On Thu, 2006-09-07 at 22:57 +0200, Rob Sterenborg wrote:
> >>> I am not able to ssh from the firewall
> >>> to a client. Though the reverse is
> >>> working.
> >>>
> >>> I would also like to put :
> >>>
> >>> -A OUTPUT -j DROP
> >>>
> >>> But if I do that clients are not able to connect
> >>> to the net. I need to add a rule which I could
> >>> not figure out.
> >>
> >> You should allow SSH out when you want to be able to use it.
> >> SSH listens on port 22, so this should do it:
> >>
> >> -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >> -A OUTPUT -p tcp --dport 22 -j ACCEPT
> >> -A OUTPUT -j DROP
> >
> > No, that did not work.
>
> Of course not. AFAIK your current OUTPUT policy is still ACCEPT (see
> below) so that should not be the problem. (Don't mess with the OUTPUT
> chain until your INPUT chain is working as you want it to.)
>
> >>> :INPUT ACCEPT [80:13056]
> >>> -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>
> >> It looks like eth0 is connected to the internet and eth1 to your LAN.
> >> Check if outgoing ssh works using:
> >>
> >> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Did you try this?
> If it doesn't work, put a LOG rule just before the DROP rule to see what
> gets dropped when you're trying to set up an ssh session.
>
> >>> :OUTPUT ACCEPT [80:13056]
> >>> -A OUTPUT -j ACCEPT
> >>> -A OUTPUT -o lo -j ACCEPT

OK, I had set :

-A OUTPUT -j DROP

So nothing worked. If OUTPUT is set to :

-A OUTPUT -j ACCEPT

Then everything works. I can ssh, ping to clients.

So how do I get it working with OUTPUT as DROP ?

> Here is where I see you're not dropping anything in the OUTPUT chain.
> The first rule accepts everything so the second will never match and is
> useless. Further, your chain policy is ACCEPT, so if you're not going to
> drop anything: why have rules in that chain to accept packets that would
> be accepted anyway? Just get rid of the OUTPUT rules for now and leave
> its policy ACCEPT.
>
> Gr,
> Rob
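An added example, not part of this thread or of netfilter itself: a small POSIX sh script that writes out the kind of restrictive OUTPUT chain being asked for (policy DROP, with loopback, ESTABLISHED,RELATED and outbound SSH allowed, and a LOG rule just before the final DROP as Rob suggests), next to the quoted OUTPUT chain that Rob points out is broken, plus an awk check that counts rules shadowed by an earlier unconditional ACCEPT/DROP/REJECT in the same chain. The interface roles (eth0 internet, eth1 LAN) are assumptions taken from Rob's guess, and restricting the SSH rule to `-o eth1` is my choice, not something the thread states. Two caveats worth keeping in mind: the OUTPUT chain only sees packets the firewall itself originates, so LAN clients' traffic through the box is decided in FORWARD, not here; and iptables-restore replaces the whole filter table, so merge this fragment into the complete ruleset rather than loading it on its own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumptions: eth0 faces
# the internet, eth1 the LAN, and the firewall itself only needs to start
# SSH sessions towards the LAN. Needs only sh and awk, so it runs offline.

# Emit a restrictive OUTPUT chain in iptables-save format. Order matters:
# loopback and state rules first, the specific SSH allowance next, then a
# LOG rule immediately before the final DROP so whatever gets dropped while
# debugging shows up in the kernel log with a recognisable prefix.
output_chain() {
    cat <<'EOF'
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: "
-A OUTPUT -j DROP
COMMIT
EOF
}

# The OUTPUT chain quoted in the thread: an unconditional ACCEPT comes
# first, so the loopback rule after it can never match.
broken_chain() {
    cat <<'EOF'
*filter
:OUTPUT ACCEPT [80:13056]
-A OUTPUT -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin and print how many rules are unreachable because
# an earlier rule in the same chain has no match criteria and a terminating
# target (ACCEPT, DROP or REJECT). LOG is non-terminating, so it never
# shadows anything and is not counted as a terminator here.
count_shadowed() {
    awk '
        /^-A / {
            chain = $2
            if (dead[chain]) { shadowed++; next }
            # An unconditional terminating rule is exactly "-A CHAIN -j TARGET".
            if (NF == 4 && $3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
                dead[chain] = 1
        }
        END { print shadowed + 0 }
    '
}

# Usage: show both chains with their shadowed-rule counts.
echo "proposed chain, shadowed rules: $(output_chain | count_shadowed)"
output_chain
echo
echo "quoted chain, shadowed rules: $(broken_chain | count_shadowed)"
broken_chain
```

Run it as `sh output-chain.sh`; the quoted chain reports one shadowed rule (the `-o lo` ACCEPT behind the catch-all ACCEPT), the proposed chain reports none. The same `count_shadowed` filter can be pointed at a live dump with `iptables-save | count_shadowed` to catch the ordering mistake before a policy is switched to DROP.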