On Thu, 2003-01-16 at 12:13, Steffen Bisgaard wrote:
> Hallo everybody,
>
> This is the first time I use this feature so if I am doing anything wrong
> please bear with me...
>
> I have the following iptables running on a RH7.3 machine. Can anybody tell
> me why I am unable to ssh to the machine when iptables is running?
>
> For the SSH part I have also tried:
>
>
> iptables -I INPUT -i $EXTERNAL_INTERFACE -p tcp --dport 22 --sport
> 1024:65535 -j ACCEPT
>
You also need to allow the server to respond:
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --sport 22 --dport
1024:65535 -j ACCEPT
Have you checked your firewall log file for other clues?
> but still no go...
>
>
> # --------------------------------------------------------------------------
> --
> #
> # Invoked from /etc/rc.d/init.d/iptables.
> # chkconfig: - 60 95
> # description: Starts and stops the IPTABLES packet filter \
> # used to provide firewall network services.
> # Source function library.
> . /etc/rc.d/init.d/functions
> # Source networking configuration.
> . /etc/sysconfig/network
> # Check that networking is up.
> if [ ${NETWORKING} = "no" ]
> then
> exit 0
> fi
> if [ ! -x /sbin/iptables ]; then
> exit 0
> fi
> # See how we were called.
> case "$1" in
> start)
> echo -n "Starting Firewalling: "
> # --------------------------------------------------------------------------
> --
> # Some definitions for easy maintenance.
> # EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
> #IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d \ -f 1`
> IPADDR="10.2.0.28"
> EXTERNAL_INTERFACE="eth0" # Internet connected interface
> LOOPBACK_INTERFACE="lo" # Your local naming convention
> PRIMARY_NAMESERVER="212.120.66.194" # Your Primary Name Server
> SECONDARY_NAMESERVER="212.120.66.195" # Your Secondary Name Server
> #SYSLOG_CLIENT="***.**.**.*" # Your Syslog Clients IP ranges
> LOOPBACK="127.0.0.0/8" # Reserved loopback addr range
> CLASS_A="10.0.0.0/8" # Class A private networks
> CLASS_B="172.16.0.0/12" # Class B private networks
> CLASS_C="192.168.0.0/16" # Class C private networks
> CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addr
> CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addr
> BROADCAST_SRC="0.0.0.0" # Broadcast source addr
> BROADCAST_DEST="255.255.255.255" # Broadcast destination addr
> PRIVPORTS="0:1023" # Privileged port range
> UNPRIVPORTS="1024:" # Unprivileged port range
> # --------------------------------------------------------------------------
> --
> # The SSH client starts at 1023 and works down to 513 for each
> # additional simultaneous connection originating from a privileged port.
> # Clients can optionally be configured to use only unprivileged ports.
> SSH_LOCAL_PORTS="1022:65535" # Port range for local clients
> SSH_REMOTE_PORTS="513:65535" # Port range for remote clients
> # traceroute usually uses -S 32769:65535 -D 33434:33523
> TRACEROUTE_SRC_PORTS="32769:65535"
> TRACEROUTE_DEST_PORTS="33434:33523"
> # --------------------------------------------------------------------------
> --
> # Default policy is DENY
> # Explicitly accept desired INCOMING & OUTGOING connections
> # Remove all existing rules belonging to this filter
> iptables -F
> # Remove any existing user-defined chains.
> iptables -X
> # Set the default policy of the filter to deny.
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> # --------------------------------------------------------------------------
> --
> # LOOPBACK
> # --------
> # Unlimited traffic on the loopback interface.
> iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
> iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
> #
> #
> #
> # --------------------------------------------------------------------------
> --
> # SPOOFING & BAD ADDRESSES
> # Refuse spoofed packets.
> # Ignore blatantly illegal source addresses.
> # Protect yourself from sending to bad addresses.
> # Refuse incoming packets pretending to be from the external address.
> iptables -A INPUT -s $IPADDR -j DROP
> # Refuse incoming packets claiming to be from a Class A, B or C private
> ##network
> iptables -A INPUT -s $CLASS_A -j DROP
> iptables -A INPUT -s $CLASS_B -j DROP
> iptables -A INPUT -s $CLASS_C -j DROP
> # Refuse broadcast address SOURCE packets
> iptables -A INPUT -s $BROADCAST_DEST -j DROP
> iptables -A INPUT -d $BROADCAST_SRC -j DROP
> # Refuse Class D multicast addresses
> # Multicast is illegal as a source address.
> # Multicast uses UDP.
> iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
> # Refuse Class E reserved IP addresses
> iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
> # Refuse special addresses defined as reserved by the IANA.
> # Note: The remaining reserved addresses are not included
> # filtering them causes problems as reserved blocks are
> # being allocated more often now. The following are based on
> # reservations as listed by IANA as of 2001/01/04. Please regularly
> # check at http://www.iana.org/ for the latest status.
> # Note: this list includes the loopback, multicast, & reserved addresses.
> # 0.*.*.* - Can't be blocked for DHCP users.
> # 127.*.*.* - LoopBack
> # 169.254.*.* - Link Local Networks
> # 192.0.2.* - TEST-NET
> # 224-255.*.*.* - Classes D & E, plus unallocated.
