
Robert S 12-07-2007 02:21 AM

iptables rule: ssh does not connect reliably
 
I have installed a firewall based on the script at http://www.gentoo.org/doc/en/securit...part=1&chap=12.

When I try to ssh into my server it does not reliably connect - I often get a timeout. The relevant rules are:

einfo "Setting policy"
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
#Incoming traffic
einfo "Creating incoming ssh traffic chain"
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
#Flood protection
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL RST --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL FIN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL SYN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

and

# Apply and add invalid states to the chains
einfo "Applying chains to INPUT"
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p icmp -j icmp_allowed
$IPTABLES -A INPUT -j check-flags
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -j allow-ssh-traffic-in

# Unblock permitted input ports
einfon "Unblocking ports: "
echo -n "internal TCP, "
$IPTABLES -A INPUT -i $LAN -p tcp -m multiport -d $LOCAL_NETWORK --dports $ALLOWED_INT_1 -j ACCEPT
# Various other rules omitted here
# Deal with others
$IPTABLES -A INPUT -j allowed-connection

# Apply chains to forward
einfo "Applying chains to FORWARD"
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p icmp -j icmp_allowed
$IPTABLES -A FORWARD -j check-flags
$IPTABLES -A FORWARD -o lo -j ACCEPT
$IPTABLES -A FORWARD -j allow-ssh-traffic-in
$IPTABLES -A FORWARD -j ACCEPT

# Apply chains to output
einfo "Applying chains to OUTPUT"
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p icmp -j icmp_allowed
$IPTABLES -A OUTPUT -j check-flags
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT

Can somebody let me know how to avoid these problems, and suggest a way of avoiding "bad" connections to my ssh server?

win32sux 12-08-2007 01:48 AM

Get rid of the check-flags INPUT and OUTPUT rules and see if it helps. If it does, you've isolated the problem to that chain. If it doesn't help, proceed to modify the allow-ssh-traffic-in chain to something simpler and known to work, like:
Code:

$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -p TCP --dport 22 -m state --state NEW -j ACCEPT

Then see if that helps. If it does, you've isolated the problem to that chain.

This post makes two assumptions: 1) These are the rules on the server, not the client. 2) You've tested that setting your policies to ACCEPT and flushing out all the rules makes SSH work fine - which confirms that you aren't on a wild goose chase with iptables.

Robert S 12-08-2007 07:30 AM

I scrubbed this and replaced it with this:
Quote:

# SSH protection table
# see http://www.stanford.edu/~fenn/linux/dhclient-exit-hooks
echo -n "incoming ssh, "
$IPTABLES -N SSH
$IPTABLES -F SSH
$IPTABLES -A SSH -m recent --name SSH --set --rsource
$IPTABLES -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j ACCEPT
$IPTABLES -A SSH -j ULOG --ulog-prefix="Bad SSH: "
$IPTABLES -A SSH -j DROP
$IPTABLES -A INPUT -p tcp -i $WAN --dport ssh -m state --state NEW -j SSH
This has done a great job blocking "script kiddie" type attacks.
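
As an added illustration of the `-m recent` chain in the post above (a model written for this thread, not code from the Gentoo script or the xt_recent kernel module), the following Python simulates its accept/drop decisions for a sequence of NEW SSH connections from one source. It assumes the kernel default of 20 timestamps kept per address and treats every call as a NEW connection that has already matched the `-i $WAN --dport ssh` rule.

```python
# Model of the SSH chain:
#   -A SSH -m recent --name SSH --set --rsource
#   -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j ACCEPT
#   -A SSH -j ULOG ... ; -A SSH -j DROP
# `--set` records the packet's timestamp FIRST, so the current attempt counts
# toward --hitcount: the third NEW connection within 60 s is already dropped,
# and dropped attempts keep refreshing the list, so a source that keeps
# retrying stays locked out until it pauses for a full window.
from collections import defaultdict, deque

WINDOW = 60      # --seconds 60
HITCOUNT = 3     # --hitcount 3
LIST_TOT = 20    # assumed default ip_pkt_list_tot: timestamps kept per address


class RecentList:
    """Per-source timestamp list, as the 'SSH' recent table keeps it."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def set(self, src, now):
        self.stamps[src].append(now)           # -m recent --set --rsource

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck --seconds S --hitcount N: at least N stamps within S seconds
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        return hits >= hitcount


def ssh_chain(table, src, now):
    """Verdict for one NEW SSH connection from `src` at time `now` (seconds)."""
    table.set(src, now)
    if not table.rcheck(src, now, WINDOW, HITCOUNT):   # negated rcheck -> ACCEPT
        return "ACCEPT"
    return "DROP"                                      # logged, then dropped


def simulate(attempts):
    """attempts: list of (time, source); returns one verdict per attempt."""
    table = RecentList()
    return [ssh_chain(table, src, t) for t, src in attempts]


if __name__ == "__main__":
    # Constructed sample: one source retrying every 10 s, then pausing 70 s.
    events = [(0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"),
              (30, "198.51.100.7"), (100, "198.51.100.7")]
    for (t, src), verdict in zip(events, simulate(events)):
        print(f"t={t:3d}s {src}: {verdict}")
```

The practical consequence is that a legitimate user who mistypes a password and reconnects quickly gets the same treatment as a scanner, and only stops being dropped once 60 seconds pass with no further SYNs from that address.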

win32sux 12-08-2007 08:04 AM

Well, it definitely makes more sense to limit only the SYNs.

Glad you got your issue sorted out.
