Cannot apt-get behind my iptables rules


I'm trying to configure a new server's iptables.
Here are my rules inside a firewall.sh script that I execute:

#!/bin/bash

# Ports recap:
# ---- web: 80, 443
# ---- mail: 25 (smtp), 465 (smtps), 143 (imap), 993 (imaps), 110 (pop), 995 (pops)
# ---- ssh: 22
# ---- ftp: 20

# Allowed tcp ports
ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
ALLOWED_TCP="80 443 22"

# Flush all rules from the filter table (INPUT, OUTPUT and FORWARD chains)
iptables -F

# Permit loopback interface traffic (because our host is not a router)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Drop invalid traffic (good idea since we use the connection tracking module)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Allow icmp traffic (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# Open the allowed tcp ports for incoming connections
for port in $ALLOWED_TCP
do
    iptables -A INPUT -p tcp --dport $port -j ACCEPT
done

# Allow DNS traffic
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Permit no more than 50 concurrent connections from the same ip address to our web server
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 50 -j DROP

# Allow all outgoing valid traffic
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP

The problem with those rules is that when I try to do:

apt-get install iptables-persistent

and then confirm with Y, the download freezes. I've done some tests and I know that without those rules the apt-get command works just fine, so I know there is something wrong with my iptables rules, but I can't figure out what.
Any idea?
(basically I have the same problem as apt-get not working with iptables)

UPDATE

I did a few tests, and this works (I removed the INPUT DROP policy at the end); however, I still don't get what in the INPUT is causing problems.

@Ryan Gibbons, yes my first ALLOWED_TCP line is just a template in case I want to activate more ports (only the second line is considered).

#!/bin/bash

# Ports recap:
# ---- web: 80, 443
# ---- mail: 25 (smtp), 465 (smtps), 143 (imap), 993 (imaps), 110 (pop), 995 (pops)
# ---- ssh: 22
# ---- ftp: 20

# Allowed tcp ports
ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
ALLOWED_TCP="80 443 22 53"

# Reset the policies to ACCEPT first (so re-running the script cannot lock us out), then flush the filter table
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

# Permit loopback interface traffic (because our host is not a router)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Drop invalid traffic (good idea since we use the connection tracking module)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Allow icmp traffic (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# Open the allowed tcp ports for incoming connections
for port in $ALLOWED_TCP
do
    iptables -A INPUT -p tcp --dport $port -j ACCEPT
done

# Permit no more than 50 concurrent connections from the same ip address to our web server
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 50 -j DROP

# Allow all outgoing valid traffic
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Set the default policy to drop
#iptables -P INPUT DROP
iptables -P OUTPUT DROP








  • You also need to accept established / related incoming traffic using something like -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    – Lenniey
    May 8 at 14:16
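Before changing rules it helps to see which packets the INPUT chain is actually throwing away. The script below is an added example (not part of the question or any answer): it appends a LOG rule as the last entry of INPUT, so everything it logs is about to hit the DROP policy, and then classifies the resulting kernel log lines. It assumes root access and a kernel with the LOG target; the two log lines embedded in it are constructed to match netfilter's LOG output format (IN=, SRC=, PROTO=, SPT=, DPT=, TCP flag words) and show the mirror's SYN/ACK reply to apt's outbound connection, which arrives with source port 80 and an ephemeral destination port that no --dport rule matches.

```bash
#!/bin/bash
# Diagnose what the INPUT chain drops instead of guessing at rules.
# Added example, not from the original question. Assumes root and the LOG
# target on the real host; the sample log lines are constructed.

# Step 1 (run as root on the host, AFTER all ACCEPT rules are in place):
# log what reaches the end of INPUT. The limit keeps a scan from flooding
# the log. Remove the rule again when done (iptables -D INPUT <num>).
log_input_drops() {
    iptables -A INPUT -m limit --limit 5/min -j LOG \
        --log-prefix "IPT-INPUT-DROP: " --log-level 4
}

# Step 2: read the lines from dmesg / journalctl -k. Two constructed samples:
# the mirror answering apt's connection (SYN/ACK, SPT=80, DPT=ephemeral),
# and an unsolicited SYN to a MySQL port from an unknown host.
SYNACK_LINE='May  8 14:05:12 srv kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=151.101.1.1 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=48214 WINDOW=28960 RES=0x00 ACK SYN URGP=0'
SYN_LINE='May  8 14:05:40 srv kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1234 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0'

# log_field LINE KEY -> value of the "KEY=value" token in a netfilter LOG line
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# classify_drop LINE -> one word: what kind of TCP packet was dropped
classify_drop() {
    local padded=" $1 " syn=0 ack=0
    [ "$(log_field "$1" PROTO)" = TCP ] || { echo non-tcp; return 0; }
    case $padded in *" SYN "*) syn=1 ;; esac
    case $padded in *" ACK "*) ack=1 ;; esac
    if [ $syn = 1 ] && [ $ack = 1 ]; then
        echo reply-to-outbound      # SYN/ACK: answer to a connection this host opened
    elif [ $syn = 1 ]; then
        echo new-inbound            # plain SYN: a remote host connecting to us
    else
        echo mid-connection         # data/FIN/RST of a flow conntrack already knows
    fi
}

# explain_drop LINE -> one-line diagnosis a human can act on
explain_drop() {
    local line=$1 kind
    kind=$(classify_drop "$line")
    case $kind in
        reply-to-outbound)
            echo "dropped reply from $(log_field "$line" SRC):$(log_field "$line" SPT) to local port $(log_field "$line" DPT): INPUT needs an ESTABLISHED,RELATED accept" ;;
        new-inbound)
            echo "dropped new connection from $(log_field "$line" SRC) to local port $(log_field "$line" DPT): expected unless that port should be open" ;;
        *)
            echo "dropped $kind packet from $(log_field "$line" SRC)" ;;
    esac
}

explain_drop "$SYNACK_LINE"
explain_drop "$SYN_LINE"
```

The first sample is exactly the apt "freeze": the outbound SYN was accepted by the OUTPUT chain, but the SYN/ACK coming back is judged by INPUT alone, where only loopback, ICMP, the listed --dport rules and the DROP policy exist. The second sample is the firewall doing its job. The same information is visible without logging in the packet counters of `iptables -L INPUT -v -n --line-numbers`, but the log line tells you which ports were involved.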


















iptables

asked May 8 at 13:10 by ling, edited May 8 at 14:07
2 Answers
First off, ALLOWED_TCP is only going to be 80, 443 and 22, as the second assignment overrides the first definition.

# Allowed tcp ports
ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
ALLOWED_TCP="80 443 22"

Next, you only use these to allow traffic on INPUT, meaning incoming to the server:

for port in $ALLOWED_TCP
do
    iptables -A INPUT -p tcp --dport $port -j ACCEPT
done

Then you never define what's allowed out from the server in OUTPUT besides DNS and related traffic,

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

and

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Then you set the default policy to drop outbound:

iptables -P OUTPUT DROP

It might be as simple as adding another line in your for loop that also adds those ALLOWED_TCP ports to OUTPUT, while keeping your outbound filtering.

    – Ryan Gibbons
    answered May 8 at 13:17






Actually I had a typo; the only error I had was using tcp for DNS (instead of udp).

So this script below will work just fine (and for those interested, I learned that syntax here: https://www.udemy.com/linux-security-the-complete-iptables-firewall-guide/):

@Ryan Gibbons, yes my first ALLOWED_TCP line is just a template in case I want to activate more ports (only the second line is considered).

UPDATE: fix typo
UPDATE2: fixed problem with apt install fail2ban

#!/bin/bash

# Ports recap:
# ---- web: 80, 443
# ---- mail: 25 (smtp), 465 (smtps), 143 (imap), 993 (imaps), 110 (pop), 995 (pops)
# ---- ssh: 22
# ---- ftp: 20

# Allowed tcp ports
ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
ALLOWED_TCP="80 443 22"

# Reset the policies to ACCEPT first (so re-running the script cannot lock us out), then flush the filter table
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

# Permit loopback interface traffic (because our host is not a router)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Drop invalid traffic (good idea since we use the connection tracking module)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Allow icmp traffic (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# Open the allowed tcp ports for incoming connections
for port in $ALLOWED_TCP
do
    iptables -A INPUT -p tcp --dport $port -j ACCEPT
done

# https://ubuntuforums.org/showthread.php?t=1441483
# DNS (accept replies coming from a resolver's port 53)
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT

# apt-get (accept replies coming from a mirror's port 80)
iptables -A INPUT -p tcp --sport 80 -j ACCEPT

# Permit no more than 50 concurrent connections from the same ip address to our web server
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 50 -j DROP

# Allow all outgoing valid traffic
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP





  • This will only work for HTTP traffic, no HTTPS or anything else. And why do you set the default policy two times?

    – Lenniey
    May 8 at 14:17

  • So that I can execute the script many times without being blocked outside the server (I did a few tests, and I blocked myself a couple of times, so I figured that since the script is only called once on every reboot, it doesn't matter if I "spend" two more lines defining a policy that I override later in the same script). In other words, as soon as I execute the script for the second time, the policy is still set on DROP, and I get blocked out, whereas with those two first lines, the policy is forced to ACCEPT before and so the rest of the script can continue.

    – ling
    May 8 at 14:28

  • 443 is actually https, so it would cover http, https and ssh (but yes, nothing else, but that's just a configurable template...).

    – ling
    May 8 at 14:29

  • I meant your added "# apt-get iptables -A INPUT -p tcp --sport 80 -j ACCEPT" line from before your edit...

    – Lenniey
    May 8 at 14:34
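The stateful rule Lenniey's comment on the question asks for, worked through as an added example; this is not code from the question or from either answer. The script in the answer above "works" only because of its --sport 53 and --sport 80 lines, and those are the wrong tool: any remote host that picks source port 80 or 53 for its own connections is then accepted on every local port (sshd, a database, anything listening), and the workaround stops working the moment a mirror is reached over HTTPS, which is Lenniey's point. What apt actually needs is for replies to connections this host opened (the mirror's SYN/ACK comes back with source port 80 or 443 and an ephemeral destination port that no --dport rule matches) to be accepted by connection state, which also covers DNS answers and ICMP errors. The generator below additionally moves the connlimit rule ahead of the per-port ACCEPT, because placed after it, as in every script on this page, it is never reached (first match wins), and it emits iptables-save syntax, which iptables-restore loads atomically (so the "-P ACCEPT before -F" trick is unnecessary) and which iptables-persistent reads from /etc/iptables/rules.v4 on Debian and Ubuntu. The port list, the connection limit, a non-routing host and root privileges for apply/save are assumptions.

```bash
#!/bin/bash
# Hardened ruleset for the host described on this page, emitted in
# iptables-save format. Added example, not the original poster's script.
# Assumptions: ALLOWED_TCP below, a non-routing host, root to apply/save.
set -eu

ALLOWED_TCP="22 80 443"   # assumed: ssh + web; add the mail ports here if needed
CONNLIMIT=50              # max concurrent web connections per source address

emit() { printf '%s\n' "$@"; }

# build_rules -> the complete filter table on stdout
build_rules() {
    local port
    emit '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'

    # Loopback is unconditionally trusted.
    emit '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'

    # Connection tracking. The ESTABLISHED,RELATED line is what the question's
    # script lacks: replies to connections this host opened arrive on INPUT with
    # an ephemeral destination port and would otherwise hit the DROP policy.
    # UDP is tracked too, so no separate DNS-reply rule is needed.
    emit '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    emit '-A INPUT -p icmp -j ACCEPT'

    # The limit must precede the per-port ACCEPT; after it (as in the original
    # scripts) it is dead code because the ACCEPT matches first.
    emit "-A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above $CONNLIMIT -j DROP"

    # Only NEW inbound connections need an explicit accept; replies are covered.
    for port in $ALLOWED_TCP; do
        emit "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Outbound: whatever this host initiates, plus replies to inbound connections.
    emit '-A OUTPUT -m conntrack --ctstate INVALID -j DROP'
    emit '-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT'
    emit 'COMMIT'
}

# iptables-restore replaces the whole table in one step: there is never a
# moment with an empty chain under a DROP policy, so re-running cannot lock
# you out and no "-P ACCEPT first" step is needed.
apply_rules() {
    build_rules | iptables-restore --test   # parse only; aborts on a bad rule
    build_rules | iptables-restore
}

# What iptables-persistent loads at boot (Debian/Ubuntu path).
save_rules() {
    build_rules > /etc/iptables/rules.v4
}

case "${1:-print}" in
    apply) apply_rules ;;
    save)  save_rules ;;
    *)     build_rules ;;     # default: just print the ruleset for review
esac
```

Run it with no argument to review the generated table, `apply` to load it live, and `save` to write the file iptables-persistent reads. The OUTPUT chain still lets every locally initiated connection out, as the original did; tightening that (for example to the mirror and resolver addresses only) is a separate decision, and the diagnostic LOG rule from the example after the question applies to OUTPUT drops just as well.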











    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "2"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f966383%2fcannot-apt-get-behind-my-iptables-rules%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    2














    First off, ALLOWED_TCP block is only going to be 80 443 and 22 as it's over riding the first definition.



    # Allowed tcp ports
    ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
    ALLOWED_TCP="80 443 22"


    Next you only use these in allowing on the INPUT, meaning incoming to the server



    for port in $ALLOWED_TCP
    do
    iptables -A INPUT -p tcp --dport $port -j ACCEPT
    done


    Then you never define what's allowed out from the server in OUTPUT besides DNS and related traffic,



    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT


    and



    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


    Then set default policy to drop outbound



    iptables -P OUTPUT DROP



    It might be as simple as in your for loop to add another line for adding those ALLOWED_TCP to OUTPUT while keeping your outbound filtering.






    share|improve this answer



























      2














      First off, ALLOWED_TCP block is only going to be 80 443 and 22 as it's over riding the first definition.



      # Allowed tcp ports
      ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
      ALLOWED_TCP="80 443 22"


      Next you only use these in allowing on the INPUT, meaning incoming to the server



      for port in $ALLOWED_TCP
      do
      iptables -A INPUT -p tcp --dport $port -j ACCEPT
      done


      Then you never define what's allowed out from the server in OUTPUT besides DNS and related traffic,



      iptables -A OUTPUT -p udp --dport 53 -j ACCEPT


      and



      iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


      Then set default policy to drop outbound



      iptables -P OUTPUT DROP



      It might be as simple as in your for loop to add another line for adding those ALLOWED_TCP to OUTPUT while keeping your outbound filtering.






      share|improve this answer

























        2












        2








        2







        First off, ALLOWED_TCP block is only going to be 80 443 and 22 as it's over riding the first definition.



        # Allowed tcp ports
        ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
        ALLOWED_TCP="80 443 22"


        Next you only use these in allowing on the INPUT, meaning incoming to the server



        for port in $ALLOWED_TCP
        do
        iptables -A INPUT -p tcp --dport $port -j ACCEPT
        done


        Then you never define what's allowed out from the server in OUTPUT besides DNS and related traffic,



        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT


        and



        iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


        Then set default policy to drop outbound



        iptables -P OUTPUT DROP



        It might be as simple as in your for loop to add another line for adding those ALLOWED_TCP to OUTPUT while keeping your outbound filtering.






        share|improve this answer













        First off, ALLOWED_TCP block is only going to be 80 443 and 22 as it's over riding the first definition.



        # Allowed tcp ports
        ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
        ALLOWED_TCP="80 443 22"


        Next you only use these in allowing on the INPUT, meaning incoming to the server



        for port in $ALLOWED_TCP
        do
        iptables -A INPUT -p tcp --dport $port -j ACCEPT
        done


        Then you never define what's allowed out from the server in OUTPUT besides DNS and related traffic,



        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT


        and



        iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


        Then set default policy to drop outbound



        iptables -P OUTPUT DROP



        It might be as simple as in your for loop to add another line for adding those ALLOWED_TCP to OUTPUT while keeping your outbound filtering.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered May 8 at 13:17









        Ryan GibbonsRyan Gibbons

        988920




        988920























            0














            Actually I had a typo, the only error I had was using tcp for DNS (instead of udp).



            So this script below will work just fine (and for those interested, I learned that syntax here: https://www.udemy.com/linux-security-the-complete-iptables-firewall-guide/):



            @Ryan Gibbons, yes my first ALLOWED_TCP line is just a template in case I want to activate more ports (only the second line is considered)



            UPDATE: fix typo
            UPDATE2: fixed problem with apt install fail2ban



            #!/bin/bash

            # Ports recap:
            # ---- web: 80, 443
            # ---- mail: 25 (smtp), 465 (smtps), 143 (imap), 993 (imaps), 110 (pop), 995 (pops)
            # ---- ssh: 22
            # ---- ftp: 20


            # Allowed tcp ports
            ALLOWED_TCP="80 443 22 20 25 465 143 993 110 995"
            ALLOWED_TCP="80 443 22"





            # Flush the filter table from INPUT or OUTPUT
            iptables -P INPUT ACCEPT
            iptables -P OUTPUT ACCEPT
            iptables -F


            # Permit loopback interface traffic (because our host is not a router)
            iptables -A INPUT -i lo -j ACCEPT
            iptables -A OUTPUT -o lo -j ACCEPT


            # Drop invalid traffic (good idea since we use the connexion track module)
            iptables -A INPUT -m state --state INVALID -j DROP
            iptables -A OUTPUT -m state --state INVALID -j DROP


            # Allow icmp traffic (ping)
            iptables -A INPUT -p icmp -j ACCEPT
            iptables -A OUTPUT -p icmp -j ACCEPT



            for port in $ALLOWED_TCP
            do
            iptables -A INPUT -p tcp --dport $port -j ACCEPT
            done



            # https://ubuntuforums.org/showthread.php?t=1441483
            # DNS
            iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
            iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT

            # apt-get
            iptables -A INPUT -p tcp --sport 80 -j ACCEPT




            # Permit no more than 50 concurrent connections from the same ip address to our web server
            iptables -A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 50 -j DROP


            # Allow all outgoing valid traffic
            iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


            # Set the default policy to drop
            iptables -P INPUT DROP
            iptables -P OUTPUT DROP
            edited May 8 at 15:05

            answered May 8 at 14:15

            ling

            • This will only work for HTTP traffic, no HTTPS or anything else. And why do you set the default policy two times?
              – Lenniey, May 8 at 14:17

            • So that I can execute the script many times without being blocked outside the server (I did a few tests, and I blocked myself a couple of times, so I figured that since the script is only called once on every reboot, it doesn't matter if I "spend" two more lines defining a policy that I override later in the same script). In other words, as soon as I execute the script for the second time, the policy is still set on DROP, and I get blocked out, whereas with those two first lines, the policy is forced to ACCEPT before and so the rest of the script can continue.
              – ling, May 8 at 14:28

            • 443 is actually https, so it would cover http, https and ssh (but yes, nothing else, but that's just a configurable template...).
              – ling, May 8 at 14:29

            • I meant your added "# apt-get / iptables -A INPUT -p tcp --sport 80 -j ACCEPT" line from before your edit...
              – Lenniey, May 8 at 14:34
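The stateful alternative to the --sport workaround discussed in the comments, as an added example that is not the answer's own script: the source port of an inbound packet is chosen by the remote side, so "--sport 53" and "--sport 80" admit any host that sends from those ports, whereas accepting only packets conntrack has tied to a connection this host opened covers apt-get over HTTP or HTTPS, DNS over UDP and TCP, and any other outbound service with one rule. ALLOWED_TCP and the cap of 50 are taken from the answer; the function and variable names and the dry-run/--apply switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the answer's own script: the same policy rebuilt as a
# stateful ruleset. Inbound packets are accepted only when conntrack has
# matched them to a connection this host opened, so no per-service --sport
# holes are needed. ALLOWED_TCP and the limit of 50 come from the answer;
# the function and variable names are assumptions of this example.
ALLOWED_TCP="${ALLOWED_TCP:-80 443 22}"
WEB_PORTS="80,443"

# Print the rules rather than applying them, so the result can be reviewed
# (or diffed against iptables-save output) before it is loaded.
build_rules() {
    # Re-run safe: open the policies before flushing, so a second run of the
    # script never leaves the host with DROP policies and an empty table.
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP"
    # This single rule replaces every --sport exception (DNS, apt-get, ...).
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    # The per-IP cap must precede the per-port ACCEPT, otherwise the ACCEPT
    # matches first and the cap is never evaluated.
    echo "iptables -A INPUT -p tcp -m multiport --dports $WEB_PORTS -m conntrack --ctstate NEW -m connlimit --connlimit-above 50 -j DROP"
    for port in $ALLOWED_TCP; do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Only now, with every ACCEPT in place, close the default policies.
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
}

# Apply only on explicit request (needs root); the default is a dry run.
case "${1:-}" in
    --apply) build_rules | sh -e ;;
    *)       build_rules ;;
esac
```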