iptables issues
Outbound: Accept all
Inbound: Accept SSH, Minecraft, pings, and anything on loopback, reject everything else
I tried the following set of rules to accomplish the above.
#Loopback stuff
-A INPUT -i lo -j ACCEPT
#Accept whatever's already established
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#SSH
-A INPUT -p tcp -m state --state NEW --dport 9001 -j ACCEPT
#Ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#Minecraft
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25565 -j ACCEPT
#Log fails
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#Reject everything else
-A INPUT -j REJECT
#Outbound
-A OUTPUT -j ACCEPT
I flushed iptables in case any rules were already set, then tried a restore with the above. This fails with: iptables-restore: line 2 failed
I tried commenting that out to see if the error would change, but it just fails on line 5 instead… then 8 if I comment that too. It looks like it won't accept any of these rules.
My webserver (not currently on Linode) uses almost the exact same ruleset, just with web and mail ports open rather than the MC port. Both servers are Ubuntu 10 LTS, both are on iptables 1.4.4. The kernel is different, 2.6.something vs. 3.0.0. I'm not sure if that changes anything major.
I'm probably missing something stupid here, but I can't figure out what. Any help would be appreciated.
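Added example, not part of the original post or the replies: the same rules written in the file format iptables-restore actually parses. iptables-restore only accepts "-A ..." lines between a "*table" line and the matching "COMMIT"; a file that starts straight with "-A INPUT ..." is rejected at the first rule line, which is the "line 2 failed" seen above (line 1 being the comment). The ports 9001 and 25565 are taken from the post; the ":FORWARD DROP" policy is an addition on the assumption that the box does not route, and the "[0:0]" counters are the packet:byte counts iptables-save writes. The ruleset_check function is a hypothetical helper that reports the first rule line sitting outside a table, i.e. the same line number iptables-restore would complain about.

```shell
#!/bin/sh
# Added example (not from the thread): the OP's rules wrapped in the
# "*filter" header, chain policy lines and "COMMIT" that
# iptables-restore requires. Without the header every "-A" line is
# outside a table and iptables-restore reports "line N failed".

SSH_PORT=9001    # non-standard SSH port from the original post
MC_PORT=25565    # Minecraft server port from the original post

# Print a complete ruleset in iptables-save / iptables-restore format.
# The final "-j REJECT" rule is what denies everything else, exactly as
# in the posted rules; the chain policies are only reached when a
# packet matches no rule at all.
make_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback
-A INPUT -i lo -j ACCEPT
# Accept whatever is already established
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
-A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -j ACCEPT
# Ping (echo request only)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Minecraft
-A INPUT -p tcp -m state --state NEW --dport $MC_PORT -j ACCEPT
# Log what is about to be rejected, rate limited so the log cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject everything else
-A INPUT -j REJECT
# Outbound
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Hypothetical structural check on a ruleset read from stdin: every rule
# line must sit between a "*table" line and its "COMMIT". Exit status 0
# when the file is well formed, 1 plus a message naming the line otherwise.
ruleset_check() {
    awk '
        /^[ \t]*$/ || /^#/ { next }
        /^\*/      { if (in_table) { bad = 1; print "nested table at line " NR; exit 1 }
                     in_table = 1; next }
        /^COMMIT$/ { if (!in_table) { bad = 1; print "COMMIT outside table at line " NR; exit 1 }
                     in_table = 0; next }
        !in_table  { bad = 1; print "rule outside table at line " NR; exit 1 }
        END        { if (!bad && in_table) { print "missing COMMIT"; exit 1 } }
    '
}

# Validate the generated file, then load it (run as root). Afterwards
# "iptables-save" shows the loaded state in this same format.
apply_ruleset() {
    make_ruleset | ruleset_check || return 1
    make_ruleset | iptables-restore
}
```

Running make_ruleset | ruleset_check passes, while piping the posted file (a comment followed by a bare "-A INPUT" line) into it reports "rule outside table at line 2". The same check is worth keeping around for any hand-edited ruleset before it is loaded at boot, since a failed restore on a headless box leaves whatever rules were active before it (possibly none).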
3 Replies
@Trerro:
> I'm trying to set up a simple firewall using iptables. The server in question is purely a Minecraft server, and will be running basically nothing else. This makes the rules I need quite simple:
Can you execute those commands manually one by one with iptables? If not, perhaps it'll give more useful errors?
Or, dumb suggestion, but if you've got Ubuntu 10.04, and are just looking for a basic firewall setup to match your basic minecraft server, how about using ufw. Install ufw, then:
ufw allow to any port 9001
ufw allow to any port 25565
and you should be done. Might need "ufw enable" the first time to activate, I can't remember. It'll have loopback, ping and logging all set up by default.
– David
Or, use ufw and get the job done in three commands (including "ufw enable").
> Can you execute those commands manually one by one with iptables? If not, perhaps it'll give more useful errors?
> Also, iptables-restore only works (reliably) with files generated by iptables-save. You should set things up "on the fly" and then use iptables-save to create the ruleset.
Yep, this was the problem. It worked fine when I line-by-lined it. Thanks.
> Or, dumb suggestion, but if you've got Ubuntu 10.04, and are just looking for a basic firewall setup to match your basic minecraft server, how about using ufw. Install ufw, then:
> ufw allow to any port 9001
> ufw allow to any port 25565
> and you should be done. Might need "ufw enable" the first time to activate, I can't remember. It'll have loopback, ping and logging all set up by default.
I actually was considering this (ufw came up when I was Googling for an answer). I wanted to understand why it was failing though, for the sake of learning and slowly becoming less of a newbie.