Web 服务器：Postgresql + Iptables -> 允许来自本地主机

我有一个 Web 服务器：Debian 9 + Postgres 9.6 + Apache 2.4.25

我已经创建了一个包含 iptables 配置的 bash 脚本：

!/bin/bash

# IP Server
IP="192.168.0.18"

# Restart default config
iptables -F
iptables -X
iptables -Z

# Enable different protections to kernel
#
# Ignore broadcast icmp
echo -n '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routing
echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirects
echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_redirects
# Protection to "bad error messages"
echo -n '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable ip forwarding
echo -n '0' > /proc/sys/net/ipv4/ip_forward
# Login "source routed" and redirects
echo -n '1' >/proc/sys/net/ipv4/conf/all/log_martians

# Default, deny INPUT y FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Allow outgoing traffic
iptables -P OUTPUT ACCEPT

# Deny new TCP connections not started with SYN
iptables -A INPUT -i ens192 -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "TCP RST,ACK,FIN"
iptables -A INPUT -i ens192 -p tcp ! --syn -m state --state NEW -j DROP

# Deny fragments
iptables -A INPUT -i ens192 -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragment Packets"
iptables -A INPUT -i ens192 -f -j DROP

# Deny souspicius packages
iptables -A INPUT -i ens192 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i ens192 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i ens192 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Deny NULL packets
iptables -A INPUT -i ens192 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
iptables -A INPUT -i ens192 -p tcp --tcp-flags ALL NONE -j DROP

# Deny packages "Christmas tree"
iptables -A INPUT -i ens192 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
iptables -A INPUT -i ens192 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Deny attacks Fin Scan
iptables -A INPUT -i ens192 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
iptables -A INPUT -i ens192 -p tcp --tcp-flags FIN,ACK FIN -j DROP

# Validate flags TCP
iptables -A INPUT -i ens192 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Deny invalids packages
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Allow all lo interface
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ping
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# Allow port 22 (SSH)
iptables -A INPUT -p tcp -d $IP --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT

# Allow port 443 (HTTPS)
iptables -A INPUT -p tcp -d $IP --sport 1024:65535 --dport 443 -m state --state NEW -j ACCEPT

# Allow 80 (HTTP)
#iptables -A INPUT -p tcp -d $IP --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow POSTGRES remote console from IP

iptables -A INPUT -m state --state NEW -p tcp -s 192.168.0.4/32 --dport 5432 -j ACCEPT 

# Allow connections POSTGRES from localhost

#iptables -A INPUT -p tcp -d $IP --sport 1024:65535 --dport 5432 -m state --state NEW -j ACCEPT

# Log and deny
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A INPUT -j DROP

# Deny all outgoing traffic except established connections

iptables -P OUTPUT DROP
iptables -A OUTPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow outgoing traffic HTTPS
iptables -A OUTPUT -s $IP -p tcp --sport 1024:65535 --dport 443 -m state --state NEW -j ACCEPT

# Allow outgoing traffic 80
iptables -A OUTPUT -s $IP -p tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT

# Allow outgoing traffic ping
iptables -A OUTPUT -p icmp --icmp-type 8 -s $IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing traffic DNS
iptables -A OUTPUT -s $IP -p tcp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -s $IP -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

我无法从托管在此服务器上的我的网站登录 :(

Web服务器日志的错误信息是：

[Tue Mar 27 12:53:30.690759 2018] [:error] [pid 1853] [client 192.168.0.4:58098] PHP Warning:  pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: Connection timed out\n\tIs the server running on host "localhost" (127.0.0.1) and accepting\n\tTCP/IP connections on port 5432?\ncould not connect to server: Cannot assign requested address\n\tIs the server running on host "localhost" (::1) and accepting\n\tTCP/IP connections on port 5432?

问题肯定是 iptables 配置，因为我禁用 iptables，登录仍然正常。

请问你能帮帮我吗？