The second rule is not needed; it is shown as having matched 0 packets anyway. Do you have anything else in another table, like raw/nat?

On Mon, Aug 27, 2012 at 12:51 PM, Net Warrior <netwarrior863@xxxxxxxxx> wrote:
> Hi there.
> I've got a simple question regarding ssh configuration.
> Reading the documentation and googling, it seems that enabling ssh is
> the simplest thing in the world. I've got this:
>
> $IPTABLES -A INPUT -i $ETH_PRIMARY -p tcp -s $ANY_MACHINE \
>   --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> With this rule I can connect to the machine, so far so good. Now if I
> want to do ssh or scp to another machine I get blocked.
> I permit ALL the OUTPUT chain.
>
> The only way I'm able to ssh to another host or do scp is by adding this:
>
> $IPTABLES -A INPUT -i $ETH_PRIMARY -p tcp -s $ANY_MACHINE \
>   --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> So I've got this:
>
>     8   560 ACCEPT  tcp  --  eth0  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state NEW,ESTABLISHED
>     0     0 ACCEPT  tcp  --  eth0  *  0.0.0.0/0  0.0.0.0/0  tcp spt:22 state NEW,ESTABLISHED
>
> With these two rules I can ssh to another host and do scp. I'm confused,
> because all the examples I've been reading do not
> talk about enabling both, only the destination port.
>
> Chain OUTPUT (policy ACCEPT)
> target  prot opt source  destination
>
> Is this the right way, or am I misreading something?
>
> Thanks in advance
> Best Regards
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
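As an added illustration that is not part of either message: a small model of how the iptables state match treats the packets discussed in the thread. It assumes an INPUT policy of DROP and no other rules or tables (the thread does not show these), and adds the conventional ESTABLISHED,RELATED layout, under which the --sport 22 rule is both unnecessary and an unwanted opening for NEW connections sourced from port 22.

```python
# Added example, not code from the thread. Models first-match evaluation of an
# INPUT chain with the state match, to compare the poster's rules with the usual
# stateful layout. Ports and the DROP policy are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    sport: int
    dport: int
    state: str  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    states: set                  # -m state --state ...
    dport: Optional[int] = None  # --dport, None means any
    sport: Optional[int] = None  # --sport, None means any
    target: str = "ACCEPT"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.state in self.states
                and (self.dport is None or pkt.dport == self.dport)
                and (self.sport is None or pkt.sport == self.sport))


def verdict(chain, pkt, policy="DROP"):
    """First matching rule wins, as in a real chain; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The poster's INPUT rules, as written in the thread.
POSTER_DPORT_ONLY = [Rule({"NEW", "ESTABLISHED"}, dport=22)]
POSTER_BOTH = POSTER_DPORT_ONLY + [Rule({"NEW", "ESTABLISHED"}, sport=22)]
# The conventional layout: admit replies to anything this host started,
# and open port 22 only for NEW connections.
CONVENTIONAL = [Rule({"ESTABLISHED", "RELATED"}), Rule({"NEW"}, dport=22)]

# Constructed packets (assumed port numbers).
INBOUND_SSH_SYN = Packet(sport=40001, dport=22, state="NEW")
REPLY_TO_OUR_SCP = Packet(sport=22, dport=40002, state="ESTABLISHED")
UNSOLICITED_FROM_22 = Packet(sport=22, dport=3306, state="NEW")

if __name__ == "__main__":
    for name, chain in [("dport only", POSTER_DPORT_ONLY),
                        ("both rules", POSTER_BOTH), ("conventional", CONVENTIONAL)]:
        print(name, [verdict(chain, p) for p in
                     (INBOUND_SSH_SYN, REPLY_TO_OUR_SCP, UNSOLICITED_FROM_22)])
```

The third packet is the check a defender wants: the --sport 22 rule accepts any NEW connection that merely claims source port 22, whereas the ESTABLISHED,RELATED rule admits only replies to connections this host opened.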