
iptables input, output rules

I need help with these iptables rules. I don't understand why the INPUT rule for port 8080 is needed.

Server with public IP 123.123.123.123:

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

iptables -I INPUT 1 -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp --dport 8080 -s 123.123.123.123 -j ACCEPT

When I disable the INPUT rule for 8080, the firewall blocks port 8080.

When the SERVER tries to open GET 123.123.123.123:8080, it fails (response timeout). Why?

Why didn't the ESTABLISHED,RELATED rule allow it?

iptables -I INPUT 1 -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

^ This works for connections that are already established, so it doesn't catch any new connections.

iptables -A INPUT -p tcp --dport 8080 -s 123.123.123.123 -j ACCEPT

^ And this one catches anything that tries to send TCP packets to 123.123.123.123:8080 and accepts it. If you can't connect to that service when this entry is not present, it is because there is something further down your chain that catches the traffic and does -j REJECT or -j DROP

...or you have a REJECT or DROP policy on this chain.

Run iptables -L INPUT to check that, and iptables -P INPUT ACCEPT to change it.

One easy way to see what is going on in your chain is iptables -L -n -v. The verbose parameter gives you the number of pkts and bytes for every rule, so by watching it you can figure out whether your rule is catching anything.

Thanks. The solution is not to enable INPUT ACCEPT,

but to allow all connections from the server to itself:

iptables -I INPUT 2 -p all -m state --state NEW -s 123.123.123.123 -j ACCEPT

I didn't realize that a new connection from the server is valid (OUTPUT is enabled), but the firewall then gets a NEW connection on INPUT ... that's not enabled by default.
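As an added example (not code from the question or the answer), here is a small Python model of the first-match walk through INPUT that the answer describes, using the three rules from this thread: the ESTABLISHED,RELATED rule, the --dport 8080 rule, and the NEW -s 123.123.123.123 rule the asker settled on. The conntrack part is a constructed simplification (only NEW and ESTABLISHED, learned when a packet is accepted); the client address 198.51.100.7 and the source ports are made up.

```python
# Toy first-match model of the INPUT chain from the post. Constructed for this
# example: "conntrack" is a set of flows, direction-agnostic, learned on ACCEPT.
SERVER = "123.123.123.123"
POLICY = "DROP"  # iptables -P INPUT DROP

def rule(target, states=None, proto=None, dport=None, src=None):
    return {"target": target, "states": states, "proto": proto,
            "dport": dport, "src": src}

# The three rules discussed in the thread.
ESTABLISHED_RELATED = rule("ACCEPT", states={"ESTABLISHED", "RELATED"})
NEW_FROM_SELF = rule("ACCEPT", states={"NEW"}, src=SERVER)  # the asker's fix
PORT_8080_FROM_SELF = rule("ACCEPT", proto="tcp", dport=8080, src=SERVER)

def flow_key(pkt):
    # Direction-agnostic, so the reply of a flow maps to the same entry.
    return (pkt["proto"], frozenset({(pkt["src"], pkt["sport"]),
                                     (pkt["dst"], pkt["dport"])}))

def matches(r, pkt, state):
    return ((r["states"] is None or state in r["states"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and (r["src"] is None or r["src"] == pkt["src"]))

def input_chain(rules, pkt, conntrack):
    """Walk INPUT top to bottom; first match wins, else the chain policy."""
    state = "ESTABLISHED" if flow_key(pkt) in conntrack else "NEW"
    verdict = next((r["target"] for r in rules if matches(r, pkt, state)), POLICY)
    if verdict == "ACCEPT":
        conntrack.add(flow_key(pkt))  # entry only survives if the packet got through
    return state, verdict

def tcp(src, sport, dst, dport):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}

def self_get(rules):
    """Server opens GET 123.123.123.123:8080 on itself: the SYN and the SYN-ACK
    both loop back through INPUT. Returns (state, verdict) per packet."""
    ct = set()
    out = [input_chain(rules, tcp(SERVER, 40000, SERVER, 8080), ct)]
    if out[0][1] == "ACCEPT":  # the reply only exists if the SYN got through
        out.append(input_chain(rules, tcp(SERVER, 8080, SERVER, 40000), ct))
    return out

def external_syn(rules, client="198.51.100.7"):
    """A NEW connection from another host: shows that -s scopes the NEW rule."""
    return input_chain(rules, tcp(client, 50000, SERVER, 8080), set())
```

With only the ESTABLISHED,RELATED rule the SYN to self is NEW, matches nothing and hits the DROP policy, which is the timeout in the question; with either of the other two rules the SYN is accepted and the reply then matches as ESTABLISHED.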

粤ICP备18138465号  © 2020-2024 STACKOOM.COM