LinuxQuestions.org
Old 12-07-2007, 02:21 AM   #1
Robert S
Member
 
Registered: Oct 2006
Location: Canberra
Distribution: gentoo, debian
Posts: 39

Rep: Reputation: 15
iptables rule: ssh does not connect reliably


I have installed a firewall based on the script at http://www.gentoo.org/doc/en/securit...part=1&chap=12.

When I try to ssh into my server it does not reliably connect - I often get a timeout. The relevant rules are:
Code:
einfo "Setting policy"
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
#Incoming traffic
einfo "Creating incoming ssh traffic chain"
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
#Flood protection
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL RST --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL FIN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL SYN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT
and
Code:
# Apply and add invalid states to the chains
einfo "Applying chains to INPUT"
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p icmp -j icmp_allowed
$IPTABLES -A INPUT -j check-flags
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -j allow-ssh-traffic-in

# Unblock permitted input ports
einfon "Unblocking ports: "
echo -n "internal TCP, "
$IPTABLES -A INPUT -i $LAN -p tcp -m multiport -d $LOCAL_NETWORK --dports $ALLOWED_INT_1 -j ACCEPT
# Various other rules omitted here
# Deal with others
$IPTABLES -A INPUT -j allowed-connection

# Apply chains to forward
einfo "Applying chains to FORWARD"
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p icmp -j icmp_allowed
$IPTABLES -A FORWARD -j check-flags
$IPTABLES -A FORWARD -o lo -j ACCEPT
$IPTABLES -A FORWARD -j allow-ssh-traffic-in
$IPTABLES -A FORWARD -j ACCEPT

# Apply chains to output
einfo "Applying chains to OUTPUT"
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p icmp -j icmp_allowed
$IPTABLES -A OUTPUT -j check-flags
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT
Can somebody let me know how to avoid these problems, and suggest a way of avoiding "bad" connections to my ssh server.
 
Old 12-08-2007, 01:48 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Get rid of the check-flags INPUT and OUTPUT rules and see if it helps. If it does, you've isolated the problem to that chain. If it doesn't help, proceed to modify the allow-ssh-traffic-in chain to something simpler and known to work, like:
Code:
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -p TCP --dport 22 -m state --state NEW -j ACCEPT
Then see if that helps. If it does, you've isolated the problem to that chain.

This post makes two assumptions: 1) These are the rules on the server, not the client. 2) You've tested that setting your policies to ACCEPT and flushing out all the rules makes SSH work fine - which confirms that you aren't on a wild goose chase with iptables.

Last edited by win32sux; 12-08-2007 at 01:59 AM.
 
Old 12-08-2007, 07:30 AM   #3
Robert S
Member
 
Registered: Oct 2006
Location: Canberra
Distribution: gentoo, debian
Posts: 39

Original Poster
Rep: Reputation: 15
I scrubbed this and replaced it with this:
Quote:
# SSH protection table
# see http://www.stanford.edu/~fenn/linux/dhclient-exit-hooks
echo -n "incoming ssh, "
$IPTABLES -N SSH
$IPTABLES -F SSH
$IPTABLES -A SSH -m recent --name SSH --set --rsource
$IPTABLES -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j ACCEPT
$IPTABLES -A SSH -j ULOG --ulog-prefix="Bad SSH: "
$IPTABLES -A SSH -j DROP
$IPTABLES -A INPUT -p tcp -i $WAN --dport ssh -m state --state NEW -j SSH
This has done a great job blocking "script kiddie" type attacks.
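The practical difference between the two chains in this thread, as an added example that is not part of any post: a simplified offline model of the `-m limit` token bucket from post #1 (one bucket shared by all sources) next to the per-source `-m recent --set` / `! --rcheck --seconds 60 --hitcount 3` window from post #3, fed a constructed burst of scanner SYNs with two legitimate admin attempts mixed in. It assumes, as in post #1, that INPUT's policy is DROP and nothing later in INPUT accepts a new SSH SYN, so a SYN the chain does not accept is dropped and the client sees a timeout.

```python
# Added example, not the thread's own code: a simplified offline model of the
# two netfilter matches this thread compares. Assumes INPUT policy DROP (as in
# post #1) and nothing later in INPUT accepting a new SSH SYN, so "not accepted
# by the chain" means the SYN is dropped and the client sees a timeout.
from collections import defaultdict

class LimitMatch:
    """'-m limit --limit 1/second' (default --limit-burst 5), post #1:
    one token bucket shared by every source address."""
    def __init__(self, rate=1.0, burst=5):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def accepts(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False          # no token: the SYN falls through the chain

class RecentMatch:
    """'-m recent --set' then '! --rcheck --seconds 60 --hitcount 3', post #3:
    a per-source window; --set runs first, so the current SYN counts as a hit."""
    def __init__(self, seconds=60, hitcount=3):
        self.seconds, self.hitcount = seconds, hitcount
        self.hits = defaultdict(list)

    def accepts(self, src, now):
        self.hits[src] = [t for t in self.hits[src] if now - t <= self.seconds]
        self.hits[src].append(now)                      # --set
        return len(self.hits[src]) < self.hitcount      # ! --rcheck

def run(syns):
    """Feed (time, src) SYNs through both chains; return (src, accepted) lists."""
    limit, recent = LimitMatch(), RecentMatch()
    verdict = {"limit": [], "recent": []}
    for now, src in syns:
        verdict["limit"].append((src, limit.accepts(now)))
        verdict["recent"].append((src, recent.accepts(src, now)))
    return verdict

# Constructed traffic: a scanner sends 8 SYNs in under a second while the admin
# tries to connect at t=0.5 and, after the first attempt hangs, again at t=0.9.
TRAFFIC = sorted([(i * 0.1, "scanner") for i in range(8)]
                 + [(0.5, "admin"), (0.9, "admin")])
if __name__ == "__main__":
    for chain, v in run(TRAFFIC).items():
        print(chain, [f"{s}:{'ACCEPT' if ok else 'DROP'}" for s, ok in v])
```

Under the shared `limit` bucket the scanner drains the five-token burst and both admin SYNs are dropped; under the per-source `recent` window the scanner is cut off after two SYNs while both admin attempts get through.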
 
Old 12-08-2007, 08:04 AM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Well, it definitely makes more sense to limit only the SYNs.

Glad you got your issue sorted out.