Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Ok... back with a little question and problem I am having.
I am trying to set up iptables on a remote box. (Mind you, I'm still learning iptables, so bear with me.)
Now, I want to set default DROPs for INCOMING, OUTGOING and FORWARD. However, when SSH'd in, I can't specify them or my connection will get dropped.
My question is, how can I go about doing that? I tried to set up an incoming rule that would allow port 22 access from my IP address, then set the default DROPs, but my connection was severed...
Is there some way I can go about doing this without locking myself out? If I lock myself out, I can't get to the box until late this evening.
Originally posted by Capt_Caveman Could you post what you currently are using for firewall rules? Also does the remote system have a dynamic IP address?
I currently don't have any rules for iptables, just blank. The box has a static IP address as well.
What I had done before for my first rules:
iptables -A INPUT -s 192.168.1.90 -m state --state NEW -m tcp -p tcp --syn --dport 22 -j ACCEPT
Originally posted by Capt_Caveman Makes sense. The rule you added:
iptables -A INPUT -s 192.168.1.90 -m state --state NEW -m tcp -p tcp --syn --dport 22 -j ACCEPT
only allows packets that have the SYN flag set and are in the NEW state (i.e. the very first packet); every packet after that in the SSH connection is in the ESTABLISHED state. So either remove the -m state --state NEW and --syn part, or just add a rule to allow all packets that are ESTABLISHED or RELATED (probably the better idea):
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Ok...so I could do this:
iptables -A INPUT -s 192.168.1.90 -m state --state ESTABLISHED,RELATED -j ACCEPT
You'd still need the first rule, and the policy command takes a chain name:
iptables -A INPUT -s 192.168.1.90 -m state --state NEW -m tcp -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
The ESTABLISHED,RELATED rule will also allow replies to any traffic that you initiate; for example, if you ping a remote system then you'll be able to receive the ICMP replies, or other traffic like DNS replies. Without that rule, you would need to specify each type of traffic to allow. If you only want to allow SSH traffic (and absolutely no other traffic) then use the rule zatriz posted.
Last edited by Capt_Caveman; 12-13-2004 at 04:52 PM.
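The procedure the thread converges on (ESTABLISHED,RELATED accept, narrow NEW rule for SSH, then default DROP), written as an added example that is not code from the thread or from any poster. Two things the posts leave implicit are handled here: the rules are loaded with iptables-restore so the policies and the accept rules land in one atomic step rather than one command at a time, and the load runs behind a timer that restores the previous rules unless the admin confirms the session survived. Because the original question asked for OUTPUT DROP as well, the OUTPUT chain gets its own ESTABLISHED,RELATED accept; without it the SSH replies leaving the box would be dropped. 192.168.1.90 is the admin address from the thread; the SSH port, file paths, grace period and the RUN_MAIN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an iptables ruleset in
# iptables-restore format and applies it behind a dead-man timer.
# Assumptions: 192.168.1.90 is the admin host from the thread; the SSH port,
# file paths and grace period are parameters chosen here.

# Emit the ruleset. Policies live in the *filter header, so they take effect
# in the same load as the accept rules. The ESTABLISHED,RELATED accept comes
# first so the session applying the rules keeps working; the NEW/--syn rule
# only has to admit the first packet of a fresh SSH connection from the admin
# host. OUTPUT defaults to DROP too, so it needs its own ESTABLISHED,RELATED
# accept or the replies of the SSH session would never leave the box.
build_ruleset() {
    admin_ip="$1"
    ssh_port="${2:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${admin_ip} -p tcp --syn --dport ${ssh_port} -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Lint a ruleset passed as a string: succeed only if every chain that SSH
# traffic crosses (INPUT, OUTPUT) and that defaults to DROP also accepts
# ESTABLISHED,RELATED. This is the check that would have caught the lockout
# described in the thread before the rules were loaded.
ruleset_keeps_ssh() {
    rules="$1"
    for chain in INPUT OUTPUT; do
        if printf '%s\n' "$rules" | grep -q "^:${chain} DROP"; then
            printf '%s\n' "$rules" \
                | grep -q -- "^-A ${chain} .*--state ESTABLISHED,RELATED -j ACCEPT" \
                || return 1
        fi
    done
    return 0
}

# Load a ruleset file with a timed rollback. Needs root and iptables, so it
# is not exercised offline. Flow: save the current rules, start a detached
# timer that restores them after $grace seconds, load the new rules, then
# tell the admin to kill the timer once the session is confirmed alive.
apply_with_rollback() {
    ruleset_file="$1"
    backup="${2:-/root/iptables.before-change}"
    grace="${3:-90}"
    iptables-save > "$backup" || return 1
    nohup sh -c "sleep $grace && iptables-restore < '$backup'" >/dev/null 2>&1 &
    timer_pid=$!
    if iptables-restore < "$ruleset_file"; then
        echo "New rules loaded. If you can still type here, run: kill $timer_pid"
        echo "Otherwise the saved rules come back automatically in ${grace}s."
    else
        kill "$timer_pid"
        return 1
    fi
}

# Stand-alone use: build, lint, then apply. Only runs when RUN_MAIN=1 so the
# functions can be sourced and tested without touching the live firewall.
main() {
    rules="$(build_ruleset 192.168.1.90 22)"
    ruleset_keeps_ssh "$rules" \
        || { echo "refusing: ruleset would drop the SSH session" >&2; return 1; }
    printf '%s\n' "$rules" > /tmp/new-rules.v4
    apply_with_rollback /tmp/new-rules.v4
}

if [ "${RUN_MAIN:-0}" = "1" ]; then main; fi
```

With OUTPUT at DROP and only the ESTABLISHED,RELATED accept on that chain, the box itself cannot open new connections (DNS lookups, package updates); add explicit OUTPUT rules for whatever it legitimately needs to initiate. The timer uses nohup so the rollback still fires if the SSH session that started it is the one that dies.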