Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
since there's no REJECT rules in the script, i'd have to say i believe the issue is at 172.16.0.2 (maybe there isn't even an ssh daemon running at that address)...
if the packet was getting dropped by this script you'd be getting a timeout and not a refusal...
hehe... still, the script you had was a mess, i know the one i posted will work much better for you, and it's much cleaner so you'll be able to understand it better... let me know if you have any questions about the script (or about iptables in general) and i'll be glad to do my best and answer them to help you get the hang of iptables...
Some thing is wrong with 172.16.0.2. It should work at the first time you gave the code, if I could enabled ip_forward. There are so many things I need to know to solve a single prolbem. If I don't know enought, I cann't even find out what causes the problem.
One last thing. I'm really like playing with firewall. Do you know any good resource to learn iptables. (not doc on the http://netfilter.org. all the docs are leaking details of explanation for what's really going on).
Hi, win32sux. I've got the forward and nat working properly. BUT, There is still one thing bothering me for a long time.
Code:
# (1) allow ssh from ralf to client1
$IPTABLES -A INPUT -i $EthernetIface -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $EthernetIface -p tcp --dport 22 -j ACCEPT
# (2) allow ssh from client1 to ralf
$IPTABLES -A INPUT -i $EthernetIface -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $EthernetIface -p tcp --sport 22 -j ACCEPT
The above code is the partial code I wrote originally by myself. In order to allow ssh from ralf to client1, I need to specify the first rule in the firewall. The thing I can only check it's tcp and with source port 22, but I cann't check destination port 22. So the code will be like this:
Code:
# (1) allow ssh from ralf to client1
$IPTABLES -A INPUT -i $EthernetIface -p tcp --sport 22 --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $EthernetIface -p tcp --dport 22 --sport 22 -j ACCEPT
If I specify the rule like this, then both of the rules will be the same. This doesn't seem right.
I don't know if I explained clearly.
The question is how I can know when to check source port only and when to check destination port only??
Originally posted by fei Hi, win32sux. I've got the forward and nat working properly. BUT, There is still one thing bothering me for a long time.
Code:
# (1) allow ssh from ralf to client1
$IPTABLES -A INPUT -i $EthernetIface -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $EthernetIface -p tcp --dport 22 -j ACCEPT
# (2) allow ssh from client1 to ralf
$IPTABLES -A INPUT -i $EthernetIface -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $EthernetIface -p tcp --sport 22 -j ACCEPT
The above code is the partial code I wrote originally by myself. In order to allow ssh from ralf to client1, I need to specify the first rule in the firewall. The thing I can only check it's tcp and with source port 22, but I cann't check destination port 22. So the code will be like this:
Code:
# (1) allow ssh from ralf to client1
$IPTABLES -A INPUT -i $EthernetIface -p tcp --sport 22 --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $EthernetIface -p tcp --dport 22 --sport 22 -j ACCEPT
If I specify the rule like this, then both of the rules will be the same. This doesn't seem right.
I don't know if I explained clearly.
The question is how I can know when to check source port only and when to check destination port only??
Thanks.
you aren't specifying any host on any of those rules, so i'm not sure where "ralf" is... the rule i placed in the script would allow SSH coming into $EthernetIface, but (at least) it would check to make sure it was coming from an IP in subnet $EthernetIPs:
Code:
$IPTABLES -A INPUT -p TCP -i $EthernetIface -s $EthernetIPs --dport 22 \
-m state --state NEW -j ACCEPT
if you need to specify the IP of the host you want to allow to connect via SSH just use the host's IP instead of the subnet, like:
Code:
$IPTABLES -A INPUT -p TCP -i $EthernetIface -s 192.168.1.104 --dport 22 \
-m state --state NEW -j ACCEPT
also, you don't need to include any OUTPUT rule when the policy is ACCEPT - it's pointless...
BTW, these rules you've posted aren't checking for the packet's state, kinda defeats the purpose of having a packet-state filtering firewall... those rules are part of the ones i erased when i cleaned-up your script as they didn't make any sense...
as for the source ports: it depends, some connection types always use the same source port, some don't... you need to read docs in order to know which... for example, DHCP will use source port 68 by standard, but SSH won't use any specific source port so using a "--sport 22" in your SSH rules will give you nothing but headaches...
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.