LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-26-2009, 10:03 AM   #1
jean2e
LQ Newbie
 
Registered: Apr 2009
Posts: 13

Rep: Reputation: 0
I have a question about netfilter/iptables


hi, all

my iptables are:
iptables -P INPUT DENY
iptables -A INPUT -p udp --syn -m state --state NEW -m multiport --dports 22,25,110 -j ACCEPT

now, I can't use ssh to connect to it; maybe there are some problems?

thank you.
 
Old 04-26-2009, 10:09 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by jean2e
my iptables are
No, they aren't. Those rules would have never become active.

Quote:
iptables -P INPUT DENY
iptables -A INPUT -p udp --syn -m state --state NEW -m multiport --dports 22,25,110 -j ACCEPT

now, I can't use ssh to connect to it; maybe there are some problems?
Thing is, your rules don't make sense. There's no such thing as a DENY policy (at least not in any modern iptables I've seen), and there's no such thing as a UDP packet that is SYN. SSH uses TCP anyway, and has nothing to do with ports 25 or 110. If all you want to allow is inbound connections to SSH, you just need something like:
Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --syn --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
The last line isn't necessary for SSH but you might need it for stuff on the local host.

If your intention was to allow inbound connections to SSH, SMTP, and POP3, then basically all you'd need to change in your second rule is the protocol:
Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --syn -m multiport --dports 22,25,110 \
-m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

Last edited by win32sux; 04-26-2009 at 10:18 AM.
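The reply above points out three distinct mistakes in the original rules (a non-existent DENY policy, `--syn` on UDP, and a port passed to `-p` instead of `--dport`) and then gives the corrected ruleset. As an added example, not code from the thread or from win32sux, here is a small POSIX shell script that catches exactly those mistakes before a rule is ever loaded, and that prints the corrected ruleset in iptables-restore format instead of running `iptables` one command at a time. The function names `lint_rule` and `gen_ruleset`, the diagnostic messages, and the use of `-m conntrack --ctstate` (the current spelling of the `-m state --state` match used in the thread) are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread: a tiny linter for the specific
# mistakes discussed above (DENY policy, --syn on UDP, a port given to -p,
# --dports without -m multiport) plus a generator that prints the corrected
# ruleset in iptables-restore format. Names and messages are this example's own.

# lint_rule ARG... : inspect one iptables command line (everything after the
# word "iptables"). Prints one diagnostic per problem; returns 1 if any found.
lint_rule() {
    proto=""; saw_syn=0; saw_dports=0; saw_multiport=0; rc=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -P|--policy)
                # -P CHAIN TARGET: a built-in chain policy is only ACCEPT or DROP
                if [ $# -lt 3 ]; then
                    echo "lint: -P needs a chain and a target"; return 1
                fi
                case "$3" in
                    ACCEPT|DROP) ;;
                    *) echo "lint: '$3' is not a valid chain policy (use ACCEPT or DROP)"; rc=1 ;;
                esac
                shift 2 ;;
            -p|--protocol)
                # a second -p almost always means a port was meant for --dport
                if [ -n "$proto" ]; then
                    echo "lint: protocol given twice ('$proto' then '$2'); a port belongs to --dport, not -p"
                    rc=1
                fi
                proto=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
                if [ $# -gt 1 ]; then shift; fi ;;
            --syn)
                saw_syn=1 ;;
            -m|--match)
                if [ "$2" = multiport ]; then saw_multiport=1; fi
                if [ $# -gt 1 ]; then shift; fi ;;
            --dports|--destination-ports)
                saw_dports=1
                if [ $# -gt 1 ]; then shift; fi ;;
        esac
        shift
    done
    # --syn is a TCP flag match; UDP has no handshake
    if [ $saw_syn -eq 1 ] && [ "$proto" != tcp ]; then
        echo "lint: --syn only makes sense with -p tcp (protocol here: '${proto:-none}')"; rc=1
    fi
    if [ $saw_dports -eq 1 ] && [ $saw_multiport -eq 0 ]; then
        echo "lint: --dports requires '-m multiport'"; rc=1
    fi
    return $rc
}

# gen_ruleset IFACE PORT... : print an iptables-restore filter table that
# accepts new TCP connections to PORT... arriving on IFACE, packets of
# connections already being tracked, and loopback traffic. Everything else
# falls through to the DROP policy. Load it with: iptables-restore < FILE
gen_ruleset() {
    iface=$1; shift
    ports=$(printf '%s,' "$@"); ports=${ports%,}    # "22 25 110" -> "22,25,110"
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        "-A INPUT -i $iface -p tcp --syn -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT" \
        'COMMIT'
}

# Demo when run directly: lint the rule from the question, then print the fix.
lint_rule -A INPUT -p udp --syn -m state --state NEW -m multiport --dports 22,25,110 -j ACCEPT \
    || echo "(rule from the question rejected, as expected)"
gen_ruleset eth0 22 25 110
```

Loading the output with `iptables-restore` applies the whole table in one step, so there is never a moment where the INPUT policy is DROP but the RELATED,ESTABLISHED rule is not yet in place; typing the four commands interactively over SSH in the order shown in the thread (policy first) would cut the session off at the first line. The rule order in the generated table also matters: loopback and established traffic are accepted before the per-port rule, so the multiport rule only ever sees the first packet of a new connection.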
 
Old 04-26-2009, 10:34 AM   #3
jean2e
LQ Newbie
 
Registered: Apr 2009
Posts: 13

Original Poster
Rep: Reputation: 0
thank you so much! I FINISHED it!
 