Find the answer to your Linux question:
Results 1 to 5 of 5
I have an iptables script that I've used for awhile now without problems (well...except when I moved to a new apt. and forgot to change the DNS IPs to allow ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. 10-24-2003 #1
    sarumont
    sarumont is offline
    Linux Guru sarumont's Avatar
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682

    IPTables Rules

    I have an iptables script that I've used for awhile now without problems (well...except when I moved to a new apt. and forgot to change the DNS IPs to allow the new ones to get through (I ran w/o a fwall for awhile until I could figure it out) ). Now, however, I cannot ssh to my box from my laptop. Here is the script (the pertinent parts anyways):

    Code:
    /bin/sh

iface='eth0'

iptables -F
iptables -X
iptables -Z

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#iptables -A INPUT -m state --state INVALID -j DROP

#ALLOW DNS UDP
iptables -A INPUT -i $iface -p udp -s 207.230.75.34 --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $iface -p udp -s 207.230.75.50 --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o $iface -p udp -d 207.230.75.34 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $iface -p udp -d 207.230.75.50 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

#ALLOW LOOPBACK
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#ALLOW ICMP OUT AND BACK
iptables -A OUTPUT -o $iface -p icmp -j ACCEPT
iptables -A INPUT -i $iface -p icmp -m state --state ESTABLISHED -j ACCEPT

#ALLOW SSH
iptables -A INPUT -i $iface -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $iface -p tcp --dport 22 -j ACCEPT

#ALLOW FTP
iptables -A INPUT -i $iface -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $iface -p tcp --dport 21 -j ACCEPT

#ALLOW SFTP
#iptables -A INPUT -i $iface -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $iface -p tcp --dport 22 -j ACCEPT
    Anyone know what could be going wrong?
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy
    Reply With Quote Reply With Quote
  2. 10-24-2003 #2
    jasonlambert
    jasonlambert is offline
    Linux Guru
    Join Date
    Apr 2003
    Location
    London, UK
    Posts
    3,284

    Re: IPTables Rules

    This script is running on the box to want to SSH TO?

    Quote Originally Posted by sarumont
    Code:
    #ALLOW SSH
iptables -A INPUT -i $iface -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $iface -p tcp --dport 22 -j ACCEPT

    Change to:
    Code:
    #ALLOW SSH
iptables -A INPUT -i $iface -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    As i am a lazy person, i would say have a rule like:
    Code:
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    Which allows all established connections to pass happily. Just block the connection from starting if you dont want it to go ahead in the first place.

    Jason
    Reply With Quote Reply With Quote
  3. 10-26-2003 #3
    sarumont
    sarumont is offline
    Linux Guru sarumont's Avatar
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682
    I changed it to --dport, but still no joy.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy
    Reply With Quote Reply With Quote
  4. 10-29-2003 #4
    PhedUp
    PhedUp is offline
    Just Joined!
    Join Date
    Oct 2003
    Posts
    24
    Do you have sshd running on the firewall? iptables -L will show you what ports are open, listening, etc.
    Reply With Quote Reply With Quote
  5. 10-30-2003 #5
    sarumont
    sarumont is offline
    Linux Guru sarumont's Avatar
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682
    Code:
    Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  ns1.deltacom.net     anywhere           udp spt:domain state NEW,ESTABLISHED
ACCEPT     udp  --  ns2.deltacom.net     anywhere           udp spt:domain state NEW,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere           state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ftp state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:www state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:smtp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:pop3 state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere           udp spts:33434:33523 dpts:32769:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spts:4000:4007 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:5190 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spts:6665:ircd state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:5222 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:rsync state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:9898 state ESTABLISHED
    Yes, ssh is listening.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules