LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-10-2004, 02:58 PM   #1
Loke
LQ Newbie
 
Registered: Oct 2002
Location: Norway
Distribution: Suse 8.0
Posts: 21

Rep: Reputation: 15
iptables rules for ssh


I have opened tcp port 22 in order to let in ssh connections from another machine on my LAN. However, I cannot start the ssh connection (from the other machine). If I stop iptables and log in and then start iptables again then the ssh session continues to work. What's up?
 
Old 09-10-2004, 09:56 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
could you post your iptables script (for analysis)??
 
Old 09-11-2004, 02:41 AM   #3
ping_wing
Member
 
Registered: Apr 2004
Posts: 65

Rep: Reputation: 15
There are SYN packets, which are used to 'start' a TCP session.
Probably you have SYN packets filtered, whereas 'regular' packets can pass through..
 
Old 09-12-2004, 07:31 AM   #4
Loke
LQ Newbie
 
Registered: Oct 2002
Location: Norway
Distribution: Suse 8.0
Posts: 21

Original Poster
Rep: Reputation: 15
>> could you post your iptables script (for analysis)??

The ssh rule looks like this

iptables -A INPUT -i $LAN_INTERFACE -p tcp \
-s $LAN_ADDRESSES \
--sport $UNPRIVPORTS \
--dport 22 \
-m state --state NEW -j ACCEPT
 
Old 09-12-2004, 05:24 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
Quote:
Originally posted by Loke
>> could you post your iptables script (for analysis)??

The ssh rule looks like this

iptables -A INPUT -i $LAN_INTERFACE -p tcp \
-s $LAN_ADDRESSES \
--sport $UNPRIVPORTS \
--dport 22 \
-m state --state NEW -j ACCEPT
try this:

Code:
iptables -A INPUT -p TCP -i $LAN_INTERFACE -s $LAN_ADDRESSES -m state \
--state NEW --dport 22 -j ACCEPT
also, make sure your output is also ready:

Code:
iptables -A OUTPUT -p TCP -o $LAN_INTERFACE -s $LAN_INTERFACE_IP -j ACCEPT
or at least the established and related daemon's connections... like:

Code:
iptables -A OUTPUT -p TCP -o $LAN_INTERFACE -s $LAN_INTERFACE_IP --sport 22 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
posting your entire script can make it easier to spot issues and make suggestions, though...

good luck...


Last edited by win32sux; 09-13-2004 at 08:45 PM.
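The complete picture that win32sux's answer points at, together with a way to see which chain is eating the packet that ping_wing describes, as an added example that is not from the thread. The INPUT rule from Loke's post only admits the SYN; if OUTPUT has no rule for ESTABLISHED traffic the SYN/ACK never leaves, which is exactly why a session started while iptables is stopped keeps working afterwards. The interface name, LAN range, local address, log prefixes and the sample kernel log lines below are all constructed for this example; `IPT` defaults to `echo iptables` so the script can be read and tested without root, and `IPT=iptables` applies the rules for real.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumed values (adjust to your LAN):
IPT="${IPT:-echo iptables}"                  # "echo iptables" = dry run, no root needed
LAN_INTERFACE="${LAN_INTERFACE:-eth0}"
LAN_ADDRESSES="${LAN_ADDRESSES:-192.168.1.0/24}"

# Minimal stateful rule set for an SSH server reachable from the LAN.
# INPUT admits only the connection opener (state NEW) to port 22; every
# later packet in either direction is covered by ESTABLISHED,RELATED.
# The OUTPUT state rule is the one people forget: without it the SYN is
# accepted but the SYN/ACK is dropped and the handshake never completes.
ssh_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_INTERFACE" -p tcp -s "$LAN_ADDRESSES" --dport 22 \
        -m state --state NEW -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log whatever is about to hit the DROP policy so a failed connection
    # tells you which chain dropped it (prefixes are assumed names).
    $IPT -A INPUT -j LOG --log-prefix "IPT-IN-DROP: "
    $IPT -A OUTPUT -j LOG --log-prefix "IPT-OUT-DROP: "
}

# Reduce kernel LOG lines (stdin) to "chain dropped tcp sport->dport [flags]".
# A SYN/ACK from port 22 dropped in OUTPUT is the signature of the
# symptom in the original post.
summarize_drops() {
    awk '
    /IPT-(IN|OUT)-DROP:/ {
        chain = ($0 ~ /IPT-IN-DROP/) ? "INPUT" : "OUTPUT"
        spt = dpt = "?"; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i == "SYN" || $i == "ACK" || $i == "FIN" || $i == "RST")
                flags = flags $i "/"
        }
        sub(/\/$/, "", flags)
        printf "%s dropped tcp %s->%s [%s]\n", chain, spt, dpt, flags
    }'
}

# Constructed sample log lines in the format the LOG target writes.
SAMPLE_LOG='Sep 12 10:00:01 host kernel: IPT-OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=45122 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Sep 12 10:00:05 host kernel: IPT-IN-DROP: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

ssh_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Run as-is to see the rule list and the two summarized drops; the first summary line (OUTPUT dropping a SYN/ACK from port 22) is what you would expect to see in `dmesg` on the box in the original post before the OUTPUT state rule is added. With real rules loaded, `iptables -L -v -n` shows the per-rule packet counters, so a counter that never moves on the ESTABLISHED rule in OUTPUT is the same diagnosis without the log.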