
Author Topic: How to configure IPtables properly on Kloxo MR?  (Read 3448 times)


Offline lenawaii

How to configure IPtables properly on Kloxo MR?
« on: 2015-03-05, 06:01:23 »
Hi there,

I want to secure my VPS with iptables and I have an issue applying the firewall rules. Before that I wanted to be sure about the open ports on Kloxo MR, so I installed nmap and with the command # nmap localhost, I get the list below:

--------------------

Starting Nmap 5.51 ( http://nmap.org ) at 2015-03-05 10:20 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000011s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 988 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

--------------------

To create all my firewall rules, I created an executable file /etc/sysconfig/iptables with the content below:

--------------------

#!/bin/sh

# Flush the current chains and delete the custom ones
iptables -t filter -F
iptables -t filter -X
echo "Clear rules : OK"

# Deny all incoming and outgoing connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo "Block all connections : OK"

# SYN-Flood Protection
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP
# Send new TCP connections through the chain (it was created but never referenced)
iptables -A INPUT -p tcp --syn -j syn-flood
echo "SYN-Flood Protection : OK"

# Do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Established connections : OK"

# Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo "Loopback : OK"

# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# SSH In/Out
iptables -t filter -A INPUT -p tcp --dport 6490 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 6490 -j ACCEPT
echo "SSH : OK"

# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
echo "DNS : OK"

# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo "NTP : OK"

# HTTP + HTTPS Out/In
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
echo "HTTP/HTTPS : OK"

# FTP Out/In
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "FTP : OK"

# Mail SMTP/SMTPS
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
# SMTPS is 465 (the original had a typo, 456)
iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT
echo "SMTP/SMTPS : OK"

# Mail Submission
iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
echo "Submission : OK"

# Mail POP3/POP3S
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
echo "POP3/POP3S : OK"

# Mail IMAP/IMAPS
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 993 -j ACCEPT
echo "IMAP/IMAPS : OK"

# MySQL
iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT
echo "MySQL : OK"

# Kloxo
iptables -t filter -A INPUT -p tcp --dport 7777:7778 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7777:7778 -j ACCEPT
echo "Kloxo : OK"

--------------------

The problem is that when I want to apply my rules with the command # /etc/init.d/iptables start, I get the error below:

iptables: Applying firewall rules: iptables-restore: line 4 failed  [FAILED]

I've tried to resolve it by myself, but without success. I'd appreciate any help, thanks.



Offline lenawaii

Re: How to configure IPtables properly on Kloxo MR?
« Reply #1 on: 2015-03-05, 08:56:58 »
Well, I found the solution by myself. In fact, I needed to delete the wrong iptables file, add all the command lines manually in the SSH console, then do:

# iptables-save | sudo tee /etc/sysconfig/iptables
# service iptables restart

The firewall rules file is then properly generated. If you modify the rules afterwards, you need to save the file again with the command:

# service iptables save

If you don't manage to make iptables work on Kloxo MR, ask me. I'll be glad to help :-)
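The init script hands /etc/sysconfig/iptables to iptables-restore, which expects the iptables-save format (`*filter`, `:CHAIN POLICY [0:0]`, `-A ...`, `COMMIT`) rather than shell commands, so the first `iptables` line of the script in the opening post, line 4 after the shebang, blank line and comment, is the one it rejects. The converter below is an added example, not code from this thread or from Kloxo-MR: it rewrites a script of `iptables` commands into that format, handling only the filter table and dropping the `-F`/`-X` and `echo` lines, which have no equivalent in a restore file.

```shell
#!/bin/sh
# Added example (not from the original post): turn a script of "iptables ..."
# commands into the iptables-save format that iptables-restore reads.
# Assumptions: only the filter table is wanted; rules of other tables,
# -F/-X flushes and echo lines are skipped (a restore replaces the table anyway).
to_iptables_save() {
  awk '
    /^iptables / {
      sub(/^iptables +/, "")
      if ($1 == "-t" && $2 != "filter") next      # rule for another table
      sub(/^-t +filter +/, "")
      if ($1 == "-P") { policy[$2] = $3; next }     # default chain policy
      if ($1 == "-N") { chains[++n] = $2; next }    # user-defined chain
      if ($1 == "-A") { rules[++r] = $0; next }     # keep rules in order
      # -F, -X and anything else have no equivalent in a restore file
    }
    END {
      print "*filter"
      split("INPUT FORWARD OUTPUT", builtin, " ")
      for (i = 1; i <= 3; i++) {
        c = builtin[i]
        printf ":%s %s [0:0]\n", c, ((c in policy) ? policy[c] : "ACCEPT")
      }
      for (i = 1; i <= n; i++) printf ":%s - [0:0]\n", chains[i]
      for (i = 1; i <= r; i++) print rules[i]
      print "COMMIT"
    }'
}

# Usage: to_iptables_save < firewall.sh > /etc/sysconfig/iptables
```

Check the result with `iptables-restore --test < /etc/sysconfig/iptables` before `service iptables restart`; afterwards `service iptables save` rewrites the file from the running rule set, as Reply #1 describes.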

Offline lenawaii

Re: How to configure IPtables properly on Kloxo MR?
« Reply #2 on: 2015-03-05, 09:35:49 »
Well, I have another problem, but not on the same VPS. With the other one I have trouble with the command lines, but with this one I get this error:

# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables: No chain/target/match by that name.

Do you have any idea about this error? No answer on Google, thanks for the help.

Offline MRatWork (Administrator)
Re: How to configure IPtables properly on Kloxo MR?
« Reply #3 on: 2015-03-05, 09:53:59 »
I don't use a firewall (iptables), so I have no advice for your issue.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

 

