Linux - Newbie forum, LinuxQuestions.org
If you are able to connect after doing this, then you know there is an error somewhere in the firewall setup. If you still can't connect, then you will know that the problem lies elsewhere.
That made my last 4 hours seem pretty pointless. Indeed - it now works! I'm not sure what these modifications to iptables have done, but is it safe to leave them like this?
Thanks,
Jarrod
No, you probably don't want to leave your server exposed without any firewall rules at all. But now you know that you have some firewall rule that was preventing your ssh connection. You just have to figure out what it is.
From the drop down menu SSH is ticked as a trusted service and everything else is not ticked, including everything in Trusted Interfaces (where I presume the problem lies)
With the config you posted, can you verify that SSH does *not* work?
iptables will process rules from top to bottom, and then stop when it hits a rule that matches the packet. Therefore, it seems like everything should pass through based on your third rule "ACCEPT all -- anywhere anywhere". I don't think that the REJECT statement several lines down would ever be reached.
Also: Did this firewall configuration come only from the GUI tool, or have you added other things to it yourself? I don't run Fedora, and I don't know how their GUI tool creates firewall rules, but generally I would think your input chain should have a default DENY policy, and then explicitly allow only certain things (like ssh).
Whatever you did to your firewall so far, you need to start over from scratch. Right now your firewall is letting everything in based on the 3rd rule in the Input chain.
-A appends, -I inserts. Append adds to the end, Insert by default inserts at the start... if you look at your rules you will see the following in the input chain
Note that the rules go in order, thus before the SSH rules are hit, all traffic has already been rejected. If this now works could you please mark this thread as [solved]
Quote:
Originally Posted by nicedream
but generally I would think your input chain should have a default DENY policy, and then explicitly allow only certain things (like ssh).
This is also a very good way to blackhole yourself out of a system, not so important with a desktop but if you hit an issue with a remote server that requires iptables being flushed... well that's gunna cause some rough downtime, more so if you have to travel to wherever the server is... maybe not so bad if it's at a datacenter and you can get KVMoIP access... you can make the argument that a server should be well set-up in the first place, however services rarely stay the same, when more things are offered these things tend to occur.
Last edited by r3sistance; 08-12-2010 at 03:26 PM.
Thanks for the responses - iptables now makes more (some) sense. The problem is solved in that I can ssh the computer, but given the earlier reply I'm afraid I've compromised the security by fixing it.
Quote:
Originally Posted by r3sistance
This is also a very good way to blackhole yourself out of a system, not so important with a desktop but if you hit an issue with a remote server that requires iptables being flushed... well that's gunna cause some rough downtime, more so if you have to travel to wherever the server is... maybe not so bad if it's at a datacenter and you can get KVMoIP access... you can make the argument that a server should be well set-up in the first place, however services rarely stay the same, when more things are offered these things tend to occur.
Yes - if you aren't careful you can lock yourself out of a system, but locking people out of the system is the whole purpose of a firewall. When you are testing your firewall rules for the first time, you should either be physically at the system, or have a way to easily remotely reboot the system to reset the rules.
I'll stand by my statement that a default DENY is the best (most secure) policy. It's much easier and safer to open up the ports that you need, rather than trying to close all the ones that you don't.
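The three points made in this thread (first matching rule wins, -A versus -I placement, and a default DENY policy with an explicit SSH allow) can be checked without touching a live firewall. The following is an added example, not code from the thread or from iptables: a small Python model of how the INPUT chain is walked. The rule fields are simplified to protocol, destination port, conntrack state and input interface, and the "thread_chain" is a constructed approximation of the ruleset described above (an "ACCEPT all" as the third rule, a REJECT further down, SSH rules after it), since the thread never shows the full listing. The packet samples are likewise constructed.

```python
"""Simplified model of iptables INPUT-chain evaluation (added illustration,
not iptables): rules are checked top to bottom, the first match decides the
verdict, and the chain policy applies only when nothing matched."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or REJECT
    proto: Optional[str] = None      # 'tcp', 'udp', ... ; None = any protocol
    dport: Optional[int] = None      # destination port; None = any port
    state: Optional[str] = None      # e.g. "NEW" or "ESTABLISHED,RELATED"
    in_iface: Optional[str] = None   # e.g. "lo"; None = any interface

    def matches(self, pkt: dict) -> bool:
        """Every field that is set on the rule must agree with the packet."""
        return ((self.proto is None or self.proto == pkt.get("proto"))
                and (self.dport is None or self.dport == pkt.get("dport"))
                and (self.state is None or pkt.get("state") in self.state.split(","))
                and (self.in_iface is None or self.in_iface == pkt.get("iface")))

    def as_command(self, chain: str = "INPUT", flag: str = "-A") -> str:
        """Render the rule as the iptables command that would create it."""
        parts = ["iptables", flag, chain]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        if self.state:
            parts += ["-m", "state", "--state", self.state]
        parts += ["-j", self.target]
        return " ".join(parts)


class Chain:
    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy          # what happens when no rule matches
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:          # iptables -A: goes last
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I: goes first
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Return (target, 1-based rule number) of the first match, or (policy, None)."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, number
        return self.policy, None


def commands(chain: Chain, name: str = "INPUT") -> List[str]:
    """The policy plus one -A line per rule, in order (what you would type)."""
    return [f"iptables -P {name} {chain.policy}"] + [r.as_command(name) for r in chain.rules]


# Constructed sample packets: a new SSH connection, a new HTTP connection,
# and a reply packet belonging to a connection this host opened.
SSH = {"proto": "tcp", "dport": 22, "state": "NEW"}
HTTP = {"proto": "tcp", "dport": 80, "state": "NEW"}
REPLY = {"proto": "tcp", "dport": 51000, "state": "ESTABLISHED"}


def thread_chain() -> Chain:
    """Approximation of the poster's chain: rule 3 accepts everything, so the
    REJECT and the SSH rules below it are never reached."""
    c = Chain(policy="ACCEPT")
    c.append(Rule("ACCEPT", state="ESTABLISHED,RELATED"))
    c.append(Rule("ACCEPT", in_iface="lo"))
    c.append(Rule("ACCEPT"))                          # "ACCEPT all -- anywhere anywhere"
    c.append(Rule("REJECT"))                          # shadowed by rule 3
    c.append(Rule("ACCEPT", proto="tcp", dport=22))   # also shadowed
    return c


def insert_before_ssh() -> Chain:
    """What -I does: a REJECT-all inserted at the top blocks the SSH rule
    that was appended earlier, which is the lock-out described in the thread."""
    c = Chain(policy="ACCEPT")
    c.append(Rule("ACCEPT", proto="tcp", dport=22))
    c.insert(Rule("REJECT"))                          # -I puts it at position 1
    return c


def default_deny_chain() -> Chain:
    """The recommended shape: policy DROP, then only what is explicitly needed."""
    c = Chain(policy="DROP")
    c.append(Rule("ACCEPT", in_iface="lo"))
    c.append(Rule("ACCEPT", state="ESTABLISHED,RELATED"))
    c.append(Rule("ACCEPT", proto="tcp", dport=22, state="NEW"))
    return c


if __name__ == "__main__":
    for label, chain in [("thread", thread_chain()), ("insert", insert_before_ssh()),
                         ("default-deny", default_deny_chain())]:
        print(label, {n: chain.verdict(p) for n, p in [("ssh", SSH), ("http", HTTP), ("reply", REPLY)]})
    print("\n".join(commands(default_deny_chain())))
```

Running it shows the thread chain accepting both SSH and HTTP at rule 3 (the REJECT never fires), the inserted REJECT winning over the appended SSH rule, and the default-deny chain letting SSH and established replies through while HTTP falls to the DROP policy. Before applying a default-deny ruleset on a remote box, keep the console or a scheduled `iptables-restore` of the old rules within reach, as the thread advises.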