iptables blocking everything

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
zonathen
Forum User
Posts: 56
Joined: Mon Jan 15, 2007 2:03 am

iptables blocking everything

Unread post by zonathen »

Something is changing iptables to block everything; when it's on I can't even ping google from the server. This seems to happen with an autoshun from ASL. Is there a misconfiguration with ASL? How can I figure out what should be in the firewall and stop this from happening?

If I list out what's currently blocked I get:

iptables -L INPUT -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   536 ASL-WHITELIST  all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    8   536 ASL-WHITELIST  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    8   536 ASL-ACTIVE-RESPONSE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    8   536 ASL-UPDATES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    8   536 ASL-BLACKLIST  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    8   536 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ASL-TORTIXD-ACL  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 ctstate NEW 
    0     0 ACCEPT     tcp  --  lo     *       0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 ctstate NEW 
    0     0 ASL-GEO-BLACKLIST  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ASL-TOR    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ASL-OPENPROXIES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ASL-AUTOSHUN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ASL-EMERGING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state INVALID 
    0     0 ASL-CIARMY  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ASL-ELASSO  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ASL-LASSO  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ASL-DSHIELD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID 
    0     0 ASL-Firewall-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0        
Thanks
hostingg
Forum User
Posts: 63
Joined: Mon Mar 18, 2013 6:26 pm
Location: Earth

Re: iptables blocking everything

Unread post by hostingg »

Wrong command for outbound; run this instead:

iptables -L OUTPUT -v -n
If everything was easy, then the world wouldn't need engineers.
zonathen
Forum User
Posts: 56
Joined: Mon Jan 15, 2007 2:03 am

Re: iptables blocking everything

Unread post by zonathen »

Thanks, actually both inbound and outbound are being blocked. Here is the output of the outbound:

iptables -L OUTPUT -v -n
Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            80.82.124.228       tcp dpt:80 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            80.82.124.228       tcp dpt:443 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            74.208.77.16        tcp dpt:80 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            74.208.77.16        tcp dpt:443 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            74.208.64.28        tcp dpt:80 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            74.208.64.28        tcp dpt:443 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            74.208.173.236      tcp dpt:80 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            74.208.173.236      tcp dpt:443 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            74.208.172.195      tcp dpt:80 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            74.208.172.195      tcp dpt:443 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            198.71.54.72        tcp dpt:80 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            198.71.54.72        tcp dpt:443 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            198.71.51.132       tcp dpt:80 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            198.71.51.132       tcp dpt:443 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            173.203.184.213     tcp dpt:80 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            173.203.184.213     tcp dpt:443 ctstate NEW,RELATED,ESTABLISHED 
    0     0 ASL-UPDATES  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 ctstate NEW 
    0     0 ASL-UPDATES  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 ctstate NEW 
47390 6827K ASL-BLACKLIST  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
47375 6830K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
  131 14312 ASL-GEO-BLACKLIST  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  163 18953 ASL-TOR    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  307 39695 ASL-OPENPROXIES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  387 51228 ASL-AUTOSHUN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  487 65668 ASL-EMERGING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  575 82851 ASL-CIARMY  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1287  185K ASL-ELASSO  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1335  192K ASL-LASSO  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1391  200K ASL-DSHIELD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           ctstate INVALID 
    1    60 ASL-SPAMASSASSIN-UPDATES  all  --  *      *       0.0.0.0/0            0.0.0.0/0      
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4119
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: iptables blocking everything

Unread post by mikeshinn »

So what I see from that output is that the only rules that you've selected that would block anything outbound are the third party and user custom blacklists. Those rules will also log anything they block (unless logging has been disabled, but the default is to log everything). What events do you see in /var/log/messages when you cannot connect outbound?
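The listings above only show the top-level INPUT and OUTPUT chains; the actual DROP rules live inside the ASL-* sub-chains they jump to, and the counters tell you which of those rules are matching. The following script is an added example (it is not part of this thread and not Atomicorp or ASL code): it reads the full `iptables -L -v -n` output for every chain and prints only the DROP/REJECT rules whose packet counter is non-zero, together with the chain they sit in. The sample input is constructed, modelled on the OUTPUT listing in this thread; the body of the ASL-BLACKLIST chain and the addresses in it (203.0.113.0/24 and 198.51.100.7 are documentation ranges) are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not Atomicorp/ASL code): find which DROP/REJECT rules are
# actually matching traffic, given "iptables -L -v -n" output for all chains.
# Prints one line per matching rule: chain<TAB>target<TAB>pkts<TAB>rule text.

find_blocking_rules() {
    awk '
        /^Chain /           { chain = $2; next }   # start of a new chain
        /^ *pkts +bytes/    { next }               # column header line
        NF == 0             { next }               # blank line between chains
        ($3 == "DROP" || $3 == "REJECT") && $1 != "0" {
            rule = $4                              # prot opt in out src dst [matches]
            for (i = 5; i <= NF; i++) rule = rule " " $i
            printf "%s\t%s\t%s\t%s\n", chain, $3, $1, rule
        }
    '
}

# Constructed sample input, modelled on the OUTPUT listing in this thread.
# The ASL-BLACKLIST chain body and its addresses are made up (203.0.113.0/24
# and 198.51.100.7 are reserved documentation ranges, not real hosts).
SAMPLE='Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
47390 6827K ASL-BLACKLIST  all  --  *      *       0.0.0.0/0            0.0.0.0/0
47375 6830K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           ctstate INVALID

Chain ASL-BLACKLIST (2 references)
 pkts bytes target     prot opt in     out     source               destination
   15   900 DROP       all  --  *      *       0.0.0.0/0            203.0.113.0/24
    0     0 DROP       all  --  *      *       0.0.0.0/0            198.51.100.7'

# Demonstration on the constructed sample. On the affected host you would
# instead zero the counters, reproduce the failure, then feed the live
# listing in (-x prints exact counters instead of 6827K-style abbreviations):
#   iptables -Z; ping -c 3 www.google.com; iptables -L -v -n -x | find_blocking_rules
printf '%s\n' "$SAMPLE" | find_blocking_rules
```

Zeroing the counters with `iptables -Z` immediately before reproducing the failed ping is what makes the output meaningful: counters otherwise accumulate since the rules were loaded, and rules that ASL inserted at different times (as the increasing counts down the OUTPUT chain above suggest) cannot be compared with each other. The rule this script prints is the one to look up in /var/log/messages, where the blacklist chains log what they drop.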