Centos – Iptables rule to allow only one port and block others

centosfirewalliptablesnetstat

We have two apps running (on top of linux) and both communicates through port 42605. I wanted to quickly verify if this is the only port that's been used for communication between them. I tried below rule, but it doesn't seems to work. So, just wanted to get this clarified, if I am doing it wrong.

Following is the sequence of commands i ran

iptables -I INPUT -j REJECT
iptables -I INPUT -p tcp --dport 42605 -j ACCEPT
iptables -I INPUT -p icmp -j ACCEPT
iptables -I OUTPUT -p tcp --dport 42605 -j ACCEPT

So, this will get added in reverse order since I am inserting it.

I wanted to allow incoming and outgoing communications from and to 42605. Does the above rule looks good or am I doing it wrong?

Another question, would this be the right way to test, or maybe I should use "netstat" command to see which port has connection established with the other ip?

Best Answer

We can make INPUT policy drop to block everything and allow specific ports only

# allow established sessions to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow your application port
iptables -I INPUT -p tcp --dport 42605 -j ACCEPT
# allow SSH 
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# Allow Ping
iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow localhost 
iptables -A INPUT -i lo -j ACCEPT
# block everything else 
iptables -A INPUT -j DROP

Another question, would this be the right way to test, or maybe I should use "netstat" command to see which port has connection established with the other ip?

Yes, you can check netstat -antop | grep app_port and you can also use strace :

strace -f -e trace=network -s 10000 PROCESS ARGUMENTS

To monitor an existing process with a known pid:

strace -p $( pgrep application_name) -f -e trace=network -s 10000

Related Solutions

Iptables: Matching Outgoing Traffic with Conntrack and Owner – Troubleshooting Drops

To cut a long story short, that ACK was sent when the socket didn't belong to anybody. Instead of allowing packets that pertain to a socket that belongs to user x, allow packets that pertain to a connection that was initiated by a socket from user x.

The longer story.

To understand the issue, it helps to understand how wget and HTTP requests work in general.

wget http://cachefly.cachefly.net/10mb.test

wget establishes a TCP connection to cachefly.cachefly.net, and once established sends a request in the HTTP protocol that says: "Please send me the content of /10mb.test (GET /10mb.test HTTP/1.1) and by the way, could you please not close the connection after you're done (Connection: Keep-alive). The reason it does that is because in case the server replies with a redirection for a URL on the same IP address, it can reuse the connection.

Now the server can reply with either, "here comes the data you requested, beware it's 10MB large (Content-Length: 10485760), and yes OK, I'll leave the connection open". Or if it doesn't know the size of the data, "Here's the data, sorry I can't leave the connection open but I'll tell when you can stop downloading the data by closing my end of the connection".

In the URL above, we're in the first case.

So, as soon as wget has obtained the headers for the response, it knows its job is done once it has downloaded 10MB of data.

Basically, what wget does is read the data until 10MB have been received and exit. But at that point, there's more to be done. What about the server? It's been told to leave the connection open.

Before exiting, wget closes (close system call) the file descriptor for the socket. Upon, the close, the system finishes acknowledging the data sent by the server and sends a FIN to say: "I won't be sending any more data". At that point close returns and wget exits. There is no socket associated to the TCP connection anymore (at least not one owned by any user). However it's not finished yet. Upon receiving that FIN, the HTTP server sees end-of-file when reading the next request from the client. In HTTP, that means "no more request, I'll close my end". So it sends its FIN as well, to say, "I won't be sending anything either, that connection is going away".

Upon receiving that FIN, the client sends a "ACK". But, at that point, wget is long gone, so that ACK is not from any user. Which is why it is blocked by your firewall. Because the server doesn't receive the ACK, it's going to send the FIN over and over until it gives up and you'll see more dropped ACKs. That also means that by dropping those ACKs, you're needlessly using resources of the server (which needs to maintain a socket in the LAST-ACK state) for quite some time.

The behavior would have been different if the client had not requested "Keep-alive" or the server had not replied with "Keep-alive".

As already mentioned, if you're using the connection tracker, what you want to do is let every packet in the ESTABLISHED and RELATED states through and only worry about NEW packets.

If you allow NEW packets from user x but not packets from user y, then other packets for established connections by user x will go through, and because there can't be established connections by user y (since we're blocking the NEW packets that would establish the connection), there will not be any packet for user y connections going through.

Linux – iptables will match the following ICMP request packet as ESTABLISHED state after the first reply packet is sent

As you suggest, connection tracking obviously records your ICMP "session" and thus it considers the packets to be in ESTABLISHED state once a ping-pong roundtrip has been executed.

To achieve your goal of throttling ICMP requests you move the "drop all other ICMP" rule (third rule in your screenshot) just below the rule that accepts echo requests with rate limiting. This way the ESTABLISHED rule will not get considered for ICMP packets.

However since ICMP packets are also used to communicate various problems, I strongly recommend you add a rule accepting all icmp packets with a type other than "echo-request" to make sure you don't get problems with for example TCP connections (as an example, "Connection refused" is communicated using ICMP). The rule I suggest is:

iptables -A INPUT -p icmp ! --icmp-type echo-request -j ACCEPT

and put it right below your rate limiting rule accepting ECHO requests and just above the "drop all other ICMP" rule.

Best Answer

Related Solutions

Iptables: Matching Outgoing Traffic with Conntrack and Owner – Troubleshooting Drops

Linux – iptables will match the following ICMP request packet as ESTABLISHED state after the first reply packet is sent

Related Question