Old 09-24-2012, 10:19 AM   #1
m4rtin
Member
 
Registered: Sep 2007
Posts: 261

Rep: Reputation: 16
Question appending iptables rules interrupts sshd


If I log into a remote machine over SSH, execute screen(1) and start the following commands:

Code:
root@s1:~# iptables -t filter -A INPUT -s 10.10.10.0/24 -i eth1 -j ACCEPT; iptables -t filter -A INPUT -i eth1 -j DROP; iptables-save; sleep 30; iptables -t filter -F INPUT
# Generated by iptables-save v1.4.12.2 on Mon Sep 24 10:46:46 2012
*nat
:PREROUTING ACCEPT [896:73953]
:INPUT ACCEPT [358:24932]
:OUTPUT ACCEPT [382:25732]
:POSTROUTING ACCEPT [382:25732]
COMMIT
# Completed on Mon Sep 24 10:46:46 2012
# Generated by iptables-save v1.4.12.2 on Mon Sep 24 10:46:46 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.10.10.0/24 -i eth1 -j ACCEPT
-A INPUT -i eth1 -j DROP
COMMIT
# Completed on Mon Sep 24 10:46:46 2012
root@s1:~#

..my current SSH session from the 10.10.10.0/24 network hangs for 30 seconds and I'm not able to start new SSH sessions to the "s1" server from the 10.10.10.0/24 network. On the other hand, I'm able to ping the "s1" server from 10.10.10.0/24, and "nmap -PN -sT --reason -p22 s1" reports that port 22 is open:

Code:
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
If I execute "ssh -v root@s1" from the 10.10.10.0/24 network during this 30s window before flushing the INPUT filter rules, the last debug messages are:

Code:
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
Has anyone seen such behavior where appending iptables rules affects sshd behavior? Or am I doing something wrong?
 
Old 09-24-2012, 10:43 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by m4rtin View Post
Or am I doing something wrong?
Well, to start with, your rule set is incomplete to the point where adding any -j ACCEPT rules is pointless. With a filter table default chain policy set to DROP you're supposed to add -j ACCEPT rules, and conversely -j DROP rules when using a default ACCEPT policy...
 
Old 09-24-2012, 01:58 PM   #3
m4rtin
Member
 
Registered: Sep 2007
Posts: 261

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by unSpawn View Post
Well, to start with, your rule set is incomplete to the point where adding any -j ACCEPT rules is pointless. With a filter table default chain policy set to DROP you're supposed to add -j ACCEPT rules, and conversely -j DROP rules when using a default ACCEPT policy...
ok, but in case of such rules:

Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.10.10.0/24 -i eth1 -j ACCEPT
-A INPUT -i eth1 -j DROP
COMMIT
..I should be able to access "s1" over SSH from 10.10.10.0/24, shouldn't I? In addition, as I said, I'm able, for example, to telnet to port 22 or confirm with nmap that it's open.
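The reply above describes the structural problem with this ruleset (a default-ACCEPT policy with a catch-all DROP rule, and no rule at all for return traffic). The following checker, an added example that is not from the thread or from any of its posters, parses iptables-save text for the filter table and flags both conditions; the POSTED text is the ruleset quoted above, and HARDENED is a constructed counterpart that follows the reply's advice. The function and sample names are the example's own.

```python
import re
# Constructed sample: the *filter table exactly as the thread's iptables-save output shows it.
POSTED = """*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.10.10.0/24 -i eth1 -j ACCEPT
-A INPUT -i eth1 -j DROP
COMMIT
"""
# Constructed counterpart built as the reply describes: policy DROP, explicit ACCEPTs, plus a
# conntrack rule so that replies to connections the host itself opens are still let in on eth1.
HARDENED = """*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.10.0/24 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, [rule dicts]) for the *filter table of iptables-save text."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"   # ignore the nat/mangle/raw tables
        elif not in_filter or line.startswith(("#", "COMMIT")):
            continue
        elif line.startswith(":"):                   # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            chain, match, target = re.match(r"-A (\S+)(.*?) -j (\S+)$", line).groups()
            rules.append({"chain": chain, "match": match.strip(), "target": target})
    return policies, rules

def audit_input(text):
    """Flag the two structural weaknesses of the posted INPUT chain; [] means clean."""
    policies, rules = parse_filter(text)
    inp = [r for r in rules if r["chain"] == "INPUT"]
    findings = []
    # A DROP/REJECT that matches on nothing more specific than an interface is a catch-all.
    catch_all = [r for r in inp if r["target"] in ("DROP", "REJECT")
                 and not re.search(r"(^| )(-s|-d|-p|-m|--dport|--sport) ", r["match"])]
    if policies.get("INPUT") == "ACCEPT" and catch_all:
        findings.append("INPUT policy is ACCEPT and filtering relies on a catch-all DROP; use policy DROP with explicit ACCEPTs")
    if not any(re.search(r"--(ct)?state \S*ESTABLISHED", r["match"]) for r in inp):
        findings.append("no ESTABLISHED,RELATED rule: replies to connections this host opens pass only if an explicit ACCEPT happens to match")
    return findings
```

Run it against the real thing with `audit_input(open("/path/to/iptables-save.txt").read())`; an empty list means neither pattern is present.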
 
Old 09-24-2012, 02:13 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Well you executed "ssh -v root@s1", never mind you logging in as root (for now), so if you want to read the other part of the story, next to 'ssh -vvv' you should also execute 'sshd -ddd'.
 