- 06-01-2011 #1
Have a problem with iptables in the ssh part
I have blocked all connections with iptables and allowed only the loopback:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Next I want to allow only ssh connections, and also I want to record the IP address of each attempt to access port 22 using the recent module. Then I want to see if that IP address has attempted to connect 2 or more times within the last 60 seconds, and if not, the packet is accepted:
iptables -A INPUT -p tcp --dport 22 -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 2 --name ssh --rsource -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
The problem is that I probably didn't write it right, so can someone show me what my problem is?
- 06-02-2011 #2
Your problem is that you are using a port-based firewall when you need to be using a stateful firewall. You should be using the NEW, ESTABLISHED and RELATED states so that only the new connections are hitting your rules for checking more than 2 attempts.
- 06-03-2011 #3
Sorry, but I don't know how to do this because I'm really not good at iptables. Is there a way that you could write it down for me?
- 06-03-2011 #4
Here is a quick setup. You might have to refine it to meet your needs.
Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 2 --name ssh --rsource -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "[SSH DROP] : " --log-tcp-options --log-ip-options
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
This should log all SSH connections that are dropped. To see them:
Code:
grep '\[SSH' /var/log/messages
or to see it live:
Code:
tail -F /var/log/messages | grep '\[SSH'
Please be aware that the above firewall rules only allow SSH in and out!
- 06-15-2011 #5
This is the code I wrote:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 2 --name ssh --rsource -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "[SSH DROP] : " --log-tcp-options --log-ip-options
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
I am sure I'm missing something. What I want in the end is that if someone is trying password guessing, block him for X minutes with iptables. I am also doing all this in VMware and trying to connect from one VM to another with ssh. Is the problem because I'm using VMware? Because no matter what I am doing, I am not blocked.
And thanks again for your help.
- 06-15-2011 #6
Your source port isn't going to be 22 when you SSH. It is going to be a higher numbered port, so the rules with sport 22 aren't going to match unless you are forcing your system to use port 22 as outgoing.
You should look at fail2ban if this is what you are looking to do. This program will handle this very well.
- 06-16-2011 #7
You're right, I want the source port to be 22, but still, is there a way to do what I want in iptables and not using fail2ban?
- 06-16-2011 #8
How do you plan on configuring your system to use the source port of 22?
I am just trying to understand why you want to go through the trouble to do this.
- 06-19-2011 #9
What I want is to drop/block all incoming and outgoing connections except for ssh connections. Moreover, I want to block IPs which try to guess my password (after 3 attempts, ban this IP for X minutes/seconds). I saw your suggestion about fail2ban, great suggestion, but I also want to do this on iptables.
- 06-20-2011 #10
OK, the rules I posted above will allow SSH in and out. If you want to block for 'x' amount of time with iptables then you should be looking at the limit match rule and adjust as needed.
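An added example, not code from any post in this thread: a script that emits an iptables-restore ruleset implementing what post #9 asks for (only SSH in and out, and a per-source ban for a configurable time after a configurable number of new SSH connections), built on the stateful structure of the ruleset in post #4. It uses the recent match's --update/--seconds/--hitcount options, which remember and refresh a specific source address; the limit match mentioned in post #10 caps a rate without remembering who was rate-limited. The function name ssh_ban_rules, the list name sshban, the log prefix and the environment variables SSH_PORT, MAX_NEW and BAN_SECONDS are this example's own choices. The modern -m conntrack --ctstate is used in place of the thread's -m state --state; both work.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables-restore ruleset that:
#   - drops everything by default, allows loopback and replies to known connections
#   - allows SSH in (port $port) and SSH out
#   - bans a source for $ban seconds once it has opened $max_new new SSH
#     connections within $ban seconds; every new attempt during the ban
#     refreshes the ban (that is what --update does, as opposed to --rcheck)
# Apply with:   sh ssh_ban.sh | sudo iptables-restore
# Names ssh_ban_rules / sshban / "[SSH BAN] " are this example's assumptions.
#
# xt_recent semantics relied on here: a rule with --set always matches and
# records a timestamp for the source; --rcheck/--update with --seconds N
# --hitcount M match only if the source has M or more timestamps younger than
# N seconds, and --update additionally adds the current packet's timestamp
# when it matches. The check runs before the --set rule, so hitcount M allows
# M connections and drops the (M+1)th. M must not exceed the kernel's
# ip_pkt_list_tot (default 20).
ssh_ban_rules() {
    port=${1:-22}
    max_new=${2:-3}
    ban=${3:-600}
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections that were already allowed (both directions)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# banned source: log (rate-limited, --rcheck does not modify the list), then
# drop and refresh the ban timestamp with --update
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name sshban --rsource --rcheck --seconds $ban --hitcount $max_new -m limit --limit 5/min -j LOG --log-prefix "[SSH BAN] "
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name sshban --rsource --update --seconds $ban --hitcount $max_new -j DROP
# not banned: record this attempt and let the SYN through
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name sshban --rsource --set -j ACCEPT
# outbound SSH from this host; its replies come back via ESTABLISHED above
-A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: parameters from the environment, defaults 22 / 3 / 600.
ssh_ban_rules "${SSH_PORT:-22}" "${MAX_NEW:-3}" "${BAN_SECONDS:-600}"
```

Two checks worth doing after applying it. `cat /proc/net/xt_recent/sshban` lists the addresses the kernel currently remembers with their timestamps, and `echo -192.0.2.10 > /proc/net/xt_recent/sshban` removes one entry (192.0.2.10 is a placeholder address), which is how you lift a ban early. Two caveats: because the DROP rule uses --update, a client that keeps retrying during the ban never ages out; use --rcheck on that rule instead if you want a fixed-length ban. And iptables only sees TCP connections, not password attempts: sshd accepts several guesses per connection (MaxAuthTries, default 6), so either lower MaxAuthTries in sshd_config or let fail2ban, which reads the auth log, count the actual failures.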