> OK, I had set:
>
> -A OUTPUT -j DROP
>
> So nothing worked.
>
> If OUTPUT is set to:
>
> -A OUTPUT -j ACCEPT
>
> Then everything works. I can ssh, ping to clients.
>
> So how do I get it working with OUTPUT as DROP?

I take it you have:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

as your first INPUT rule to take care of returning packets.

An SSH server binds to port 22/tcp: you will be connecting to destination port 22/tcp which is what you'll have to ACCEPT. Therefore this should do it:

:OUTPUT DROP [80:13056]
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW -o lo -j ACCEPT
-A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

This way you'll be blocking *everything* else, including DNS lookups. So, before you say it doesn't work, without these rules you'd only be able to connect using an IP address:

-A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT

If it doesn't work, add this to see what packets get logged when you're trying to connect to the SSH server:

-A OUTPUT -j LOG --log-prefix "IPT: "

If you want to be able to do *anything* else, you must write a rule to accept it.

Gr,
Rob
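
Added example, not part of Rob's message: a small script that tallies the packets logged with the "IPT: " prefix by protocol, destination and destination port, so each row points at outbound traffic that no ACCEPT rule covers yet. It assumes the LOG rule is the last rule in OUTPUT and the usual kernel LOG field layout; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise packets logged by the rule
#   -A OUTPUT -j LOG --log-prefix "IPT: "
# Assumption: that rule is the last one in OUTPUT, so each logged packet
# matched no ACCEPT rule and is about to hit the DROP policy.

# summarize_ipt_log (hypothetical helper): reads kernel log lines on stdin and
# prints "<count> <proto> <dst> <dport>" per distinct flow, busiest first.
# dport is "-" for protocols without ports (e.g. ICMP echo from ping).
summarize_ipt_log() {
    awk '
        /IPT: / {
            proto = "-"; dst = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                # Keep the first occurrence only: ICMP error logs repeat
                # DST=/PROTO= for the embedded packet inside [ ... ].
                if (proto == "-" && $i ~ /^PROTO=/) proto = substr($i, 7)
                else if (dst == "-" && $i ~ /^DST=/) dst = substr($i, 5)
                else if (dpt == "-" && $i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[proto " " dst " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# sample_log (hypothetical helper): constructed lines in the kernel LOG
# target format, using documentation addresses; not real traffic.
sample_log() {
    cat <<'EOF'
Jan  1 12:00:01 host kernel: IPT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Jan  1 12:00:02 host kernel: IPT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
Jan  1 12:00:03 host kernel: IPT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 12:00:04 host kernel: IPT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Jan  1 12:00:05 host sshd[100]: unrelated line without the prefix
EOF
}

sample_log | summarize_ipt_log
```

On a live host, pipe the kernel log into the function instead of the sample, for example `dmesg | summarize_ipt_log`.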