LinuxQuestions.org
Old 04-12-2013, 02:38 PM   #1
warez74
LQ Newbie
 
Registered: Apr 2013
Posts: 27

VPS server possibly locked after adding non-adequate iptables rules


Hi, I just joined this community.

This is the first time I cannot find my answer here without having to ask.

So... here is what I did:

I bought the Ubuntu 10.04 LTS 32-bit VPS micro hosting, then I installed the pptpd server, and that worked as expected.

Then I tried to mess with iptables because I needed to set up NAT (masquerade) for the pptp-client connection.

I needed the NAT feature because I wanted to connect to the VPS server from another server using a pptp client connection and route the other server's internet traffic through the connected pptp client interface to the VPS server's eth0 interface.

That worked really well up to the point where I tried to do something that I'm not so good at: iptables rules.

So I entered the following in the shell:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.11.11.1/32 -j MASQUERADE

then I saved the iptables rules:

iptables-save > /root/iptables.rules

then I changed the /etc/rc.local :

iptables-restore < /root/iptables.rules
exit 0

the /root/iptables.rules contents:

# Generated by iptables-save v1.4.4 on Fri Apr 12 16:45:15 2013
*nat
:PREROUTING ACCEPT [3:156]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 12 16:45:15 2013
# Generated by iptables-save v1.4.4 on Fri Apr 12 16:45:15 2013
*filter
:INPUT ACCEPT [60:4551]
:FORWARD ACCEPT [101:6060]
:OUTPUT ACCEPT [423:24101]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -j ACCEPT
COMMIT
# Completed on Fri Apr 12 16:45:15 2013


After that I rebooted the VPS server, and since then I have not been able to connect to the VPS server using SSH.

The VPS is also not pingable.

I would appreciate any help in debugging this issue.

Best Regards
 
Old 04-12-2013, 09:58 PM   #2
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,485

Quote:
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
That should have been
Code:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
When making changes on a remote machine, it helps to set up a cron job to write a working configuration back after a period of time. That way, if the new configuration fails, as here, then you can re-establish a connection and try again.
 
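A failsafe loader along the lines allend suggests, added here as an example and not code from the thread: it saves the live ruleset, arms a background watchdog that restores it after a delay, loads the new rules, and lets you disarm the watchdog once you have confirmed you can still log in. The command names, file paths and function names are assumptions, overridable through the environment.

```shell
#!/bin/sh
# Failsafe iptables loader (added example, not from the thread). Saves the
# live ruleset, arms a watchdog that restores it after DELAY seconds, then
# loads the new rules. If you can still log in, run cancel_rollback to keep
# them. Paths and command names are assumptions; override via the environment.
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
BACKUP=${BACKUP:-/root/iptables.known-good}
PIDFILE=${PIDFILE:-/run/iptables-rollback.pid}
LOGFILE=${LOGFILE:-/var/log/iptables-rollback.log}

arm_rollback() {
    # Watchdog subshell: after $1 seconds, restore the known-good ruleset.
    # The TERM trap kills the sleep too, so cancelling leaves nothing behind.
    (
        trap 'kill $sleeper 2>/dev/null; exit 0' TERM
        sleep "$1" & sleeper=$!
        wait "$sleeper" && "$IPT_RESTORE" < "$BACKUP"
    ) >>"$LOGFILE" 2>&1 &
    echo $! > "$PIDFILE"
}

cancel_rollback() {
    [ -r "$PIDFILE" ] || { echo "no rollback armed" >&2; return 1; }
    kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
    echo "rollback cancelled; current ruleset kept"
}

apply_with_rollback() {
    new_rules=$1
    delay=${2:-300}
    [ -r "$new_rules" ] || { echo "cannot read $new_rules" >&2; return 1; }
    "$IPT_SAVE" > "$BACKUP" || return 1
    arm_rollback "$delay"
    # iptables-restore commits table by table, so on failure put the
    # known-good ruleset back rather than leaving a half-applied one.
    if ! "$IPT_RESTORE" < "$new_rules"; then
        echo "new rules rejected; restoring known-good ruleset" >&2
        cancel_rollback >/dev/null
        "$IPT_RESTORE" < "$BACKUP"
        return 1
    fi
    echo "new rules live; run cancel_rollback within ${delay}s to keep them"
}
```

Source the script, run `apply_with_rollback /root/new.rules 300`, reconnect over SSH, and only then run `cancel_rollback`; if the new rules locked you out, the watchdog puts the saved ruleset back on its own.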
Old 04-13-2013, 08:28 AM   #3
warez74
LQ Newbie
 
Registered: Apr 2013
Posts: 27

Original Poster

@allend, thanks for help. I appreciate that.

Strangely, everything is working again; check out the iptables-save output now:

# Generated by iptables-save v1.4.4 on Fri Apr 12 22:59:51 2013
*filter
:INPUT ACCEPT [36:1416]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [621:92104]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -j ACCEPT
COMMIT
# Completed on Fri Apr 12 22:59:51 2013
# Generated by iptables-save v1.4.4 on Fri Apr 12 22:59:51 2013
*nat
:PREROUTING ACCEPT [18:860]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3:215]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 12 22:59:51 2013

I do not see any differences except the order of the *filter and *nat blocks. In the previous post, the *nat block was first in the file. Does that play any role in my case?

Also, you said that I should explicitly write a port number, but the iptables-save output shows that iptables recognized '--dport ssh', as you can see in the iptables-save output above:

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Am I right about the --dport ssh issue?

I forgot to mention that I did not change or add anything before the whole thing started to work again.

Regards

Last edited by warez74; 04-13-2013 at 08:35 AM. Reason: I forgot to mention something important.
 
Old 04-14-2013, 04:13 AM   #4
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,485

You are right about the --dport ssh being acceptable, provided that ssh is listed in /etc/services.
From http://www.iptables.info/en/iptables...tml#TCPMATCHES
Quote:
This match can either take a service name or a port number. If you specify a service name, the service name must be in the /etc/services file, since iptables uses this file in which to find. If you specify the port by its number, the rule will load slightly faster, since iptables don't have to check up the service name.
 
Old 04-14-2013, 12:13 PM   #5
warez74
LQ Newbie
 
Registered: Apr 2013
Posts: 27

Original Poster
Well, I forgot to say thanks for the tip with the cron approach.

@allend , thanks again.

Now I/whoever can mark this thread as SOLVED.

Best Regards
 