IP Tables allow 80 and 443 only for Management


Expected Behaviour:

Allow ports 80 and 443 only for the PiHole Management interface.
I would also like to keep the current iptables configuration that times out connections to speed up the process of ad blocking.

cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Fri Sep  7 08:54:11 2018
*filter
:INPUT ACCEPT [8:512]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:1008]
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Sep  7 08:54:11 2018

Actual Behaviour:

I have set up my SSL certificate under lighttpd.conf. If I clear the iptables rules I am able to connect with https.
But I don't really like the idea of clearing the iptables rules.

How can I keep the existing iptables rules but also allow 80 and 443 for the Pi-hole interface?

/moderator (@mibere) edit: public debug token output removed

If you're serving your own content on 80 and 443 then you don't need iptables to block access to those ports.

The iptables rules you see there are the defaults.

Check Section 2

I don't want to break anything, since Pi-hole has worked fine over the last year.

Yes, I am familiar with the iptables rules. iptables will only open or close ports. If you want to have content served via 80 or 443 then you can not block those ports with iptables.

From what I understand, the iptables that are listed there have nothing to do with PiHole's functionality. Therefore I have flushed the iptables and added the following:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -p tcp -j DROP

Can you please confirm?
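A way to answer "can you please confirm?" without touching a live box is to walk the INPUT chain the way netfilter does and ask which Pi-hole listeners a new inbound connection can still reach. The script below is an added example, not code from the thread or from the Pi-hole project. It embeds both rulesets quoted above (the distinct lines of the default dump, and the replacement rules from the last post) as constructed input, and assumes the usual Pi-hole listeners: 53/udp and 53/tcp for dnsmasq/FTL, 80/tcp for the web interface, and 443/tcp for the HTTPS setup described here (67/udp would also matter if Pi-hole's DHCP server were enabled). The check shows that the default rules only block 443/tcp, while the replacement rules block 80/tcp and 53/tcp; DNS clients fall back to TCP for truncated responses, so dropping 53/tcp is a real regression. A ruleset that accepts all four listeners is included as a constructed fix.

```python
"""Evaluate an iptables-save style INPUT chain for specific packets.

Added example for the thread above. Only the matches that appear in the
quoted rulesets are modelled: -p, --dport, -i, and conntrack --ctstate.
"""

# Distinct rules from the default dump in the first post (constructed copy).
DEFAULT_RULES = """\
*filter
:INPUT ACCEPT [8:512]
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Replacement rules from the last post (constructed copy, default policy assumed ACCEPT).
NEW_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -p tcp -j DROP
COMMIT
"""

# Constructed fix: same shape as NEW_RULES but every Pi-hole listener is accepted.
FIXED_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
COMMIT
"""

# Assumed Pi-hole listeners (name -> (protocol, destination port)).
PIHOLE_SERVICES = {
    "dns/udp": ("udp", 53),
    "dns/tcp": ("tcp", 53),
    "http": ("tcp", 80),
    "https": ("tcp", 443),
}


def parse_rule(line):
    """Turn one '-A INPUT ...' line into a dict of match criteria plus target."""
    rule = {"proto": None, "dport": None, "iface": None, "ctstate": None, "target": None}
    toks = line.split()
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            rule["proto"] = toks[i + 1]
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
        elif t == "-i":
            rule["iface"] = toks[i + 1]
        elif t == "--ctstate":
            rule["ctstate"] = set(toks[i + 1].split(","))
        elif t == "-j":
            rule["target"] = toks[i + 1]
        else:
            i += 1  # '-A INPUT', '-m tcp', '--reject-with X', ...: no effect on matching
            continue
        i += 2
    return rule


def parse_rules(text):
    """Return (INPUT policy, ordered list of INPUT rules) from iptables-save text."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(parse_rule(line))
    return policy, rules


def verdict(ruleset, proto, dport, iface="eth0", state="NEW"):
    """First matching rule wins, exactly as netfilter walks the chain."""
    policy, rules = ruleset
    for r in rules:
        if r["proto"] and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["iface"] and r["iface"] != iface:
            continue
        if r["ctstate"] and state not in r["ctstate"]:
            continue
        return r["target"]
    return policy


def missing_services(ruleset):
    """Names of Pi-hole listeners a NEW connection from the LAN cannot reach."""
    return sorted(name for name, (proto, port) in PIHOLE_SERVICES.items()
                  if verdict(ruleset, proto, port) != "ACCEPT")


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_RULES), ("new", NEW_RULES), ("fixed", FIXED_RULES)):
        print(f"{label:8s} blocked: {missing_services(parse_rules(text)) or 'none'}")
```

The evaluator is deliberately narrow (no source-address, state-machine or NAT handling); it is meant for a quick sanity check of a small host ruleset before it is loaded with iptables-restore, not as a general firewall simulator.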
