Re: ssh configuration issue / doubt

This is what I've got

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            xxx        icmp type 8 state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            xxx        icmp type 0 state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpt:22 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpts:2370:2371 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpt:1521 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpt:5901 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpts:9006:9007 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpt:21 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpt:20 state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            xxx        udp spts:1024:65535 dpts:67:68
ACCEPT     udp  --  0.0.0.0/0            xxx        udp spt:53 dpts:1024:65535
ACCEPT     udp  --  0.0.0.0/0            xxx        udp spt:53 dpt:53

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     icmp --  xxx         0.0.0.0/0           icmp type 0 state RELATED,ESTABLISHED
ACCEPT     icmp --  xxx         0.0.0.0/0           icmp type 8 state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  xxx         0.0.0.0/0           udp spts:1024:65535 dpt:53
ACCEPT     udp  --  xxx         0.0.0.0/0           udp spt:53 dpt:53

I create the rules like this

  $IPTABLES -F    # flush every rule in the filter table
  $IPTABLES -Z    # zero the packet and byte counters
  $IPTABLES -X    # delete user-defined chains

# default policies: drop anything INPUT/FORWARD does not match, allow all OUTPUT
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT  ACCEPT
$IPTABLES -P FORWARD DROP

Then something like this

# one rule per TCP service port in $TCP: accept NEW connections to that port
# (and the ESTABLISHED packets of those connections) from $LAN to this host ($D_IN)
for puerto in $TCP
   do
     $IPTABLES -A INPUT -p tcp -s $LAN  -d $D_IN \
        --dport $puerto -m state --state NEW,ESTABLISHED -j ACCEPT
   done

# same for each UDP port in $UDP
for puerto in $UDP
   do
     $IPTABLES -A INPUT -p udp -s $LAN -d $D_IN \
        --dport $puerto -m state --state NEW,ESTABLISHED -j ACCEPT
   done

# }   <- closing brace of the enclosing shell function; its opening line is not shown here

Thanks for your help
Best Regards
2012/8/27 叶雨飞 <sunyucong@xxxxxxxxx>:
> the second rule is not needed, it's being shown that it has matched 0
> packets anyway.
>
> Do you have anything else in other tables, like raw/nat?
>
> On Mon, Aug 27, 2012 at 12:51 PM, Net Warrior <netwarrior863@xxxxxxxxx> wrote:
>> Hi there.
>> I've got a simple question regarding ssh configuration.
>> Reading the documentation and googling, it seems that enabling ssh is
>> the simplest thing in the world. I've got this.
>>
>>  $IPTABLES -A INPUT -i $ETH_PRIMARY -p tcp -s $ANY_MACHINE\
>>         --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>> With this rule I can connect to the machine, so far so good. Now if I
>> want to do scp or to scp to another machine I get blocked.
>> I permit ALL the output chain.
>>
>> The only way I'm able to do ssh to another host or do scp is by adding this
>>
>>  $IPTABLES -A INPUT -i $ETH_PRIMARY -p tcp -s $ANY_MACHINE\
>>         --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>> So I've got this
>>  8   560 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED
>>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 state NEW,ESTABLISHED
>> With these two rules I can ssh to another host and do scp. I'm confused
>> cuz all the examples I've been reading do not
>> talk about enabling both, only the destination port.
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>>
>> Is this the right way or am I misreading something?
>>
>> Thanks in advance
>> Best Regards
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
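The reason the original question needed an spt:22 rule is visible in the INPUT listing above: every rule there matches on a destination port (plus `spts:1024:65535`), and there is no rule that accepts packets by connection state alone. When this host opens an outbound ssh/scp session, the reply packets arrive on INPUT with source port 22 and a high destination port; conntrack marks them ESTABLISHED, but nothing in that chain matches them, so the DROP policy wins. A rule that accepts `--sport 22` with state NEW works around that, but it also lets any remote peer that chooses source port 22 start a new connection to any local port. The usual construction is a single ESTABLISHED,RELATED rule near the top of INPUT and per-port rules only for NEW. The script below is an added example, not the poster's script and not netfilter project code; `IPTABLES` defaults to `echo iptables` so the rules are printed rather than applied, `eth0`, the port list and the `-S`-style sample listing are constructed assumptions standing in for the poster's `$ETH_PRIMARY`, `$TCP` and real `iptables -S INPUT` output.

```shell
#!/bin/sh
# Added example: a stateful INPUT chain built the way conntrack expects.
# Dry run by default: IPTABLES="echo iptables" prints each command instead
# of applying it. Set IPTABLES=/sbin/iptables as root to apply for real.
IPTABLES="${IPTABLES:-echo iptables}"
ETH_PRIMARY="${ETH_PRIMARY:-eth0}"          # assumed interface name
TCP_SERVICES="${TCP_SERVICES:-22 21 1521 5901}"   # assumed service ports

build_input_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback traffic first.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # One rule covers every reply packet of a connection this host started
    # (outbound ssh/scp, DNS answers, ...). The reply from remote:22 to a
    # local high port is ESTABLISHED, so it matches here; no --sport 22
    # rule is needed and no NEW connection is admitted by this rule.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only NEW packets still need per-service rules: these decide which
    # inbound connections are allowed to start at all.
    for port in $TCP_SERVICES; do
        $IPTABLES -A INPUT -i "$ETH_PRIMARY" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # Inbound echo requests; echo replies to our own pings arrive as
    # ESTABLISHED and are handled by the state rule above.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Audit helper: print rules from an `iptables -S INPUT` style listing that
# accept NEW connections keyed on a source port. Such a rule admits a new
# connection to any local port from any peer using that source port.
# Exit status is grep's: 0 when an offending rule was found, 1 otherwise.
find_sport_new_rules() {
    # $1: listing file, or "-" to read stdin
    grep -E -- '--sport [0-9]+.*--state [^ ]*NEW.*-j ACCEPT' "$1"
}

# Constructed sample listing modelled on the two rules from the original
# question (not captured from a real host).
sample_listing() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
EOF
}

# Dry run: print the corrected rule set, then audit the sample listing.
build_input_rules
echo "--- rules accepting NEW by source port in the sample listing:"
sample_listing | find_sport_new_rules - || echo "(none)"
```

Running it as-is prints the corrected rule set and flags the `--sport 22 ... NEW` line of the sample listing; feeding the script's own output back through `find_sport_new_rules` finds nothing, because the ESTABLISHED,RELATED rule makes a source-port rule unnecessary. Pointing the helper at a real `iptables -S INPUT` dump is a quick check for the same pattern on an existing host.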

