LinuxQuestions.org

Loke 09-10-2004 02:58 PM

iptables rules for ssh
 
I have opened tcp port 22 in order to let in ssh connections from another machine on my LAN. However, I cannot start the ssh connection (from the other machine). If I stop iptables and log in and then start iptables again then the ssh session continues to work. What's up?

win32sux 09-10-2004 09:56 PM

could you post your iptables script (for analysis)??

ping_wing 09-11-2004 02:41 AM

There are SYN packets that are used to 'start' a tcp session.
Probably you have SYN packets filtered, whereas 'regular' packets can pass through..

Loke 09-12-2004 07:31 AM

>> could you post your iptables script (for analysis)??

The ssh rule looks like this

iptables -A INPUT -i $LAN_INTERFACE -p tcp \
-s $LAN_ADDRESSES \
--sport $UNPRIVPORTS \
--dport 22 \
-m state --state NEW -j ACCEPT

win32sux 09-12-2004 05:24 PM

Quote:

Originally posted by Loke
>> could you post your iptables script (for analysis)??

The ssh rule looks like this

iptables -A INPUT -i $LAN_INTERFACE -p tcp \
-s $LAN_ADDRESSES \
--sport $UNPRIVPORTS \
--dport 22 \
-m state --state NEW -j ACCEPT

try this:

Code:

iptables -A INPUT -p TCP -i $LAN_INTERFACE -s $LAN_ADDRESSES -m state \
--state NEW --dport 22 -j ACCEPT

also, make sure your output is also ready:

Code:

iptables -A OUTPUT -p TCP -o $LAN_INTERFACE -s $LAN_INTERFACE_IP -j ACCEPT

or at least the established and related daemon's connections... like:

Code:

iptables -A OUTPUT -p TCP -o $LAN_INTERFACE -s $LAN_INTERFACE_IP --sport 22 \
-m state --state ESTABLISHED,RELATED -j ACCEPT

posting your entire script can make it easier to spot issues and make suggestions, though...

good luck...
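A complete minimal stateful ruleset for the LAN-only ssh case discussed in this thread, added here as an example and not taken from any poster's script. The interface and subnet values are placeholders, and by default the script only prints the commands; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example: stateful ruleset that lets LAN hosts open ssh sessions to this box.
# Placeholder values (assumptions), adjust for your network:
LAN_INTERFACE="${LAN_INTERFACE:-eth0}"
LAN_ADDRESSES="${LAN_ADDRESSES:-192.168.1.0/24}"
# Default is a dry run that prints the commands; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

ssh_lan_rules() {
    # Default-deny on both chains, so any missing rule shows up as a dropped packet
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    # Loopback is needed by many local daemons
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Return traffic for connections already tracked by conntrack. Without these,
    # the client's SYN is accepted as NEW but the server's SYN/ACK (and every later
    # packet) is dropped, which is exactly a handshake that never completes.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the handshake (NEW) needs an explicit, narrowly scoped rule;
    # the source-port match from the thread is unnecessary once state is used.
    $IPT -A INPUT -i "$LAN_INTERFACE" -p tcp -s "$LAN_ADDRESSES" \
        --dport 22 -m state --state NEW -j ACCEPT
    # Rate-limited logging of what still gets dropped, so a failed
    # handshake is visible in the kernel log instead of silently timing out.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
}

# Sanity check helper: how many rules in the set mention a given conntrack state
count_state_rules() {
    ssh_lan_rules | grep -c -- "--state $1"
}

ssh_lan_rules
```

Note that with OUTPUT defaulting to DROP, outbound connections the box itself initiates (DNS, updates) need their own NEW rules in OUTPUT; this set covers only inbound ssh from the LAN.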
