April 2, 2011

iptables is blocking wget [SOLVED]

I got an issue with my linux from scratch system. I have managed to get it all runnning fine with networking and ssh. My problem has come when setting up a firewall with IpTables. This my first time using IpTables as im use to using the simple UFW tool in ubuntu.

It was all going well until i tried to use wget.

when i try and use wget this is what happens:

[someone@somewhere:~]# wget http://ftp.mozilla.org/pub/mozilla.org/js/js185-1.0.0.tar.gz
--2011-04-02 10:11:30-- http://ftp.mozilla.org/pub/mozilla.org/js/js185-1.0.0.tar.gz
Resolving ftp.mozilla.org... 63.245.209.125
Connecting to ftp.mozilla.org|63.245.209.125|:80...

this is my iptables script:

# message
echo -n ">>Applying firewall rules... "

# flush current rules
$ip -F
$ip -X
$ip -Z

# Accept packets belonging to established and related connections
$ip -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow FTP connections @ port 21
$ip -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$ip -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow Active FTP Connections
$ip -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ip -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

# Allow Passive FTP Connections
$ip -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$ip -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

#Enable DNS
$ip -A INPUT -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$ip -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$ip -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$ip -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# Enable SSH
$ip -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
$ip -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT

# Enable HTTP and HTTPS
$ip -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT

$ip -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT

# Enable PING
$ip -A INPUT -p icmp -m icmp -j ACCEPT
$ip -A OUTPUT -p icmp -m icmp -j ACCEPT

# Default to DROP all
$ip -P INPUT DROP
$ip -P OUTPUT DROP
$ip -P FORWARD DROP

#Allow Loop Back
$ip -A INPUT -i lo -j ACCEPT
$ip -A OUTPUT -o lo -j ACCEPT
echo "Done!"

I have checked my kernel configuration and all the nessersery networking bits have been compiled into it.

If i set the Pollicy to
INPUT ALLOW
OUTPUT ALLOW
FORWARD DROP

wget works then.

thanks in advance!