#1  sarumont (Linux Guru; joined Apr 2003; location /dev/urandom; 3,682 posts)

    IPTables Rules


    I have an iptables script that I've used for a while now without problems (well... except when I moved to a new apartment and forgot to change the DNS IPs to allow the new ones to get through; I ran without a firewall for a while until I could figure it out). Now, however, I cannot ssh to my box from my laptop. Here is the script (the pertinent parts anyway):

    Code:
    #!/bin/sh
    
    # network-facing interface
    iface='eth0'
    
    # flush all rules, delete user-defined chains, zero the counters
    iptables -F
    iptables -X
    iptables -Z
    
    # default-deny on every chain
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    
    #iptables -A INPUT -m state --state INVALID -j DROP
    
    #ALLOW DNS UDP (replies from the two resolvers, matched on their source port 53)
    iptables -A INPUT -i $iface -p udp -s 207.230.75.34 --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i $iface -p udp -s 207.230.75.50 --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    iptables -A OUTPUT -o $iface -p udp -d 207.230.75.34 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $iface -p udp -d 207.230.75.50 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    #ALLOW LOOPBACK
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    #ALLOW ICMP OUT AND BACK (echo replies are tracked as ESTABLISHED by conntrack)
    iptables -A OUTPUT -o $iface -p icmp -j ACCEPT
    iptables -A INPUT -i $iface -p icmp -m state --state ESTABLISHED -j ACCEPT
    
    #ALLOW SSH (matches on the remote side's *source* port, not the local sshd port)
    iptables -A INPUT -i $iface -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $iface -p tcp --dport 22 -j ACCEPT
    
    #ALLOW FTP (outbound client sessions only; inbound side is ESTABLISHED,RELATED)
    iptables -A INPUT -i $iface -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o $iface -p tcp --dport 21 -j ACCEPT
    
    #ALLOW SFTP
    #iptables -A INPUT -i $iface -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    #iptables -A OUTPUT -o $iface -p tcp --dport 22 -j ACCEPT
    Anyone know what could be going wrong?
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

#2  Jason (Linux Guru; joined Apr 2003; location London, UK; 3,284 posts)

    Re: IPTables Rules

    This script is running on the box you want to SSH TO?

    Quote Originally Posted by sarumont
    Code:
    #ALLOW SSH
    iptables -A INPUT -i $iface -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $iface -p tcp --dport 22 -j ACCEPT

    Change to:
    Code:
    #ALLOW SSH
    iptables -A INPUT -i $iface -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    As I am a lazy person, I would say have a rule like:
    Code:
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    Which allows all established connections to pass happily. Just block the connection from starting if you don't want it to go ahead in the first place.

    Jason
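An added example (mine, not sarumont's script or Jason's reply) of the ruleset Jason describes, carried through for both chains. The posted OUTPUT rule for SSH matches `--dport 22`, which is outbound client traffic; with OUTPUT policy DROP, sshd's own replies leave with source port 22 and match nothing, so fixing the INPUT side alone can still leave the box unreachable. The script below therefore puts the generic ESTABLISHED,RELATED rule in OUTPUT as well. It assumes interface eth0, sshd on port 22 and the two resolver addresses from the first post (all overridable from the environment); `-m conntrack --ctstate` is the current spelling of the thread's `-m state --state`.

```shell
#!/bin/sh
# Added example, not the thread's script: a stateful ruleset for a box that
# runs sshd. Inbound SSH is matched on --dport (the port sshd listens on),
# and ESTABLISHED/RELATED is passed generically in BOTH chains, because OUTPUT
# also has policy DROP and must let the server's replies out.
# Assumptions (overridable from the environment): interface eth0, sshd on
# port 22, resolver addresses from the original post.

IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
DNS_SERVERS="${DNS_SERVERS:-207.230.75.34 207.230.75.50}"

# emit_rules -- print the iptables commands one per line without running
# them, so the ruleset can be reviewed or diffed before it is applied.
emit_rules() {
    cat <<EOF
# default-deny first, then flush: no window with an ACCEPT policy and no rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
iptables -X
iptables -Z
# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# packets of an already-tracked connection, in both directions; the OUTPUT
# copy is what lets sshd's SYN-ACK (source port $SSH_PORT) leave the box
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# inbound SSH: match the *destination* port sshd listens on, NEW only;
# the client's source port is ephemeral and chosen by the client
iptables -A INPUT -i $IFACE -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# outbound: new DNS queries to the configured resolvers only
EOF
    for ns in $DNS_SERVERS; do
        echo "iptables -A OUTPUT -o $IFACE -p udp -d $ns --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# outbound ping and outbound SSH client sessions; their replies come back
# through the ESTABLISHED rule in INPUT
iptables -A OUTPUT -o $IFACE -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# apply_rules -- run the emitted commands as root; stops at the first failure
apply_rules() {
    emit_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     emit_rules ;;
esac
```

Run it with no argument to print the rules for review, and with `apply` (as root) to load them. If you load it over SSH, the current session survives because its conntrack entry is already ESTABLISHED by the time the generic rule is appended; there is no `--sport` match anywhere in the INPUT chain.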

  3. #3
    Linux Guru sarumont's Avatar
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682
    I changed it to --dport, but still no joy.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

#4  (Just Joined!; joined Oct 2003; 24 posts)
    Do you have sshd running on the firewall? iptables -L will show you what ports are open, listening, etc.

#5  sarumont (Linux Guru; joined Apr 2003; location /dev/urandom; 3,682 posts)
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     udp  --  ns1.deltacom.net     anywhere           udp spt:domain state NEW,ESTABLISHED
    ACCEPT     udp  --  ns2.deltacom.net     anywhere           udp spt:domain state NEW,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere           state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh state NEW,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ftp state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:www state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:smtp state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:pop3 state ESTABLISHED
    ACCEPT     udp  --  anywhere             anywhere           udp spts:33434:33523 dpts:32769:65535 state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp spts:4000:4007 state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:5190 state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp spts:6665:ircd state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:5222 state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:https state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:rsync state ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:9898 state ESTABLISHED
    Yes, ssh is listening.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy
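Two checks a practitioner would want at this point: `iptables -L -n -v` (the posted listing was taken without `-n -v`, so interfaces and per-rule packet counters are hidden; a counter that stays at zero on the `dpt:ssh` rule means the SYN never reaches it), and `ss -tlnp` or `netstat -tlnp` to confirm sshd is actually bound, since `iptables -L` shows filter rules, not listening sockets. Beyond that, the listing above only shows INPUT; the OUTPUT chain from the first post still passes SSH by `--dport 22` only, so sshd's replies have no rule to match. The following is an added example (mine, not from the thread) that lints an `iptables-save` dump for exactly those two patterns: an INPUT rule accepting NEW by `--sport`, and an OUTPUT chain with policy DROP and no rule for the server's replies. Both dumps inside it are constructed to mirror the posted script and a corrected one; sshd is assumed to be on port 22.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save dump for the two
# mistakes that keep inbound SSH from working in the posted script.
#   1. an INPUT rule that ACCEPTs NEW connections matched on --sport: the
#      remote client picks its source port, so this never matches an inbound
#      SSH SYN, and accepting NEW by source port is trivially spoofable;
#   2. an OUTPUT chain with policy DROP and no rule that lets sshd's replies
#      (ESTABLISHED traffic, or --sport <ssh port>) back out.
# Assumption: sshd listens on SSH_PORT (default 22).

SSH_PORT="${SSH_PORT:-22}"

# lint_rules [file] -- reads iptables-save output from the file or stdin,
# prints one line per finding, and returns the number of findings.
lint_rules() {
    awk -v port="$SSH_PORT" '
        # 1. NEW accepted on a source-port match in INPUT
        /^-A INPUT / && /-j ACCEPT/ && /--sport/ && /NEW/ {
            print "WARN: INPUT accepts NEW by source port: " $0; n++
        }
        # remember the OUTPUT policy
        /^:OUTPUT DROP/ { out_drop = 1 }
        # an OUTPUT rule that would pass the server side of an SSH session:
        # explicitly by --sport <port>, or a generic ESTABLISHED rule that is
        # not narrowed to one protocol or host
        /^-A OUTPUT / && /-j ACCEPT/ {
            if ($0 ~ ("--sport " port "( |$)")) out_reply = 1
            else if (/ESTABLISHED/ && !/ -p / && !/ -d / && !/ -s /) out_reply = 1
        }
        END {
            if (out_drop && !out_reply) {
                print "WARN: OUTPUT policy DROP but no rule passes sshd replies (ESTABLISHED or --sport " port ")"; n++
            }
            exit n
        }' "$@"
}

# Constructed iptables-save dump mirroring the script in the first post
# (after the --sport 22 -> --dport 22 change was NOT yet made).
BROKEN_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 207.230.75.34/32 -i eth0 -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 207.230.75.34/32 -o eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed dump of a corrected ruleset: --dport for inbound SSH, generic
# ESTABLISHED,RELATED in both chains.
FIXED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

demo() {
    echo "== ruleset as posted (constructed iptables-save dump) =="
    printf '%s\n' "$BROKEN_DUMP" | lint_rules || echo "findings: $?"
    echo "== corrected ruleset =="
    printf '%s\n' "$FIXED_DUMP" | lint_rules && echo "findings: none"
}
demo
```

On a live box, run `iptables-save | lint_rules` (as root). The heuristic for the OUTPUT side is deliberately strict: an ESTABLISHED rule narrowed to one protocol or host, like the DNS reply rule in the posted script, does not count as covering sshd's replies.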
