I am trying to configure iptables for my CentOS 6 server. I am encountering a problem with New Relic IPs. This is my iptables file:
*filter
#new relic
-A INPUT -s 50.31.164.0/24 -j ACCEPT
-A INPUT -s 103.21.244.0/22 -j ACCEPT
-A INPUT -s 103.22.200.0/22 -j ACCEPT
-A INPUT -s 103.31.4.0/22 -j ACCEPT
-A INPUT -s 104.16.0.0/12 -j ACCEPT
-A INPUT -s 108.162.192.0/18 -j ACCEPT
-A INPUT -s 141.101.64.0/18 -j ACCEPT
-A INPUT -s 162.158.0.0/15 -j ACCEPT
-A INPUT -s 162.247.240.0/22 -j ACCEPT
-A INPUT -s 173.245.48.0/20 -j ACCEPT
-A INPUT -s 188.114.96.0/20 -j ACCEPT
-A INPUT -s 190.93.240.0/20 -j ACCEPT
-A INPUT -s 197.234.240.0/22 -j ACCEPT
-A INPUT -s 198.41.128.0/17 -j ACCEPT
-A INPUT -s 199.27.128.0/21 -j ACCEPT
-A OUTPUT -d 50.31.164.0/24 -j ACCEPT
-A OUTPUT -d 103.21.244.0/22 -j ACCEPT
-A OUTPUT -d 103.22.200.0/22 -j ACCEPT
-A OUTPUT -d 103.31.4.0/22 -j ACCEPT
-A OUTPUT -d 104.16.0.0/12 -j ACCEPT
-A OUTPUT -d 108.162.192.0/18 -j ACCEPT
-A OUTPUT -d 141.101.64.0/18 -j ACCEPT
-A OUTPUT -d 162.158.0.0/15 -j ACCEPT
-A OUTPUT -d 162.247.240.0/22 -j ACCEPT
-A OUTPUT -d 173.245.48.0/20 -j ACCEPT
-A OUTPUT -d 188.114.96.0/20 -j ACCEPT
-A OUTPUT -d 190.93.240.0/20 -j ACCEPT
-A OUTPUT -d 197.234.240.0/22 -j ACCEPT
-A OUTPUT -d 198.41.128.0/17 -j ACCEPT
-A OUTPUT -d 199.27.128.0/21 -j ACCEPT
# Default chain policy
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
COMMIT
Now the problem is that New Relic is blocked, although all of its IPs are opened. If I change the default policy to:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
which practically disables iptables, everything works.
Do you have any suggestions?
It appears as though these rules are intended to make certain your system can communicate with the list of IP addresses listed on New Relic's doc site:
https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/networks
The rules you have now are a good start for allowing communication between your system and New Relic. I can help get the connectivity to New Relic working but I cannot advise you as to what your complete firewall rules should be. Firewalls are a complex subject and certainly not one size fits all.
Please do not consider my additions as making the above list of rules comprehensive.
Now that the disclaimer is out of the way, the likely reason the agent/monitor isn't able to report data to New Relic is that these rules are blocking all DNS lookups.
For any of the application monitors (meaning the Java agent, Ruby agent, etc.) or the Linux Server Monitor to send data to New Relic, a DNS lookup for 'collector.newrelic.com' must be performed. This 'collector' actually redirects the agent or monitor to another system that is the "real" collector.
With the rules listed above, when the application agent or server monitor tries to perform a DNS lookup for 'collector.newrelic.com', it will fail. This failure will prevent the agent or server monitor from reporting any data to New Relic.
You can allow DNS lookups by adding something general like so:
-A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Adding those lines and restarting the firewall should solve the New Relic reporting issue.
One final comment: the iptables rules shown here also prevent all incoming web requests. If you have a website or web application, these rules will prevent anyone from reaching your site. This should also be addressed in your revised list of firewall rules.
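An added example, not part of the question or the answer above: a small Python simulator that walks an iptables-save style ruleset the way the kernel does (each chain top-down, first match wins, default policy otherwise) and checks what happens to a DNS query and its reply, before and after the two DNS rules from the answer are added. The ruleset is a constructed, shortened version of the asker's file (one New Relic range kept), the resolver and host addresses are documentation-range placeholders, and only the options that appear on this page (-s, -d, -p, --sport, --dport, -m state --state, -j, -P) are understood. Connection tracking is not modelled; the packet's state label is taken at face value.

```python
import ipaddress

# Constructed ruleset: the asker's file reduced to a single New Relic
# range (taken from the page) plus the same default DROP policies.
ORIGINAL_RULES = """
*filter
#new relic
-A INPUT -s 50.31.164.0/24 -j ACCEPT
-A OUTPUT -d 50.31.164.0/24 -j ACCEPT
# Default chain policy
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
COMMIT
"""

# The two rules the answer suggests for allowing DNS lookups.
DNS_RULES = """
-A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
"""

def port_range(spec):
    """'53' -> (53, 53); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_rules(text):
    """Parse the subset of iptables-save syntax used on the page.
    Rules stay in file order because a chain is evaluated top-down."""
    chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
    policies = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0][0] in "#*" or tok[0] == "COMMIT":
            continue
        if tok[0] == "-P":                      # default policy for a chain
            policies[tok[1]] = tok[2]
            continue
        if tok[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        rule, i = {"chain": tok[1]}, 2
        while i < len(tok):
            opt = tok[i]
            if opt == "-m":                     # match extension name; skip it
                i += 2
                continue
            val = tok[i + 1]
            if opt == "-s":        rule["src"] = ipaddress.ip_network(val)
            elif opt == "-d":      rule["dst"] = ipaddress.ip_network(val)
            elif opt == "-p":      rule["proto"] = val
            elif opt == "--sport": rule["sport"] = port_range(val)
            elif opt == "--dport": rule["dport"] = port_range(val)
            elif opt == "--state": rule["state"] = set(val.split(","))
            elif opt == "-j":      rule["target"] = val
            else:
                raise ValueError(f"unsupported option: {opt}")
            i += 2
        chains[rule["chain"]].append(rule)
    return chains, policies

def matches(rule, pkt):
    """Every option present on the rule must match the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    for key in ("sport", "dport"):
        if key in rule and not rule[key][0] <= pkt[key] <= rule[key][1]:
            return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True

def verdict(ruleset_text, chain, pkt):
    """First matching rule's target, else the chain's default policy."""
    chains, policies = parse_rules(ruleset_text)
    for rule in chains[chain]:
        if matches(rule, pkt):
            return rule["target"]
    return policies.get(chain, "ACCEPT")        # iptables' built-in default is ACCEPT

def add_dns_rules(ruleset_text):
    """Splice the DNS rules in before COMMIT so the file stays loadable."""
    return ruleset_text.replace("COMMIT", DNS_RULES.strip() + "\nCOMMIT")

HOST, RESOLVER = "198.51.100.10", "192.0.2.53"   # placeholder addresses

def dns_lookup_verdicts(ruleset_text):
    """(OUTPUT verdict for the query, INPUT verdict for the reply)."""
    query = {"src": HOST, "dst": RESOLVER, "proto": "udp", "sport": 40000, "dport": 53, "state": "NEW"}
    reply = {"src": RESOLVER, "dst": HOST, "proto": "udp", "sport": 53, "dport": 40000, "state": "ESTABLISHED"}
    return verdict(ruleset_text, "OUTPUT", query), verdict(ruleset_text, "INPUT", reply)

def collector_verdicts(ruleset_text, collector="50.31.164.10"):
    """Same check for HTTPS to an address inside the allowed New Relic range."""
    out = {"src": HOST, "dst": collector, "proto": "tcp", "sport": 40001, "dport": 443, "state": "NEW"}
    back = {"src": collector, "dst": HOST, "proto": "tcp", "sport": 443, "dport": 40001, "state": "ESTABLISHED"}
    return verdict(ruleset_text, "OUTPUT", out), verdict(ruleset_text, "INPUT", back)

if __name__ == "__main__":
    print("collector traffic, original rules:", collector_verdicts(ORIGINAL_RULES))
    print("DNS lookup, original rules:       ", dns_lookup_verdicts(ORIGINAL_RULES))
    print("DNS lookup, with DNS rules:       ", dns_lookup_verdicts(add_dns_rules(ORIGINAL_RULES)))
```

Running it shows the point the answer makes: traffic to the allowed New Relic range is accepted both ways under the original file, while the DNS query and its reply both hit the DROP policies until the two DNS rules are present. Paste your full ruleset into ORIGINAL_RULES to check other flows (for example an inbound web request on port 80) before loading a revised file with iptables-restore.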