RE: not able to ssh from the firewall

On Wed, 2006-09-06 at 07:31 +0200, Rob Sterenborg wrote:
> > Hello,
> > 
> > Basically I am allowing internet on the
> > firewall as well as NATing to 2 clients.
> > 
> > I am not able to ssh from the firewall
> > to a client. Though the reverse is
> > working.
> > 
> > I would also like to put :
> > 
> > -A OUTPUT -j DROP
> > 
> > But if I do that, clients are not able to connect
> > to the net. I need to add a rule which I could
> > not figure out.
> 
> You should allow SSH out when you want to be able to use it.
> SSH listens on port 22, so this should do it:
> 
> -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A OUTPUT -p tcp --dport 22 -j ACCEPT
> -A OUTPUT -j DROP

No, that did not work.
> 
> > Please comment and correct.
> > 
> > My rules as follows.
> > 
> > 
> > # Generated by iptables-save v1.3.3 on Sat Jul 22 13:14:10 2006
> > *nat
> > :OUTPUT ACCEPT [0:0]
> > :PREROUTING ACCEPT [0:0]
> > :POSTROUTING ACCEPT [0:0]
> > -A POSTROUTING -o eth0 -s 192.168.15.0/24 -j MASQUERADE
> > COMMIT
> > # Completed on Sat Jul 22 13:14:10 2006
> > # Generated by iptables-save v1.3.3 on Sat Jul 22 13:14:10 2006
> > *mangle
> > :PREROUTING ACCEPT [80:13056]
> > :INPUT ACCEPT [80:13056]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [80:13056]
> > :POSTROUTING ACCEPT [80:13056]
> > COMMIT
> > # Completed on Sat Jul 22 13:14:10 2006
> > # Generated by iptables-save v1.3.3 on Sat Jul 22 13:14:10 2006
> > *filter
> > :INPUT ACCEPT [80:13056]
> > -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> It looks like eth0 is connected to the internet and eth1 to your LAN.
> Check if outgoing ssh works using:
> 
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -p icmp -j ACCEPT
> > -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
> > -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
> > -A INPUT -p udp -i eth0 --dport 53 -j ACCEPT
> > -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
> > -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
> 
> So, you are accepting ftp for the firewall on eth1. See below (FORWARD).
> 
> > -A INPUT -j DROP
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [80:13056]
> > -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> I would make that:
> 
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> > -A FORWARD -i eth1 -o eth0 -s 192.168.15.5 -j ACCEPT
> > -A FORWARD -i eth1 -o eth0 -s 192.168.15.9 -j ACCEPT
> > -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
> 
> And you allow ftp forwarding on eth1 to eth0.
> Either one (see above) is going to work, not both. Since you are
> masquerading everything from 192.168.15.0/24 via eth0, I'd say this rule
> has hits and the rule in the INPUT chain doesn't.
> (Check with "iptables -nvL INPUT" and "iptables -nvL FORWARD".)
> 
> > -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j ACCEPT
> > -A FORWARD -i eth1 -o eth0 -p tcp --dport 110 -j ACCEPT
> > -A FORWARD -i eth1 -o eth0 -p tcp --dport 119 -j ACCEPT
> > -A FORWARD -p udp --dport 53 -j ACCEPT
> > -A FORWARD -j DROP
> > -A OUTPUT -j ACCEPT
> > -A OUTPUT -o lo -j ACCEPT
> 
> This seems useless to me. There are no DROP rules in the OUTPUT chain
> and policy is set to ACCEPT. These packets would be accepted anyway.
> 
> > COMMIT
> > # Completed on Sat Jul 22 13:14:10 2006
> > 
> >                        ---------- end rules --------------
> 
> Instead of having a last rule with a DROP target, you can also just set
> the chain policy to DROP.
> 
> 
> Gr,
> Rob
> 
> 
> 
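As an added example, not part of the thread, the Python below models first-match evaluation of the INPUT and OUTPUT chains quoted above. It shows why the firewall's own SSH session to a LAN client fails with the posted INPUT chain even after Rob's OUTPUT change (the reply SYN-ACK arrives on eth1, where no ESTABLISHED,RELATED rule applies), and succeeds once that rule is no longer tied to eth0. The packets and the ephemeral port 45000 are constructed.

```python
# Added example, not from the thread: a toy model of iptables first-match
# evaluation over the INPUT and OUTPUT chains quoted above. A rule is (match,
# target); "iface" is -i in INPUT / -o in OUTPUT; conntrack state is given.

def matches(match, pkt):
    """True when every field of the rule's match agrees with the packet."""
    for key, want in match.items():
        if key == "state":
            if pkt["state"] not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    for match, target in chain:
        if matches(match, pkt):
            return target
    return policy
# INPUT chain as posted: the state rule only covers packets arriving on eth0.
ORIGINAL_INPUT = [
    ({"iface": "eth0", "state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ({"iface": "lo"}, "ACCEPT"),
    ({"proto": "icmp"}, "ACCEPT"),
    ({"proto": "tcp", "iface": "eth0", "dport": 80}, "ACCEPT"),
    ({"proto": "tcp", "iface": "eth0", "dport": 53}, "ACCEPT"),
    ({"proto": "udp", "iface": "eth0", "dport": 53}, "ACCEPT"),
    ({"iface": "eth1", "proto": "tcp", "dport": 22}, "ACCEPT"),
    ({"iface": "eth1", "proto": "tcp", "dport": 21}, "ACCEPT"),
    ({}, "DROP"),
]
# Rob's INPUT suggestion: accept ESTABLISHED,RELATED on every interface.
FIXED_INPUT = [({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT")] + ORIGINAL_INPUT[1:]
# OUTPUT as posted (accept all) and as Rob first suggested (default DROP).
ORIGINAL_OUTPUT = [({}, "ACCEPT"), ({"iface": "lo"}, "ACCEPT")]
ROB_OUTPUT = [({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
              ({"proto": "tcp", "dport": 22}, "ACCEPT"), ({}, "DROP")]

# Constructed packets: the firewall's own SSH SYN leaving on eth1, and the
# client's SYN-ACK coming back in on eth1. Its dport is the firewall's
# ephemeral port (45000 assumed), so "-i eth1 -p tcp --dport 22" never matches.
SSH_SYN_OUT = {"iface": "eth1", "proto": "tcp", "dport": 22, "state": "NEW"}
SSH_REPLY_IN = {"iface": "eth1", "proto": "tcp", "sport": 22, "dport": 45000,
                "state": "ESTABLISHED"}

def ssh_from_firewall_works(input_chain, output_chain):
    """Both legs of the handshake must be accepted for the session to come up."""
    return (verdict(output_chain, SSH_SYN_OUT) == "ACCEPT"
            and verdict(input_chain, SSH_REPLY_IN) == "ACCEPT")
```

With the posted chains the reply is dropped by the final INPUT rule, which is also why Rob's OUTPUT-only change did not help; SSH from a client to the firewall still works because that SYN does carry dport 22 on eth1.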