LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | tarballed | 12-13-2004, 02:02 PM
Setting up IPTables remotely


Ok...back with a little question and problem I am having.

I am trying to set up IPTables on a remote box. (Mind you, I'm still learning IPTables, so bear with me.)

Now, I want to set default DROPs for INCOMING, OUTGOING and FORWARD. However, when ssh'd in, I can't specify them or my connection will get dropped.

My question is, how can I go about doing that? I tried to set up an incoming rule that would allow port 22 access from my IP address, then set the default DROPs, but my connection was severed...

Is there some way I can go about doing this without locking myself out? If I lock myself out, I can't get to the box until late this evening.

Any suggestions?

I appreciate it.

Tarballed
 
#2 | Capt_Caveman | 12-13-2004, 02:08 PM
Could you post what you currently are using for firewall rules? Also does the remote system have a dynamic IP address?
 
#3 | tarballed (Original Poster) | 12-13-2004, 02:22 PM
Quote:
Originally posted by Capt_Caveman
Could you post what you currently are using for firewall rules? Also does the remote system have a dynamic IP address?
Currently don't have any rules for IPTables. Just blank. The box has a static IP address as well.

What I had done before for my first rules:

iptables -A INPUT -s 192.168.1.90 -m state --state NEW -m tcp -p tcp --syn --dport 22 -j ACCEPT

Then, I tried:

iptables -P INPUT DROP

Cut my connection.

Tarballed
 
#4 | Capt_Caveman | 12-13-2004, 02:38 PM
Makes sense. The rule you added:

iptables -A INPUT -s 192.168.1.90 -m state --state NEW -m tcp -p tcp --syn --dport 22 -j ACCEPT

only allows packets that have the SYN flag set and are in the NEW state (i.e. the very first packet); every packet after that in the ssh connection is in the ESTABLISHED state. So either remove the -m state --state NEW and --syn part, or just add a rule to allow all packets that are ESTABLISHED or RELATED (probably the better idea):

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
#5 | tarballed (Original Poster) | 12-13-2004, 03:57 PM
Quote:
Originally posted by Capt_Caveman
Makes sense. The rule you added:

iptables -A INPUT -s 192.168.1.90 -m state --state NEW -m tcp -p tcp --syn --dport 22 -j ACCEPT

only allows packets that have the SYN flag set and are in the NEW state (i.e. the very first packet); every packet after that in the ssh connection is in the ESTABLISHED state. So either remove the -m state --state NEW and --syn part, or just add a rule to allow all packets that are ESTABLISHED or RELATED (probably the better idea):

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Ok...so I could do this:

iptables -A INPUT -s 192.168.1.90 -m state --state ESTABLISHED,RELATED -j ACCEPT

then

iptables -P INPUT DROP

All should work?
 
#6 | zatriz | 12-13-2004, 04:42 PM
probably what you want is
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT

That way, when you disconnect and try to reconnect it will let you reconnect, or it will just drop all new incoming connections.

Last edited by zatriz; 12-13-2004 at 04:44 PM.
 
#7 | Capt_Caveman | 12-13-2004, 04:50 PM
Quote:
Originally posted by tarballed
Ok...so I could do this:
iptables -A INPUT -s 192.168.1.90 -m state --state ESTABLISHED,RELATED -j ACCEPT


You'd still need the first rule:
iptables -A INPUT -s 192.168.1.90 -m state --state NEW -m tcp -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP

The ESTABLISHED,RELATED rule will also allow replies to any traffic that you initiate, for example if you ping a remote system then you'll be able to receive the icmp replies or other traffic like DNS replies. Without that rule, then you would need to specify each type of traffic to allow. If you only want to allow ssh traffic (and absolutely no other traffic) then use the rule zatriz posted.

Last edited by Capt_Caveman; 12-13-2004 at 04:52 PM.
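One way to apply the rule set worked out in this thread (the NEW ssh rule from the admin host, the ESTABLISHED,RELATED rule, then the default DROP policy) without risking a lockout is to arm a rollback timer before flipping the policy. This is an added example, not code from the thread or from any of the posters; ADMIN_SRC, SSH_PORT, the rollback delay and the loopback rule are assumptions, and it must run as root on the remote box.

```shell
#!/bin/sh
# Added example, not code from the thread or its posters: apply the thread's
# INPUT rule set over ssh with an automatic rollback, so a mistake cannot lock
# the admin out. Assumptions: the ssh session comes from ADMIN_SRC (the thread's
# 192.168.1.90), sshd listens on SSH_PORT, and this runs as root on the remote box.
set -eu
ADMIN_SRC="${ADMIN_SRC:-192.168.1.90}"
SSH_PORT="${SSH_PORT:-22}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# Print the rules in the order they must be applied: ACCEPT rules first, the
# default-DROP policy last. The ESTABLISHED,RELATED rule is what keeps the live
# session alive once the policy flips; the loopback rule is an addition to the
# thread's set so local services can still talk to themselves.
build_rules() {
    src="$1"; port="$2"
    printf '%s\n' \
        "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A INPUT -s $src -p tcp --syn --dport $port -m state --state NEW -j ACCEPT" \
        "-P INPUT DROP"
}

# Snapshot the current rules, arm a timer that restores them, apply the new
# rules, then wait for the admin to confirm. If the session is cut, nobody
# confirms, the timer fires and the snapshot comes back.
apply_with_rollback() {
    snapshot=$(mktemp)
    iptables-save > "$snapshot"
    # trap '' HUP keeps the timer alive even if the ssh session hangs up
    ( trap '' HUP; sleep "$ROLLBACK_SECS"; iptables-restore < "$snapshot" ) &
    timer=$!
    build_rules "$ADMIN_SRC" "$SSH_PORT" | while read -r rule; do
        iptables $rule   # unquoted on purpose: $rule is split into arguments
    done
    printf 'Rules applied. Type ok within %s seconds to keep them: ' "$ROLLBACK_SECS"
    read -r answer || answer=""
    if [ "$answer" = "ok" ]; then
        kill "$timer"
        rm -f "$snapshot"
        echo "New rules kept."
    else
        echo "Not confirmed; the timer will restore the previous rules."
    fi
}

case "${1:-}" in
    apply) apply_with_rollback ;;
    show)  build_rules "$ADMIN_SRC" "$SSH_PORT" ;;
esac
```

Run it as `sh lockdown.sh show` to review the rules first, then `sh lockdown.sh apply`; if the ssh session survives the policy change, type ok to cancel the rollback.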
 
#8 | tarballed (Original Poster) | 12-13-2004, 05:23 PM
Right...ok...figured out my error after I did more testing.

I ended up doing this:

iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Thanks for the help.

Feel like I'm finally getting my head wrapped around it. Not too bad; once you get the basics, I can see it not being too difficult.

thanks,

Tarballed