LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-10-2004, 08:33 PM   #1
ldp
Member
 
Registered: Apr 2004
Location: Belgium Antwerpen
Distribution: slackware - knoppix
Posts: 141

Rep: Reputation: 18
I want my iptables script to allow ssh connections from anywhere.


Hello,

I'm currently struggling with an iptables script to make it allow ssh connections from anywhere. This script, I found on the internet: (http://www.ibiblio.org/pub/Linux/doc...NG-RC.FIREWALL)
When I installed it, I was completely new to iptables but the information and explanations on the site convinced me that it's an ok firewall. Meanwhile, I tried to understand iptables better because it looks important enough to have a secured pc.
So I was looking around and puzzled the following line:
$IPTABLES -A INPUT -p tcp -s $UNIVERSE --dport 22 -m state --state NEW -j ACCEPT
But still, ssh only works from the lan as it always did. I have a rootshell.be account from which I did a test and it still doesn't work from the internet. (I am allowed to use ssh from this account)


To be complete, here's the script I took from the internet with the extra line I added to try to get ssh to work.


FWVER=0.80s
echo -e "\nLoading rc.firewall - version $FWVER..\n"

IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/usr/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig

EXTIF="eth1"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " ---"

EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

echo " External IP: $EXTIP"
echo " ---"

INTNET="192.168.0.0/24"
INTIP="192.168.0.1/24"
echo " Internal Network: $INTNET"
echo " Internal IP: $INTIP"
echo " ---"

UNIVERSE="0.0.0.0/0"

echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo -en " Loading kernel modules: "

echo -en "ip_tables, "
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
$MODPROBE ip_tables
fi

echo -en "ip_conntrack, "
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack
fi

echo -en "ip_conntrack_ftp, "
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack_ftp
fi

echo -en "iptable_nat, "
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
$MODPROBE iptable_nat
fi

echo -e "ip_nat_ftp"
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_nat_ftp
fi

echo " ---"

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " ---"

echo " Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi

$IPTABLES -X
$IPTABLES -Z

echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j REJECT

echo -e "\n - Loading INPUT rulesets"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
#line added by Lieven on 11th may 2004 to try to allow ssh traffic from anywhere
$IPTABLES -A INPUT -p tcp -s $UNIVERSE --dport 22 -m state --state NEW -j ACCEPT
#end try-and-error line
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e " - Loading OUTPUT rulesets"
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e " - Loading FORWARD rulesets"
echo " - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j drop-and-log-it

echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

If anybody can give me some advice on this, all help is greatly appreciated.

kind regards,
Lieven
 
Old 05-10-2004, 09:04 PM   #2
ldp
Member
 
Registered: Apr 2004
Location: Belgium Antwerpen
Distribution: slackware - knoppix
Posts: 141

Original Poster
Rep: Reputation: 18
Please ignore this thread... Is there a way to remove it? (shame-shame) :-) I found why it wasn't working.
thanks.
 
Old 05-10-2004, 09:15 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Only Jeremy can delete threads, but that's only done in rare circumstances. However, you might want to post the solution that you found so that others with similar problems might benefit from it.
 
Old 05-11-2004, 11:51 AM   #4
ldp
Member
 
Registered: Apr 2004
Location: Belgium Antwerpen
Distribution: slackware - knoppix
Posts: 141

Original Poster
Rep: Reputation: 18
Hi,
I found it in fact to be a problem on rootshell.be, not a problem on my firewall. So I don't think that this is any help to anybody.
I tried a "firewall" (ahem, it's no fw...) like this:

# test firewall to get ssh to work from the outside world

/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t nat

/sbin/iptables -A INPUT -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 81.83.162.239

echo "\n as da nu nog ni werkt, dien ssh, dan is er toch iet mis op rootshell"

And asked a friend to try to ssh connect to me from his pc at home and it worked. Normally, I should be able to use ssh from the rootshell but it doesn't work. (doesn't give any error though.)

Anyway, thanks for your help and sorry for the time you wasted reading this.

rgds,
Lieven
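Two things a reader of this thread usually wants next: a tighter version of the "allow ssh from anywhere" rule in post #1 (bound to the external interface and address, with new-connection rate limiting and logging of the excess, so the opening is no wider than it has to be), and a way to tell "the firewall is dropping it" from "the packets never arrive" without flushing the rule set as post #4 did. The script below is an added example, not code from the thread or from the RC.FIREWALL script it quotes. It reuses the thread's variable names and its drop-and-log-it chain; eth1, the 192.0.2.1 external address (a documentation placeholder) and the sample listing are constructed for the example, and the `-m recent` match assumes the ipt_recent/xt_recent module is available. `ssh_rules` only prints the iptables commands so they can be reviewed (or piped into sh); `check_ssh_rule` reads the output of `iptables -L INPUT -n -v -x --line-numbers` and reports whether the ssh ACCEPT rule is placed before the catch-all drop and whether it has ever matched a packet.

```shell
#!/bin/sh
# Added example: hardened "ssh from anywhere" rules plus a rule-order/counter
# check for the INPUT chain. Not from the thread or RC.FIREWALL.

EXTIF="${EXTIF:-eth1}"            # assumption: external interface as in the thread
EXTIP="${EXTIP:-192.0.2.1}"       # placeholder external address (TEST-NET-1)
UNIVERSE="0.0.0.0/0"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print (do not run) the SSH rules. They must be appended BEFORE the final
# catch-all "drop-and-log-it" rule, otherwise they are never reached.
ssh_rules() {
    cat <<EOF
# remember every new SSH connection attempt per source address
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -m state --state NEW -m recent --set --name SSH
# a source opening a 5th new connection within 60 s is logged and dropped
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j LOG --log-prefix "SSH-FLOOD: "
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
# everything else: accept new SSH connections from any source on the external interface
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -m state --state NEW -j ACCEPT
EOF
}

# Read "iptables -L INPUT -n -v -x --line-numbers" from stdin ($1 = name of the
# catch-all drop chain, default drop-and-log-it). Columns with -v and
# --line-numbers: num pkts bytes target prot opt in out source destination [matches].
check_ssh_rule() {
    awk -v dropchain="${1:-drop-and-log-it}" '
    /^[0-9]+/ {
        num = $1; pkts = $2; target = $4
        if (ssh == 0 && target == "ACCEPT" && $0 ~ /dpt:22/) { ssh = num; sshpkts = pkts }
        # a catch-all: drops everything, any interface, any source/destination, no extra match
        if (ssh == 0 && (target == "DROP" || target == "REJECT" || target == dropchain) &&
            $5 == "all" && $7 == "*" && $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" && NF == 10)
            shadow = num
    }
    END {
        if (ssh == 0)       print "missing: no ACCEPT rule for tcp dpt:22 in INPUT"
        else if (shadow)    print "shadowed: ssh ACCEPT at rule " ssh " sits after catch-all rule " shadow
        else if (sshpkts == 0) print "unreached: ssh ACCEPT at rule " ssh " has counted no packets"
        else                print "ok: ssh ACCEPT at rule " ssh " has counted " sshpkts " packets"
    }'
}

# Constructed listing (not real output) for the thread's script with its ssh
# rule in place; $1 = packet counter on the ssh rule. Zero packets there means
# the connection attempts never reached this host, which is what post #4 found.
sample_listing() {
    cat <<EOF
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      300 24000 ACCEPT     all  --  eth0   *       192.168.0.0/24       0.0.0.0/0
3        0     0 drop-and-log-it  all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
4        $1   420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
5     1500 90000 ACCEPT     all  --  eth1   *       0.0.0.0/0            192.0.2.1            state RELATED,ESTABLISHED
6       40  2400 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Same listing with the ssh rule appended after the catch-all: a common mistake
# that silently makes the rule dead.
sample_listing_shadowed() {
    cat <<EOF
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      300 24000 ACCEPT     all  --  eth0   *       192.168.0.0/24       0.0.0.0/0
3        0     0 drop-and-log-it  all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
4     1500 90000 ACCEPT     all  --  eth1   *       0.0.0.0/0            192.0.2.1            state RELATED,ESTABLISHED
5       40  2400 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
EOF
}

# Usage on a live box (needs root):  iptables -L INPUT -n -v -x --line-numbers | check_ssh_rule
ssh_rules
sample_listing 7 | check_ssh_rule
sample_listing 0 | check_ssh_rule
sample_listing_shadowed | check_ssh_rule
```

Reading the result: "shadowed" means the rule set is wrong and the rule has to move up; "unreached" with a nonzero counter on the RELATED,ESTABLISHED rule means the firewall is working and no SYN for port 22 has arrived on this host, so the problem is upstream (the remote host, its outbound filtering, or the provider), which is exactly the distinction the thread ended on. Use `-x` so the counters are exact numbers rather than "12K" style abbreviations.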
 