VPS server possibly locked after adding non-adequate iptables rules
Hi, I just joined this community.
This is the first time I cannot find my answer here without having to ask. So... here is what I did: I bought the Ubuntu 10.04 LTS 32 bit VPS micro hosting, then I installed the pptpd server, and that worked as expected. Then I tried to mess with the iptables because I needed to set up NAT (masquerade) for the pptp-client connection (I needed the NAT feature because I wanted to connect to the VPS server from another server using a pptp client connection and route the internet traffic from the other server through the connected pptp client interface to the VPS server's eth0 interface). That worked really well up to the point where I tried to do something that I'm not so good at - iptables rules. So I entered the following in the shell:
Code:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.11.11.1/32 -j MASQUERADE
Then I saved the iptables rules:
Code:
iptables-save > /root/iptables.rules
Then I changed /etc/rc.local:
Code:
iptables-restore < /root/iptables.rules
exit 0
The /root/iptables.rules contents:
Code:
# Generated by iptables-save v1.4.4 on Fri Apr 12 16:45:15 2013
*nat
:PREROUTING ACCEPT [3:156]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 12 16:45:15 2013
# Generated by iptables-save v1.4.4 on Fri Apr 12 16:45:15 2013
*filter
:INPUT ACCEPT [60:4551]
:FORWARD ACCEPT [101:6060]
:OUTPUT ACCEPT [423:24101]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -j ACCEPT
COMMIT
# Completed on Fri Apr 12 16:45:15 2013
After that I rebooted the VPS server, and since then I have not been able to connect to the VPS server using SSH. The VPS is also not pingable. I would appreciate any help in debugging this issue. Best Regards
Quote:
Code:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
@allend, thanks for help. I appreciate that.
Strange thing: everything is working again. Check out the iptables-save output now:
Code:
# Generated by iptables-save v1.4.4 on Fri Apr 12 22:59:51 2013
*filter
:INPUT ACCEPT [36:1416]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [621:92104]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -j ACCEPT
COMMIT
# Completed on Fri Apr 12 22:59:51 2013
# Generated by iptables-save v1.4.4 on Fri Apr 12 22:59:51 2013
*nat
:PREROUTING ACCEPT [18:860]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3:215]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 12 22:59:51 2013
I do not see any differences except the order of the *filter and *nat blocks. In the previous post the *nat block was first in the file. Does that play any role in my case? Also, you said that I should explicitly write a port number, but iptables-save shows that iptables recognized '--dport ssh', as you can see in the given iptables-save output:
Code:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Am I right about the --dport ssh issue? I forgot to mention that I did not change or add anything before the whole thing started to work again. Regards
You are right about the --dport ssh being acceptable, provided that ssh is listed in /etc/services.
From http://www.iptables.info/en/iptables...tml#TCPMATCHES Quote:
Well, I forgot to say thanks for the tip with the CRON approach.
@allend, thanks again. Now I/whoever can mark this thread as SOLVED. Best Regards
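The cron safety net mentioned above, written out as an added example (not code from the thread or from allend): it pre-flights an iptables-save file for the classic lockout case (INPUT policy DROP or REJECT with no explicit ACCEPT for the SSH port), snapshots the working rules, and installs a self-deleting cron entry that restores them unless the admin confirms from a fresh SSH session. The file paths, the 3-minute window and port 22 are assumptions of this example.

```shell
#!/bin/sh
# Safety net for changing iptables rules over SSH: pre-flight the ruleset, then apply it
# with a cron-driven rollback that fires unless the admin confirms the new rules work.
# The paths, the 3-minute window and port 22 below are assumptions for this example.
RULES_BACKUP=/root/iptables.rollback.rules
CRON_FILE=/etc/cron.d/iptables-rollback
SSH_PORT=22

# Pre-flight check on an iptables-save file. Returns 0 when it looks safe to apply and
# 1 when it is malformed or would block new SSH sessions (INPUT policy DROP/REJECT
# with no explicit ACCEPT for the SSH port). An ACCEPT policy, as in the thread, passes.
preflight() {
    rules="$1"
    grep -q '^\*filter' "$rules" || { echo "preflight: no *filter table" >&2; return 1; }
    grep -q '^COMMIT' "$rules" || { echo "preflight: missing COMMIT" >&2; return 1; }
    policy=$(sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p' "$rules" | head -n 1)
    case "$policy" in
        DROP|REJECT)
            grep -Eq -- "^-A INPUT .*--dport ${SSH_PORT} .*-j ACCEPT" "$rules" ||
                { echo "preflight: INPUT policy $policy with no SSH ACCEPT rule" >&2; return 1; } ;;
    esac
    return 0
}

# Cron entry that restores the saved rules and then deletes itself. Cron works in whole
# minutes, so */3 means the rollback fires at most three minutes after apply.
rollback_entry() {
    printf '*/3 * * * * root iptables-restore < %s && rm -f %s\n' "$1" "$2"
}

apply_rules() {
    preflight "$1" || { echo "refusing to apply $1" >&2; return 1; }
    iptables-save > "$RULES_BACKUP"            # snapshot of the rules that work right now
    rollback_entry "$RULES_BACKUP" "$CRON_FILE" > "$CRON_FILE"
    chmod 644 "$CRON_FILE"
    iptables-restore < "$1"
    echo "applied; open a NEW ssh session and run '$0 confirm' within 3 minutes"
}

confirm_rules() {
    rm -f "$CRON_FILE" && echo "rollback cancelled, new rules kept"
}

case "${1:-}" in
    apply)   apply_rules "$2" ;;
    confirm) confirm_rules ;;
esac
```

Run it as root with `sh safe-apply.sh apply /root/iptables.rules`, then confirm from a second SSH session; if that session cannot connect, cron restores the snapshot on its own.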