iptables ruleset to allow http

Hello gentlemen.
I want to solve a little problem with iptables.

Let's suppose that I have a valid ruleset called MYBLOCK with all the IPs I want to block.

$ iptables --list

Chain FORWARD (policy DROP)
DROP       all  --  anywhere             anywhere            set MYBLOCK src,dst

Everything works fine, but if I have this IP, 2.2.2.2, in the ruleset, I can't access it via browser because I've blocked it (drop). Is there a way to block the IP but allow me to access it via browser (allow destination port 80 and 443)?

ipset v4.5, protocol version 4
iptables v1.3.8

This is the command I use to apply my ruleset:

$ iptables -I FORWARD -m set --set MYBLOCK src,dst -j DROP

In short, I don't know how to make iptables allow destination port 80. I've tried everything without success :(

Please tell me if you need more info.
Thanks in advance for your attention and support.

Not tested, but the rules would be something like the following:

iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

From my point of view, the offered solution should work, but with the FORWARD chain instead of INPUT and OUTPUT.

The former rule denies only forwarded traffic and not local traffic, so I assume that the asker uses it as a transparent FW; therefore the rules should be placed before the DROP rule and in the FORWARD chain.
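
The ordering described in the last reply, as an added example that is not part of the original posts: it builds FORWARD-chain ACCEPT rules for ports 80 and 443 at positions above the set-based DROP, and checks a chain listing for ACCEPT rules that ended up below it. The function names are hypothetical, and the old `--set` match syntax is assumed because the thread uses iptables v1.3.8 (newer releases use `--match-set`).

```shell
#!/bin/sh
# Added example; function names are hypothetical, set name and syntax follow the thread.
SET_NAME="MYBLOCK"
WEB_PORTS="80 443"

# Print the iptables commands, one per line. Positions start at 1 so that
# every ACCEPT is inserted above the existing "set MYBLOCK ... DROP" rule.
web_exception_rules() {
    pos=1
    for port in $WEB_PORTS; do
        # Client -> blocked host: the blocked address is the destination.
        echo "iptables -I FORWARD $pos -p tcp --dport $port -m set --set $SET_NAME dst -m state --state NEW,ESTABLISHED -j ACCEPT"
        pos=$((pos + 1))
        # Blocked host -> client: replies only, never new connections.
        echo "iptables -I FORWARD $pos -p tcp --sport $port -m set --set $SET_NAME src -m state --state ESTABLISHED -j ACCEPT"
        pos=$((pos + 1))
    done
}

# Read "iptables -L FORWARD" output on stdin (target in column 1, as in the
# listing in the question). Succeeds only if no ACCEPT rule that references
# the set appears after the DROP rule for the same set, because the first
# matching rule wins and a later ACCEPT would never be reached.
accepts_precede_drop() {
    awk -v set="$SET_NAME" '
        index($0, "set " set) == 0 { next }
        $1 == "DROP"               { seen_drop = 1 }
        $1 == "ACCEPT" && seen_drop { bad = 1 }
        END { exit bad + 0 }
    '
}

# Show the commands; review them, then run as root with: web_exception_rules | sh
web_exception_rules
```

After applying, `iptables -L FORWARD | accepts_precede_drop` returns non-zero if an exception landed below the DROP rule.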