LinuxQuestions.org
Old 10-08-2013, 12:50 PM   #1
cowmoo32
Member
Registered: May 2007
Posts: 49
Rep: Reputation: 0

Help with iptables

I have a machine that won't allow SSH access from outside the local network. I've checked hosts.deny & hosts.allow and there aren't any rules set up there, so I'm assuming it's the firewall. Here's what I'm working with:

Code:
#/sbin/iptables -L

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT 
-A INPUT -d xxx.x.x.xxx/32 -p udp -m state --state NEW -m udp --dport xxxx -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7001 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 7001 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7006 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 7006 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
I edited out the IP it's accepting. I'm wondering if it has something to do with the last two lines? From what I've gathered, it's saying to append INPUT and FORWARD with target REJECT, but what does REJECT refer to? Is that a list of IP/hostnames?

Old 10-08-2013, 01:14 PM   #2
DavidMcCann
Senior Member
Registered: Jul 2006
Location: London
Distribution: CentOS, Salix
Posts: 4,271
Rep: Reputation: 1269
The last line simply means all input from sources not specified earlier in the file is to be rejected. These sites look promising:
https://wiki.archlinux.org/index.php/Ssh
https://wiki.archlinux.org/index.php/Iptables
https://wiki.debian.org/iptables

Old 10-08-2013, 01:37 PM   #3
cowmoo32
Member
Registered: May 2007
Posts: 49
Original Poster
Rep: Reputation: 0
I commented out the last two lines and I'm able to SSH in now, thanks!

Old 10-09-2013, 02:11 AM   #4
chrism01
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,260
Rep: Reputation: 2328
That's because you've set the default policy for INPUT to accept at the top.
Now it'll accept anything from anywhere...
Best practice is default INPUT policy DROP and allow by exception only.

1 members found this post helpful.
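As an added check (not code from the thread or from any of its posters), the following Python script parses a rule listing in the format shown in the first post and reports, per chain, where traffic that no earlier rule accepts ends up: at an unconditional REJECT/DROP rule at the end of the chain, at a DROP default policy, or accepted by an ACCEPT default policy. It also lists the ports each chain explicitly accepts. It runs three constructed inputs: the first post's ruleset (with the masked destination IP and port replaced by the placeholders 192.0.2.10/32 and 1234), the same ruleset with the two REJECT lines removed as in post #3, and a default-deny version of the kind chrism01 describes in post #4.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the first post's listing, with the masked destination
# IP and port replaced by placeholders (192.0.2.10/32 and 1234).
ORIGINAL_RULESET = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -d 192.0.2.10/32 -p udp -m state --state NEW -m udp --dport 1234 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7001 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 7001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7006 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 7006 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed: the same listing with the two REJECT lines removed (post #3).
OPEN_RULESET = "\n".join(
    line for line in ORIGINAL_RULESET.splitlines() if "-j REJECT" not in line)

# Constructed: default-deny layout as recommended in post #4; the only
# exception kept here is SSH.
HARDENED_RULESET = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
"""

POLICY_RE = re.compile(r"^-P\s+(\S+)\s+(ACCEPT|DROP)$")
RULE_RE = re.compile(r"^-A\s+(\S+)\s*(.*?)\s*-j\s+(\S+)")
DPORT_RE = re.compile(r"-p\s+(tcp|udp)\b.*?--dport\s+(\d+)")


@dataclass
class Chain:
    policy: str = "ACCEPT"                      # built-in chains default to ACCEPT
    rules: list = field(default_factory=list)   # (match expression, target) in order


def parse_ruleset(text):
    """Parse '-P' and '-A' lines into a {chain_name: Chain} mapping."""
    chains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pol = POLICY_RE.match(line)
        if pol:
            chains.setdefault(pol.group(1), Chain()).policy = pol.group(2)
            continue
        rule = RULE_RE.match(line)
        if rule:
            chain, match, target = rule.groups()
            chains.setdefault(chain, Chain()).rules.append((match, target))
    return chains


def audit_chain(chain):
    """Where does traffic that no rule accepted end up?
    Rules are evaluated top to bottom, first match wins, so an unconditional
    DROP/REJECT only acts as a catch-all when it is the last rule."""
    if chain.rules:
        match, target = chain.rules[-1]
        if match == "" and target in ("DROP", "REJECT"):
            return "catch-all-deny"
    if chain.policy == "DROP":
        return "default-deny"
    return "open"           # default policy ACCEPT and no catch-all: wide open


def allowed_ports(chain):
    """Sorted (proto, port) pairs the chain explicitly accepts."""
    ports = set()
    for match, target in chain.rules:
        m = DPORT_RE.search(match)
        if target == "ACCEPT" and m:
            ports.add((m.group(1), int(m.group(2))))
    return sorted(ports)


def audit(text):
    """Return {chain_name: verdict} for every chain in the listing."""
    return {name: audit_chain(c) for name, c in parse_ruleset(text).items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_RULESET),
                        ("REJECT lines removed", OPEN_RULESET),
                        ("hardened", HARDENED_RULESET)):
        print(f"== {label} ==")
        for name, chain in parse_ruleset(text).items():
            print(f"  {name:8s} policy={chain.policy:6s} "
                  f"verdict={audit_chain(chain):15s} accepts={allowed_ports(chain)}")
```

With the REJECT lines removed, INPUT and FORWARD both come out as "open": the port-22 exception is still there, but so is everything else, because the ACCEPT default policy now decides whatever the explicit rules do not. The hardened listing reaches "default-deny" without any catch-all rule at all. To run the check against a live host, replace the constants with the output of `iptables -S`, which prints rules in this same format.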
  

