The rule is used, as you can see, when I ssh to another host; as long as I do not connect to another host, the rule is not used.

 107  8396 ACCEPT  tcp  --  eth0  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state NEW,ESTABLISHED
  13  2569 ACCEPT  tcp  --  eth0  *  0.0.0.0/0  0.0.0.0/0  tcp spt:22 state NEW,ESTABLISHED

Thanks for your time and support
Regards

2012/8/27 Net Warrior <netwarrior863@xxxxxxxxx>:
> This is what I've got
>
> Chain INPUT (policy DROP)
> target  prot opt source     destination
> ACCEPT  all  --  127.0.0.1  0.0.0.0/0
> ACCEPT  icmp --  0.0.0.0/0  xxx          icmp type 8 state NEW,RELATED,ESTABLISHED
> ACCEPT  icmp --  0.0.0.0/0  xxx          icmp type 0 state RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0  xxx          tcp spts:1024:65535 dpt:22 state NEW,RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0  xxx          tcp spts:1024:65535 dpts:2370:2371 state NEW,RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0  xxx          tcp spts:1024:65535 dpt:1521 state NEW,RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0  xxx          tcp spts:1024:65535 dpt:5901 state NEW,RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0  xxx          tcp spts:1024:65535 dpts:9006:9007 state NEW,RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0  xxx          tcp spts:1024:65535 dpt:21 state NEW,RELATED,ESTABLISHED
> ACCEPT  tcp  --  0.0.0.0/0  xxx          tcp spts:1024:65535 dpt:20 state NEW,RELATED,ESTABLISHED
> ACCEPT  udp  --  0.0.0.0/0  xxx          udp spts:1024:65535 dpts:67:68
> ACCEPT  udp  --  0.0.0.0/0  xxx          udp spt:53 dpts:1024:65535
> ACCEPT  udp  --  0.0.0.0/0  xxx          udp spt:53 dpt:53
>
> Chain FORWARD (policy DROP)
> target  prot opt source     destination
>
> Chain OUTPUT (policy ACCEPT)
> target  prot opt source     destination
> ACCEPT  all  --  127.0.0.1  0.0.0.0/0
> ACCEPT  icmp --  xxx        0.0.0.0/0    icmp type 0 state RELATED,ESTABLISHED
> ACCEPT  icmp --  xxx        0.0.0.0/0    icmp type 8 state NEW,RELATED,ESTABLISHED
> ACCEPT  udp  --  xxx        0.0.0.0/0    udp spts:1024:65535 dpt:53
> ACCEPT  udp  --  xxx        0.0.0.0/0    udp spt:53 dpt:53
>
> I create the rules like this
>
> $IPTABLES -F
> $IPTABLES -Z
> $IPTABLES -X
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP
>
> Then something like this
>
> for puerto in $TCP
> do
>     $IPTABLES -A INPUT -p tcp -s $LAN -d $D_IN \
>         --dport $puerto -m state --state NEW,ESTABLISHED -j ACCEPT
> done
>
> for puerto in $UDP
> do
>     $IPTABLES -A INPUT -p udp -s $LAN -d $D_IN \
>         --dport $puerto -m state --state NEW,ESTABLISHED -j ACCEPT
> done
>
> }
>
> Thanks for your help
> Best Regards
>
> 2012/8/27 叶雨飞 <sunyucong@xxxxxxxxx>:
>> The second rule is not needed; it's being shown that it has matched 0
>> packets anyway.
>>
>> Do you have anything else in another table, like raw/nat?
>>
>> On Mon, Aug 27, 2012 at 12:51 PM, Net Warrior <netwarrior863@xxxxxxxxx> wrote:
>>> Hi there.
>>> I've got a simple question regarding ssh configuration.
>>> Reading the documentation and googling, it seems that enabling ssh is
>>> the simplest thing in the world. I've got this:
>>>
>>> $IPTABLES -A INPUT -i $ETH_PRIMARY -p tcp -s $ANY_MACHINE \
>>>     --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>>>
>>> With this rule I can connect to the machine, so far so good. Now if I
>>> want to do scp, or to scp to another machine, I get blocked;
>>> I permit ALL of the OUTPUT chain.
>>>
>>> The only way I'm able to ssh to another host or do scp is by adding this:
>>>
>>> $IPTABLES -A INPUT -i $ETH_PRIMARY -p tcp -s $ANY_MACHINE \
>>>     --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>>>
>>> So I've got this:
>>>
>>>    8   560 ACCEPT  tcp  --  eth0  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state NEW,ESTABLISHED
>>>    0     0 ACCEPT  tcp  --  eth0  *  0.0.0.0/0  0.0.0.0/0  tcp spt:22 state NEW,ESTABLISHED
>>>
>>> With these two rules I can ssh to another host and do scp. I'm confused
>>> because all the examples I've been reading do not
>>> talk about enabling both, only the destination port.
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target  prot opt source     destination
>>>
>>> Is this the right way, or am I misreading something?
>>>
>>> Thanks in advance
>>> Best Regards
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
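An added example, not part of the thread above and not the poster's script: a rule-building script in the same style as the one quoted in the thread, using the made-up variable names IPTABLES, ETH_PRIMARY, TCP_PORTS and UDP_PORTS. It accepts the replies of an outbound ssh or scp with a single conntrack rule (ESTABLISHED,RELATED) placed at the top of INPUT, so the --sport 22 rule the thread ends up with is not needed. The lint_rules function then reads iptables-style rule text and flags any rule that accepts NEW connections keyed on the source port alone: a remote client chooses its own source port, so a line such as the thread's "--sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT" admits a fresh connection from anywhere to any local TCP port as long as the client sends it from port 22. By default the script is a dry run that prints the commands (IPTABLES defaults to "echo iptables"); set IPTABLES=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example for the netfilter thread above; not the poster's script.
# The variable names (IPTABLES, ETH_PRIMARY, TCP_PORTS, UDP_PORTS) and the
# port list are assumptions for this example.  Default is a dry run that
# prints the commands; run with IPTABLES=iptables as root to apply them.

IPTABLES="${IPTABLES:-echo iptables}"
ETH_PRIMARY="${ETH_PRIMARY:-eth0}"
# Services this host offers (assumed list; iptables accepts a:b ranges).
TCP_PORTS="${TCP_PORTS:-22 21 20 1521 5901 2370:2371 9006:9007}"
UDP_PORTS="${UDP_PORTS:-}"

build_input_chain() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback by interface rather than by source address: a packet with
    # source 127.0.0.1 can arrive on eth0 too.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # One stateful rule covers the replies to every outbound connection.
    # When this host runs "ssh otherhost", the SYN leaves via OUTPUT (policy
    # ACCEPT) and conntrack records the flow; the SYN/ACK coming back with
    # spt:22 is ESTABLISHED and is accepted here, so no --sport 22 rule is
    # needed in INPUT.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # Only NEW connections need per-service rules, and only by destination
    # port: the source port is chosen by the remote side.
    for p in $TCP_PORTS; do
        $IPTABLES -A INPUT -i "$ETH_PRIMARY" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        $IPTABLES -A INPUT -i "$ETH_PRIMARY" -p udp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    # Echo-request in; the echo-reply to our own pings matches ESTABLISHED.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Read iptables-style rule lines on stdin and print the ones that accept
# NEW connections on the basis of the source port alone (no --dport).
# Exit status 1 if any were found, 0 otherwise.
lint_rules() {
    awk '
        /-j ACCEPT/ && /--sport/ && !/--dport/ && /NEW/ {
            print "RISKY (source port is attacker-controlled): " $0
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample: the rule the thread adds to "make outbound ssh work".
SPORT_RULE='iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT'

build_input_chain
printf '%s\n' "$SPORT_RULE" | lint_rules \
    || echo "lint: that rule opens every local TCP port to a client sending from port 22"
```

Run it as "sh fw.sh" to see the generated commands and the lint verdict; feed your own ruleset with "iptables-save | sh -c '. ./fw.sh; lint_rules'" only after removing the top-level calls, or copy lint_rules into a script of its own.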