> iptables -A INPUT -s 0.0.0.0/8 -j DROP
> iptables -A INPUT -s 127.0.0.0/8 -j DROP
> iptables -A INPUT -s 169.254.0.0/16 -j DROP
> iptables -A INPUT -s 192.0.2.0/24 -j DROP
> iptables -A INPUT -s 224.0.0.0/3 -j DROP
> #
> #
> #
> # --------------------------------------------------------------------------
> --
> # UDP TRACEROUTE
> # --------------
> # traceroute usually uses -S 32769:65535 -D 33434:33523
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
> --source-port $TRACEROUTE_SRC_PORTS \
> -d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
> --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
> #
> #
> #
> # --------------------------------------------------------------------------
> --
> # DNS forward-only nameserver
> # ---------------------------
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
> -s $PRIMARY_NAMESERVER --source-port 53 \
> -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR --source-port $UNPRIVPORTS \
> -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
> -s $PRIMARY_NAMESERVER --source-port 53 \
> -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR --source-port $UNPRIVPORTS \
> -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
> -s $SECONDARY_NAMESERVER --source-port 53 \
> -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR --source-port $UNPRIVPORTS \
> -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
> -s $SECONDARY_NAMESERVER --source-port 53 \
> -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR --source-port $UNPRIVPORTS \
> -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
> #
> #
> #
> # ------------------------------------------------------------------
> # POP server (110)
> # ----------------
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $UNPRIVPORTS \
> -d $IPADDR --destination-port 110 -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
> -s $IPADDR --source-port 110 \
> --destination-port $UNPRIVPORTS -j ACCEPT
> # POP client (110)
> # ----------------
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
> --source-port 110 \
> -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR --source-port $UNPRIVPORTS \
> --destination-port 110 -j ACCEPT
> #
> #
> #
> # ------------------------------------------------------------------
> # SMTP server (25)
> # ----------------
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $UNPRIVPORTS \
> -d $IPADDR --destination-port 25 -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
> -s $IPADDR --source-port 25 \
> --destination-port $UNPRIVPORTS -j ACCEPT
> #
> #
> #
> # ------------------------------------------------------------------
> # SMTP client (25)
> # ----------------
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
> --source-port 25 \
> -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR --source-port $UNPRIVPORTS \
> --destination-port 25 -j ACCEPT
> #
> #
> #
> # ------------------------------------------------------------------
> # SSH server (22)
> # ---------------
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $SSH_REMOTE_PORTS \
> -d $IPADDR --destination-port 22 -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
> -s $IPADDR --source-port 22 \
> --destination-port $SSH_REMOTE_PORTS -j ACCEPT
> #
> #
> #
> # --------------------------------------------------------------------------
> --
> # ICMP
> # ----
> # To prevent denial of service attacks based on ICMP bombs, filter
> # incoming Redirect (5) and outgoing Destination Unreachable (3).
> # Note, however, disabling Destination Unreachable (3) is not
> # advisable, as it is used to negotiate packet fragment size.
> # For bi-directional ping.
> # Message Types: Echo_Reply (0), Echo_Request (8)
> # To prevent attacks, limit the src addresses to your ISP range.
> #
> # For outgoing traceroute.
> # Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
> # default UDP base: 33434 to base+nhops-1
> #
> # For incoming traceroute.
> # Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
> # To block this, deny OUTGOING 3 and 11
> # 0: echo-reply (pong)
> # 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
> # 4: source-quench
> # 5: redirect
> # 8: echo-request (ping)
> # 11: time-exceeded
> # 12: parameter-problem
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type echo-reply \
> -d $IPADDR -j ACCEPT
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type destination-unreachable \
> -d $IPADDR -j ACCEPT
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type source-quench \
> -d $IPADDR -j ACCEPT
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type time-exceeded \
> -d $IPADDR -j ACCEPT
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type parameter-problem \
> -d $IPADDR -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
> -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
> -s $IPADDR --icmp-type source-quench -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
> -s $IPADDR --icmp-type echo-request -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
> -s $IPADDR --icmp-type parameter-problem -j ACCEPT
> #
> #
> #
> # --------------------------------------------------------------------------
> --
> # Enable logging for selected denied packets
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
> --destination-port $PRIVPORTS -j DROP
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
> --destination-port $UNPRIVPORTS -j DROP
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type 5 -j DROP
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type 13/255 -j DROP
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT
> # --------------------------------------------------------------------------
> --
> ;;
> stop)
> echo -n "Shutting Firewalling: "
> # Remove all existing rules belonging to this filter
> iptables -F
> # Delete all user-defined chain to this filter
> iptables -X
> # Reset the default policy of the filter to accept.
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> ;;
> status)
> status iptables
> ;;
> restart|reload)
> $0 stop
> $0 start
> ;;
> *)
> echo "Usage: iptables {start|stop|status|restart|reload}"
> exit 1
> esac
> echo "done"
> exit 0
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
( Raymond Leach )
) Knowledge Factory (
( )
) Tel: +27 11 445 8100 (
( Fax: +27 11 445 8101 )
) (
( http://www.knowledgefactory.co.za/ )
) http://www.saptg.co.za/ (
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o o
o o
.--. .--.
| o_o| |o_o |
| \_:| |:_/ |
/ / \\ // \ \
( | |) (| | )
/`\_ _/'\ /'\_ _/`\
\___)=(___/ \___)=(___/
Attachment:
signature.asc
Description: This is a digitally signed message part
