***.*** P-t-P:216.***.***.*** Bcast:216.***.***.*** Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
venet0:1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:216.***.***.*** P-t-P:216.***.***.*** Bcast:216.***.***.*** Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
route -
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.0.2.0 * 255.255.255.0 U 0 0 0 venet0
169.254.0.0 * 255.255.0.0 U 0 0 0 venet0
default 192.0.2.1 0.0.0.0 UG 0 0 0 venet0
|
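The thread reports that the INPUT chain above only passes SMTP replies once an explicit --sport 25 rule is added. This added example (not from the thread or from any poster) parses an excerpt of the posted ruleset and walks a reply packet through it the way the kernel would, once with the state match available and once modelling a kernel in which the state match never fires; the venet0 interface name and the ephemeral port 43210 are constructed values.

```python
# Constructed excerpt of the INPUT chain posted above (same rules, same order).
IPTABLES_SAVE = """\
*filter
:INPUT DROP [167:18531]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30500 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
COMMIT
"""

def parse_chain(text, chain="INPUT"):
    # Returns (policy, rules); each rule is a dict of the matches it carries.
    policy, rules = None, []
    for line in text.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        if not line.startswith(f"-A {chain} "):
            continue
        toks = line.split()
        rule = {"target": toks[toks.index("-j") + 1]}
        for flag, key in (("-i", "iface"), ("-p", "proto"), ("--sport", "sport"),
                          ("--dport", "dport"), ("--state", "states")):
            if flag in toks:
                rule[key] = toks[toks.index(flag) + 1]
        rules.append(rule)
    return policy, rules

def matches(r, pkt, conntrack):
    # All matches must hold; an absent key means "any". Ports: "25" or range "30000:30500".
    inrange = lambda spec, p: int(spec.split(":")[0]) <= p <= int(spec.split(":")[-1])
    return (r.get("iface", pkt["iface"]) == pkt["iface"]
            and r.get("proto", pkt["proto"]) == pkt["proto"]
            and ("sport" not in r or inrange(r["sport"], pkt["sport"]))
            and ("dport" not in r or inrange(r["dport"], pkt["dport"]))
            and ("states" not in r or (conntrack and pkt["state"] in r["states"].split(","))))

def verdict(policy, rules, pkt, conntrack=True):
    # First match wins, else the chain policy; conntrack=False models a state match that never fires.
    return next((r["target"] for r in rules if matches(r, pkt, conntrack)), policy)

def smtp_reply_verdicts():
    # Reply from remote port 25 to our constructed ephemeral port 43210, arriving on venet0.
    policy, rules = parse_chain(IPTABLES_SAVE)
    reply = {"iface": "venet0", "proto": "tcp", "sport": 25, "dport": 43210, "state": "ESTABLISHED"}
    return {"state rule, conntrack": verdict(policy, rules[:-1], reply, True),
            "state rule, no conntrack": verdict(policy, rules[:-1], reply, False),
            "sport 25 rule, no conntrack": verdict(policy, rules, reply, False)}
```

The third case reproduces the poster's workaround: a source-port rule accepts any packet claiming source port 25 regardless of connection state, which is why it "works" even when the state match does not.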
Posted by WeWatch, 11-16-2008, 09:13 PM |
Have you tried adding a rule to ACCEPT NEW connections?
Without it, you're accepting ESTABLISHED, RELATED but not NEW.
Otherwise, I think if you move your rule with ESTABLISHED, RELATED to the end, you might be able to connect.
__________________
Thomas J. Raef
WeWatchYourWebsite - so you don't have to!
Report: How Cybercriminals Use Your Website to Deliver Their Malware
|