can't allow ssh :(

**burkass** · 10-31-2008

i have a problem from my iptables rule

this is my rule
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535
ACCEPT icmp -- 192.168.0.0/24 192.168.0.2 icmp type 8 state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 state RELATED,ESTABLISHED
ACCEPT all -- 127.0.0.1 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0
ACCEPT tcp -- 192.198.0.0/24 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:5050

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED multiport dports 80,443 multiport sports 1024:65535
ACCEPT icmp -- 192.168.0.2 192.168.0.0/24 icmp type 0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW,RELATED,ESTABLISHED

i want to allow ssh port with
iptables -A INPUT -p tcp -s 0/0 -d 202.169.231.47 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.169.231.47 -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

but still don't work
can you tell me why this is happen

**burkass** · 10-31-2008

hmm i just have the solution but i am not sure this is a short way

here it is
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

so, what is your opinion ?

are there any better solutions ?

**davidanand** · 10-31-2008

-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

-A PREROUTING -i eth0 -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A INPUT -i eth0 -p tcp -m tcp --sport 22 --dport 513:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s xx.xx.xx.xx -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT

**burkass** · 11-01-2008

^ i have two network to use ssh

one of my local network and internet network...

btw can you explain that rule ?

**davidanand** · 11-01-2008

just allow the port 22 on the machine and if you are continuously facing issue take a backup of the current iptables and flush the rules put it back

Thread Tools

Display

can't allow ssh :(

Posting Permissions