I am attempting to set up an Explicit Allow policy on my 20.04 Ubuntu web server. By running the following:
iptables -P INPUT DROP
Also added rules for ssh, http and https, resulting in the following rule set:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Everything works as expected. However, when attempting to install certbot via snap or clone a GitHub repo, the connections are blocked. Verified by temporarily allowing all INPUT:
iptables -P INPUT ACCEPT
My question is, how do I go about determining what INPUT rules to create to support those actions? Or any other actions in the future?
I recognize I likely need the port #, but I am just unsure how to determine what that is. Or is it as simple as allowing all INPUT from that source (i.e., https://api.snapcraft.io, https://github.com)?
Thanks in advance for your help.
Best Answer
You need to allow for packets that are in response to any outgoing session started by you. This rule is needed:
Where: $EXTIF is your interface name; $UNIVERSE is 0.0.0.0/0 (or just leave it out); $EXTIP is your IP address (which you could leave out also).
To help determine what additional INPUT rules might be needed for proper operation of your server add a logging rule as your last INPUT chain rule before control passes through to your default DROP policy.
Be careful, as it might generate a great many log entries. By default the log entries will be in
/var/log/syslog
and /var/log/kern.log
Additionally, you do not have a local interface ACCEPT rule (unless that is the rule you list without interfaces, use
sudo iptables -xvnL
). You need one (before the above):
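The three pieces the answer describes (a loopback ACCEPT, an ACCEPT for replies to sessions this host started, and a LOG rule sitting just ahead of the DROP policy) put together as an added example; this is not code from the question or the answer. It assumes the external interface is eth0, uses a constructed log prefix "INPUT-DROP: ", and renders the "response to outgoing sessions" rule in its conntrack ESTABLISHED,RELATED form. Without APPLY=1 (and root) it only prints the iptables commands. The second function reads the kernel LOG lines that rule produces and tallies dropped packets by protocol and destination port, which is the information you need to decide whether an additional ACCEPT rule is actually missing or whether the conntrack rule already covers the traffic.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Assumptions: external interface eth0, log prefix "INPUT-DROP: " (constructed),
# and the ssh/http/https ports from the poster's rule set.
EXTIF="${EXTIF:-eth0}"
LOG_PREFIX="INPUT-DROP: "   # trailing space keeps the prefix apart from IN=...

# Run iptables when APPLY=1, otherwise print the command (dry run; the
# printed form shows arguments unquoted, so the prefix appears as two words).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# INPUT rules in the order they must sit ahead of the default DROP policy:
#   1. loopback traffic (the rule the answer says is missing)
#   2. replies to sessions this host started, e.g. snap and git over HTTPS
#   3. the services the poster already allows
#   4. a rate-limited LOG rule as the very last rule, so whatever the DROP
#      policy eats is recorded in /var/log/kern.log and /var/log/syslog
install_input_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$EXTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -j ACCEPT
    ipt -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
    ipt -P INPUT DROP
}

# Tally LOG lines from that rule: reads log text on stdin and prints
# "count PROTO DPT" (DPT is "-" for protocols without ports), highest count
# first. Lines without the prefix are ignored.
summarize_drops() {
    grep -F "$LOG_PREFIX" \
    | awk '{
        proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7);
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5);
        }
        if (proto != "") counts[proto " " (dpt == "" ? "-" : dpt)]++;
    }
    END { for (k in counts) print counts[k], k }' \
    | sort -k1,1nr -k2
}

# Constructed sample of what the LOG rule writes (not real captured traffic).
SAMPLE_LOG='Jan  1 00:00:01 web kernel: [  100.0] INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=8080 SYN
Jan  1 00:00:02 web kernel: [  101.0] INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=8080 SYN
Jan  1 00:00:03 web kernel: [  102.0] INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=UDP SPT=123 DPT=123
Jan  1 00:00:04 web kernel: [  103.0] INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Jan  1 00:00:05 web kernel: unrelated line that should be ignored'

# Usage: sh this_script.sh demo            (dry run plus the sample tally)
#        APPLY=1 sh this_script.sh demo    (as root, actually installs rules)
#        grep INPUT-DROP /var/log/kern.log | sh -c '. ./this_script.sh; summarize_drops'
if [ "${1:-}" = "demo" ]; then
    install_input_rules
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
fi
```

Once the conntrack rule is in place, a snap install or git clone should no longer show up in the tally at all, because their packets are replies to connections the server opened; anything that still appears is inbound traffic nobody asked for, and the PROTO/DPT pair tells you exactly which ACCEPT rule to weigh adding.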