[SOLVED] how to configure iptables to allow ssh tunneling?

wyattisimo · 04-28-2011, 10:52 AM

I set up a very simple web server running a MySQL database. Before I enabled the firewall, I could connect to the database over an ssh tunnel with no problems.

After I enabled the firewall, ssh tunneling broke. I've got ports 22 and 80 open, as shown below. If I change the INPUT policy to ACCEPT, ssh tunneling works fine.

Does anyone know how to configure iptables to allow ssh tunneling? Do I need to specify some sort of forwarding rule to the local machine? Any help is appreciated!

Here are my current iptables policies and rules:

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 

Chain FORWARD (policy DROP)

Chain OUTPUT (policy ACCEPT)

Web31337 · 04-28-2011, 11:10 AM

you (sshd) need to connect mysql, even loopback interface connection(assuming you make local port forward to 127.0.0.1:mysqlport) counts as one. So you either allow all loopback traffic by interface name or some ports if you have more strict policy.

wyattisimo · 04-29-2011, 12:24 AM

Could you be more specific? I'm kind of a n00b when it comes to iptables and firewalls in general. How exactly should I define the rule? I would like the ssh tunnel to work for any traffic, not just mysql.

win32sux · 04-29-2011, 12:52 AM

Code:

iptables -A INPUT -i lo -j ACCEPT

wyattisimo · 05-02-2011, 05:21 PM

ah, makes sense. That seems to do what I want. Thanks!