LinuxQuestions.org > Linux - Security > i have a question about netfilter/iptables (http://www.linuxquestions.org/questions/linux-security-4/i-have-a-question-about-netfilter-iptables-721801/)

jean2e 04-26-2009 10:03 AM

i have a question about netfilter/iptables
 
Hi, all,

my iptables are:
iptables -P INPUT DENY
iptables -A INPUT -p udp --syn -m state --state NEW -m multiport --dports 22,25,110 -j ACCEPT

Now I can't use SSH to connect to it. Maybe there are some problems?

Thank you.

win32sux 04-26-2009 10:09 AM

Quote:

Originally Posted by jean2e (Post 3521441)
my iptables are

No, they aren't. Those rules would have never become active.

Quote:

iptables -P INPUT DENY
iptables -A INPUT -p udp --syn -m state --state NEW -m multiport --dports 22,25,110 -j ACCEPT

now , i can't use ssh to connect it, may be have some problems?
Thing is, your rules don't make sense. There's no such thing as a DENY policy (at least not in any modern iptables I've seen), and there's no such thing as a UDP packet that is SYN. SSH uses TCP anyway, and has nothing to do with ports 25 or 110. If all you want to allow is inbound connections to SSH, you just need something like:
Code:

iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --syn --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

The last line isn't necessary for SSH but you might need it for stuff on the local host.

If your intention was to allow inbound connections to SSH, SMTP, and POP3, then basically all you'd need to change in your second rule is the protocol:
Code:

iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --syn -m multiport --dports 22,25,110 \
-m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT


jean2e 04-26-2009 10:34 AM

Thank you so much! I FINISHED it!

