LinuxQuestions.org

-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   VPS server possibly locked after adding non-adequate iptables rules (https://www.linuxquestions.org/questions/linux-security-4/vps-server-possibly-locked-after-adding-non-adequate-iptables-rules-4175457932/)

warez74 04-12-2013 01:38 PM

VPS server possibly locked after adding non-adequate iptables rules
 
Hi, I just joined this community.

This is the first time I could not find my answer here without having to ask.

So... here is what I did:

I bought an Ubuntu 10.04 LTS 32-bit micro VPS, then installed the pptpd server, and that worked as expected.

Then I tried to mess with iptables because I needed to set up NAT (masquerade) for the pptp client connection.

I needed NAT because I wanted to connect to the VPS from another server using a pptp client connection, and route the other server's internet traffic through the connected pptp client interface to the VPS's eth0 interface.

That worked really well up to the point where I tried to do something I'm not so good at: iptables rules.

So I entered the following in the shell:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.11.11.1/32 -j MASQUERADE

then I saved the iptables rules:

iptables-save > /root/iptables.rules

then I changed /etc/rc.local:

iptables-restore < /root/iptables.rules
exit 0

the /root/iptables.rules contents:

# Generated by iptables-save v1.4.4 on Fri Apr 12 16:45:15 2013
*nat
:PREROUTING ACCEPT [3:156]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 12 16:45:15 2013
# Generated by iptables-save v1.4.4 on Fri Apr 12 16:45:15 2013
*filter
:INPUT ACCEPT [60:4551]
:FORWARD ACCEPT [101:6060]
:OUTPUT ACCEPT [423:24101]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -j ACCEPT
COMMIT
# Completed on Fri Apr 12 16:45:15 2013


After that I rebooted the VPS, and since then I have not been able to connect to it using SSH.

The VPS is also not pingable.

I would appreciate any help in debugging this issue.

Best Regards
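The setup described in this post (pptpd on the VPS, PPP clients NATed out of eth0), written out as one complete firewall script. This is an added example, not the poster's script or the thread's own commands. It assumes, beyond what the post says, that the WAN interface is eth0, that pptpd hands out client addresses from 10.11.11.0/24 (the post's 10.11.11.1 falls inside it), that sshd listens on 22, and that the rules are saved to /root/iptables.rules for rc.local to restore. The ordering is the point: every ACCEPT rule, SSH first, is installed before the policies are switched to DROP, and the masquerade rule is scoped to the VPN subnet rather than to everything that leaves eth0.

```sh
#!/bin/sh
# Added example (not the poster's script): firewall for a pptpd VPS that NATs
# its PPP clients out of eth0. Assumptions not stated in the post: WAN interface
# eth0, client addresses in 10.11.11.0/24, sshd on 22, rules saved to
# /root/iptables.rules. Run as root: `sh fw.sh apply`. DRY_RUN=1 prints the
# commands instead of executing them.

WAN_IF="${WAN_IF:-eth0}"
PPP_NET="${PPP_NET:-10.11.11.0/24}"
SSH_PORT="${SSH_PORT:-22}"
RULES_FILE="${RULES_FILE:-/root/iptables.rules}"

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # Flush while the policies are ACCEPT, so an existing SSH session is never
    # left facing an empty chain with a DROP policy.
    run iptables -P INPUT ACCEPT
    run iptables -P FORWARD ACCEPT
    run iptables -F
    run iptables -t nat -F
    run iptables -X

    # INPUT: loopback, replies to our own traffic, then explicit services.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # PPTP needs the TCP 1723 control channel and GRE (IP protocol 47) for the tunnel.
    run iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
    run iptables -A INPUT -p 47 -j ACCEPT
    # Let connected VPN clients reach services on the VPS itself.
    run iptables -A INPUT -i ppp+ -s "$PPP_NET" -j ACCEPT

    # FORWARD: only VPN clients may go out through the WAN; return traffic by state.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i ppp+ -o "$WAN_IF" -s "$PPP_NET" -j ACCEPT

    # NAT: masquerade only the VPN subnet, not everything leaving eth0 as the
    # post's unscoped "-o eth0 -j MASQUERADE" does.
    run iptables -t nat -A POSTROUTING -s "$PPP_NET" -o "$WAN_IF" -j MASQUERADE

    # Default-deny last, now that the ACCEPT rules above are in place.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Forwarding is off by default; without it the FORWARD chain never sees a packet.
    run sysctl -w net.ipv4.ip_forward=1

    # Persist in the format rc.local restores with "iptables-restore < file".
    run sh -c "iptables-save > '$RULES_FILE'"
}

case "${1:-}" in
    apply) apply_rules ;;
    "") ;;                               # no argument: only define the functions
    *) echo "usage: $0 apply" >&2; exit 2 ;;
esac
```

Run it once with DRY_RUN=1 and read the command list before applying it on a box you can only reach over SSH; the rule that accepts port 22 must appear before the line that sets the INPUT policy to DROP.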

allend 04-12-2013 08:58 PM

Quote:

iptables -A INPUT -p tcp --dport ssh -j ACCEPT
That should have been
Code:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
When making changes on a remote machine, it helps to set up a cron job that writes a working configuration back after a period of time. That way, if the new configuration fails, as here, you can re-establish a connection and try again.
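The rollback safety net allend describes, as an added example that is not part of the thread: a snapshot of the rules that currently work is taken, a detached timer is started, and the risky change is made; if the admin is still logged in afterwards the timer is cancelled, otherwise it restores the snapshot. A detached sleeper is used here instead of a cron entry so it needs nothing beyond sh, iptables-save and iptables-restore; the paths, pidfile and the 300-second grace period are assumptions, not values from the post.

```sh
#!/bin/sh
# Added example, not from the thread: "dead man's switch" for remote iptables
# changes. Assumed paths and grace period; adjust to taste.
#
#   sh rollback.sh arm                 # snapshot the working rules, start the timer
#   iptables ... (or iptables-restore < new.rules)   # make the risky change
#   sh rollback.sh disarm              # still logged in? keep the new rules
# If the SSH session hangs, the snapshot is restored when the timer expires.

BACKUP="${BACKUP:-/root/iptables.good}"
PIDFILE="${PIDFILE:-/var/run/iptables-rollback.pid}"
GRACE="${GRACE:-300}"

# The exact command line the watchdog runs; kept in a function so it can be
# inspected (and tested) without touching the firewall.
rollback_job() {
    printf 'sleep %s && iptables-restore < %s && rm -f %s' "$2" "$1" "$PIDFILE"
}

arm() {
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "rollback already armed (pid $(cat "$PIDFILE"))" >&2
        return 1
    fi
    iptables-save > "$BACKUP" || return 1
    # nohup: the watchdog must outlive the SSH session that is about to be
    # put at risk. Its PID is recorded so disarm can cancel it.
    nohup sh -c "$(rollback_job "$BACKUP" "$GRACE")" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    echo "armed: $BACKUP will be restored in ${GRACE}s unless you run disarm"
}

disarm() {
    if [ ! -f "$PIDFILE" ]; then
        echo "no rollback armed" >&2
        return 1
    fi
    # Killing the sh wrapper is enough: the sleep it spawned may linger until
    # it expires, but nothing runs iptables-restore afterwards.
    kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
    echo "disarmed: current rules stay in force"
}

case "${1:-}" in
    arm) arm ;;
    disarm) disarm ;;
    "") ;;                               # no argument: only define the functions
    *) echo "usage: $0 arm|disarm" >&2; exit 2 ;;
esac
```

This covers the interactive case (the rules are changed in a live shell). It does not cover the case in the thread, where the lockout appeared only after a reboot: a background process does not survive one, so for testing an rc.local restore a persistent cron entry of the kind allend suggests is the right tool. A cheap check before rebooting is to arm the timer and run `iptables-restore < /root/iptables.rules` by hand, which exercises the saved file exactly as rc.local will.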

warez74 04-13-2013 07:28 AM

@allend, thanks for help. I appreciate that.

The strange thing is that everything is working again; check out the iptables-save output now:

# Generated by iptables-save v1.4.4 on Fri Apr 12 22:59:51 2013
*filter
:INPUT ACCEPT [36:1416]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [621:92104]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -j ACCEPT
COMMIT
# Completed on Fri Apr 12 22:59:51 2013
# Generated by iptables-save v1.4.4 on Fri Apr 12 22:59:51 2013
*nat
:PREROUTING ACCEPT [18:860]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3:215]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 12 22:59:51 2013

I do not see any differences except the order of the *filter and *nat blocks. In the previous post, the *nat block was first in the file. Does that play any role in my case?

Also, you said that I should explicitly write a port number, but iptables-save showed that iptables recognized '--dport ssh', as you can see in the iptables-save output above:

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Am I right about the --dport ssh issue?

I forgot to mention that I did not change or add anything before the whole thing started to work again.

Regards

allend 04-14-2013 03:13 AM

You are right about the --dport ssh being acceptable, provided that ssh is listed in /etc/services.
From http://www.iptables.info/en/iptables...tml#TCPMATCHES
Quote:

This match can take either a service name or a port number. If you specify a service name, the service name must be in the /etc/services file, since iptables uses this file to look it up. If you specify the port by its number, the rule will load slightly faster, since iptables doesn't have to look up the service name.

warez74 04-14-2013 11:13 AM

Well, I forgot to say thanks for the tip about the cron approach.

@allend , thanks again.

Now I/whoever can mark this thread as SOLVED.

Best Regards
