Re: SSH fails on 22 - Restrictive rules

Basically I've got a log rule before the drop in my script, but I didn't want to create a large post.

Very good point though to check the logs. I should have done it before posting here. That's what the log target is for.


Regards

On Sun, November 13, 2005 23:44, P theodorou wrote:
> Hello
>
> I'm testing my SSH server from an external IP (my mate's PC)
> and I've noticed that whenever I allow connections on eth0 with dport
> 22 I can see the username login page BUT, if I apply the following
> rules, the usual user name cannot be displayed
>
> $IPTABLES -A TCPbad -p tcp --tcp-flags SYN,ACK SYN,ACK -m state
> --state NEW -j REJECT --reject-with tcp-reset
> $IPTABLES -A TCPbad -p tcp ! --syn -m state --state NEW -j DROP
> $IPTABLES -A TCPbad -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> $IPTABLES -A TCPbad -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> $IPTABLES -A TCPbad -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> $IPTABLES -A TCPbad -p tcp --tcp-flags ALL FIN -j DROP
> $IPTABLES -A TCPbad -p tcp --tcp-flags ALL NONE -j DROP
> $IPTABLES -A TCPbad -p tcp --tcp-flags ALL ALL -j DROP
>
> any help very appreciated

I don't know what rule would cause that, but you could of course add a
logging rule before each DROP so you know which rule is the problem.
Or, start without these rules and add them one at a time so you can
test when ssh doesn't work anymore.


Gr,
Rob
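Added example, not part of the thread and not the original poster's or Rob's script: a POSIX shell script that rebuilds the TCPbad chain from the rules quoted above with a LOG rule in front of every REJECT/DROP, each LOG carrying its own --log-prefix so the kernel log names the rule that matched. The chain name TCPbad and the match expressions come from the post; the prefixes (synack, notsyn, ...), the helper names, and the 5/min rate limit on the LOG rules are my own choices. IPTABLES defaults to "echo", so running the script as-is only prints the commands; set IPTABLES=/sbin/iptables (with an existing, flushed TCPbad chain) to apply them.

```shell
#!/bin/sh
# Added example (not from the list post). Rebuild the TCPbad chain so that
# every terminating rule is preceded by a LOG rule with a distinct prefix.
# With IPTABLES=echo (the default here) the commands are printed, not run.
IPTABLES="${IPTABLES:-echo}"

# log_then PREFIX "MATCH" "TARGET": emit a LOG rule and then the terminating
# rule with the same match, so both fire on exactly the same packets.
# The LOG rule is rate-limited so a flood cannot fill the log.
# Word splitting of $match and $target is intentional.
log_then() {
    prefix="$1"; match="$2"; target="$3"
    $IPTABLES -A TCPbad $match -m limit --limit 5/min \
        -j LOG --log-prefix "TCPbad:$prefix: "
    $IPTABLES -A TCPbad $match -j $target
}

# The eight rules from the post, each now paired with a LOG rule.
build_tcpbad() {
    log_then synack "-p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW" \
        "REJECT --reject-with tcp-reset"
    log_then notsyn "-p tcp ! --syn -m state --state NEW" DROP
    log_then synfin "-p tcp --tcp-flags SYN,FIN SYN,FIN" DROP
    log_then synrst "-p tcp --tcp-flags SYN,RST SYN,RST" DROP
    log_then xmas   "-p tcp --tcp-flags ALL FIN,URG,PSH" DROP
    log_then fin    "-p tcp --tcp-flags ALL FIN" DROP
    log_then null   "-p tcp --tcp-flags ALL NONE" DROP
    log_then all    "-p tcp --tcp-flags ALL ALL" DROP
}

# Flush the chain first, then populate it; the chain itself must already
# exist (iptables -N TCPbad) when IPTABLES points at the real binary.
install_tcpbad() {
    $IPTABLES -F TCPbad
    build_tcpbad
}

# Dry run by default: show what would be installed.
install_tcpbad
```

After installing the rules, reproduce the broken SSH connection and look at the kernel log (dmesg or /var/log/messages); the line whose prefix appears, e.g. "TCPbad:notsyn:", identifies the rule that matched. iptables -L TCPbad -v -n shows per-rule packet counters as a second check. Note that --log-prefix is limited to 29 characters, so keep the prefixes short.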