  1. #1
    Just Joined!
    Join Date
    Jun 2011
    Posts
    5

    Question: I have a problem with iptables, in the ssh part


    I have blocked all connection with iptables and allowed only the loopback:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    Next I want to allow only ssh connections, and I also want to record the IP address of each attempt to access port 22 using the recent module. Then I want to see if that IP address has attempted to connect 2 or more times within the last 60 seconds, and if not, the packet is accepted:
    iptables -A INPUT -p tcp --dport 22 -m recent --set --name ssh --rsource
    iptables -A INPUT -p tcp --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 2 --name ssh --rsource -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --sport 22 -j ACCEPT
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP

    The problem is that I probably didn't write it right, so can someone show me what my problem is?

  2. #2
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Your problem is you are using a port based firewall when you need to be using a stateful firewall. You should be using NEW, ESTABLISHED and RELATED so that only the new connections are hitting your rules for checking more than 2 attempts.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Sorry, but I don't know how to do this because I'm really not good at iptables. Is there a way that you could write it down for me?

  4. #4
    Linux Guru Lazydog
    Here is a quick setup. You might have to refine it to meet your needs.

    Code:
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 2 --name ssh --rsource -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j LOG  --log-prefix "[SSH DROP] : " --log-tcp-options --log-ip-options
    
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    This should log all SSH connections that are dropped. To see them:

    Code:
    grep '\[SSH' /var/log/messages
    or to see it live
    Code:
    tail -F /var/log/messages | grep '\[SSH'
    Please be aware that the above firewall rules only allow SSH in and out!

    Regards
    Robert

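Beyond grepping the prefix, the kernel LOG lines that the `--log-prefix "[SSH DROP] : "` rule above produces can be parsed and summarised per source address. The following Python is an added example, not code from the thread: it parses the KEY=value fields of netfilter LOG output, counts dropped new SSH connections per SRC, and flags sources above a threshold. The sample log text is constructed in the LOG target's format; the host name, interface, MAC and addresses in it are made up.

```python
import re
from collections import Counter

PREFIX = "[SSH DROP] : "               # the --log-prefix used in the rules above
KV_RE = re.compile(r"(\w+)=(\S*)")     # netfilter LOG fields look like KEY=value

# Constructed sample of /var/log/messages in the netfilter LOG target's line
# format. Host name, interface, MAC and addresses are made up (RFC 5737 ranges).
MAC = "MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00"
SAMPLE_LOG = "\n".join([
    f"Jun 12 09:14:02 vm2 kernel: [ 1822.611] {PREFIX}IN=eth0 OUT= {MAC} SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    f"Jun 12 09:14:09 vm2 kernel: [ 1829.402] {PREFIX}IN=eth0 OUT= {MAC} SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    f"Jun 12 09:14:15 vm2 kernel: [ 1835.118] {PREFIX}IN=eth0 OUT= {MAC} SRC=198.51.100.7 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9001 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jun 12 09:14:20 vm2 sshd[1234]: Accepted publickey for alice from 192.0.2.30 port 52000 ssh2",
    f"Jun 12 09:14:31 vm2 kernel: [ 1851.930] {PREFIX}IN=eth0 OUT= {MAC} SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
])


def parse_drop_line(line):
    """Return the interesting KEY=value fields of one '[SSH DROP]' LOG line,
    or None if the line does not carry our prefix (matched literally, so a
    stray '[' cannot turn into a bracket expression as it does with grep)."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields = dict(KV_RE.findall(line[idx + len(PREFIX):]))
    # Bare flags such as DF and SYN carry no '=' and are not captured.
    return {k: fields.get(k) for k in ("SRC", "DST", "PROTO", "SPT", "DPT")}


def drops_per_source(log_text):
    """Count dropped new TCP connections to port 22 per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_drop_line(line)
        if rec and rec["PROTO"] == "TCP" and rec["DPT"] == "22":
            counts[rec["SRC"]] += 1
    return dict(counts)


def noisy_sources(log_text, threshold=3):
    """Sources with at least `threshold` drops, sorted, for a closer look."""
    return sorted(src for src, n in drops_per_source(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in drops_per_source(SAMPLE_LOG).items():
        print(f"{src:>16}  {n} dropped SSH attempt(s)")
    print("above threshold:", noisy_sources(SAMPLE_LOG))
```

On a live system the same functions can be fed the output of `tail -F /var/log/messages` line by line; the SPT field confirms what post #6 says about source ports, since every dropped attempt arrives from a high-numbered port, not from 22.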

  5. #5
    Just Joined!
    This is the code I wrote:

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 2 --name ssh --rsource -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "[SSH DROP] : " --log-tcp-options --log-ip-options

    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    I am sure I'm missing something. What I want in the end is that if someone is trying password guessing, block him for X minutes with iptables. I am also doing all this in VMware and trying to connect from one VM to another with ssh. Is the problem because I'm using VMware? Because no matter what I am doing, I am not blocked.
    And thanks again for your help.

  6. #6
    Linux Guru Lazydog
    Quote Originally Posted by mlmanlookma
    This is the code I wrote:

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    Your source port isn't going to be 22 when you SSH. It is going to be a higher numbered port so the rules with sport 22 aren't going to match unless you are forcing your system to use port 22 as outgoing.

    I am sure I'm missing something. What I want in the end is that if someone is trying password guessing, block him for X minutes with iptables. I am also doing all this in VMware and trying to connect from one VM to another with ssh. Is the problem because I'm using VMware? Because no matter what I am doing, I am not blocked.
    And thanks again for your help.
    You should look at fail2ban if this is what you are looking to do. This program will handle this very well.

    Regards
    Robert


  7. #7
    Just Joined!
    You're right, I want the source port to be 22, but still, is there a way to do what I want in iptables without using fail2ban?

  8. #8
    Linux Guru Lazydog
    How do you plan on configuring your system to use the source port of 22?
    I am just trying to understand why you want to go through the trouble to do this.

    Regards
    Robert


  9. #9
    Just Joined!
    What I want is to drop/block all incoming and outgoing connections except for ssh connections. Moreover, I want to block IPs which try to guess my password (after 3 attempts, ban this IP for X minutes/seconds). I saw your suggestion about fail2ban (great suggestion), but I also want to do this in iptables.

  10. #10
    Linux Guru Lazydog
    OK, the rules I posted above will allow SSH in and out. If you want to block for 'x' amount of time with iptables then you should be looking at the limit match rule and adjust as needed.

    Regards
    Robert

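Posts #4 and #10 both rely on the `recent` match with `--seconds` and `--hitcount`, and the thread never shows how its per-source hit list behaves across a series of connections. The Python below is an added example, not code from the thread or from netfilter: it models one `recent` list the way xt_recent keeps it (`--set` records a hit; `--rcheck` matches when at least `--hitcount` hits fall within the last `--seconds`; `--update` does the same and records a hit when it matches) and walks three chains over the same constructed sequence of NEW SSH connections from one source. The chains are the one from post #4, the one from post #5 with its unconditional `--dport 22 -j ACCEPT` above the recent rules, and a ban-for-X-seconds chain built from `--update` (a standard recent-module pattern, not one posted in the thread). The source address and arrival times are made up.

```python
"""Simulate the iptables 'recent' match (--set / --rcheck / --update with
--seconds and --hitcount) over a constructed series of NEW SSH connections.
Added example, not code from the thread or from netfilter: it models the
per-source stamp list kept by xt_recent, not the rest of the packet path."""

SRC = "192.0.2.10"          # constructed source address (RFC 5737 range)
# Constructed arrival times (seconds) of NEW connections from SRC.
ATTEMPTS = [0, 10, 30, 70, 131, 200, 300, 720]


class RecentList:
    """One named list (--name ssh --rsource): source address -> hit timestamps."""

    def __init__(self):
        self.stamps = {}

    def hits_in_window(self, src, now, seconds):
        # A hit counts while it is no older than `seconds`.
        return sum(1 for s in self.stamps.get(src, ()) if now - s <= seconds)

    def set(self, src, now):
        # --set: add the address, or record one more hit if already listed.
        self.stamps.setdefault(src, []).append(now)
        return True

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck: match if the address has >= hitcount hits in the last `seconds`.
        return src in self.stamps and self.hits_in_window(src, now, seconds) >= hitcount

    def update(self, src, now, seconds, hitcount):
        # --update: like --rcheck, but a successful match also records a hit.
        if self.rcheck(src, now, seconds, hitcount):
            self.stamps[src].append(now)
            return True
        return False


# A chain is a list of (match, target); match(src, now, recent) -> bool.
# ACCEPT and DROP end evaluation; LOG and None (rule without -j) fall through.

def post4_chain(seconds=60, hitcount=2):
    """Post #4: --set, then '! --rcheck' -> ACCEPT, then LOG, then policy DROP."""
    return [
        (lambda s, n, r: r.set(s, n), None),
        (lambda s, n, r: not r.rcheck(s, n, seconds, hitcount), "ACCEPT"),
        (lambda s, n, r: True, "LOG"),
    ]


def post5_chain():
    """Post #5: the same rules appended after an unconditional
    '-p tcp --dport 22 -j ACCEPT', which is evaluated first."""
    return [(lambda s, n, r: True, "ACCEPT")] + post4_chain()


def ban_chain(seconds=600, hitcount=4):
    """Ban pattern (not from the thread): '--update --seconds 600 --hitcount 4
    -j DROP' placed above '--set -j ACCEPT'. Attempts during the ban add hits."""
    return [
        (lambda s, n, r: r.update(s, n, seconds, hitcount), "DROP"),
        (lambda s, n, r: r.set(s, n), "ACCEPT"),
    ]


def run(chain, attempts=ATTEMPTS, src=SRC, policy="DROP"):
    """Return the verdict for each NEW connection, in arrival order."""
    recent = RecentList()
    verdicts = []
    for now in attempts:
        verdict = policy
        for match, target in chain:
            # match() runs for every rule reached, so a --set rule has its
            # side effect even though it has no terminating target.
            if match(src, now, recent) and target in ("ACCEPT", "DROP"):
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for name, chain in (("post #4", post4_chain()), ("post #5", post5_chain()),
                        ("ban 600s/4", ban_chain())):
        print(f"{name:>10}:", ", ".join(f"t={t}:{v}" for t, v in zip(ATTEMPTS, run(chain))))
```

Two things the run makes visible. Rules are evaluated top to bottom, so the post #5 ordering accepts every attempt before the recent rules are ever consulted, which matches the "no matter what I am doing, I am not blocked" symptom. With `--update`, every attempt made during the ban adds another hit, so a source that keeps retrying keeps itself banned, while a source that goes quiet ages out after the window. Both chains count new TCP connections, not password prompts: several guesses inside one SSH session are a single hit to the recent match, which is why fail2ban, working from sshd's own log, sees cases this cannot.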
