Ah, I see what the problem is: you are basically confusing two different issues.

1) For allowing ssh into this machine, your first rule is correct and the only one needed.

2) For allowing ssh out to other machines from that machine (it doesn't matter that you have sshed in, it's the same), you should have the following:

2.a) In chain OUTPUT, either have policy ALLOW or specifically allow dport=22 state=NEW.

2.b) In chain INPUT, either allow everything -m ESTABLISHED or allow -spt 22 -m ESTABLISHED.

Because when the reply packet hits your INPUT chain, it would have spt=22, dpt=(whatever local port your ssh chooses), state=ESTABLISHED, and you can see that without your second rule your policy just DROPs this packet.

So, usually this is what I do on input:

POLICY: DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
<.... your other inbound rules>

On Mon, Aug 27, 2012 at 1:21 PM, Net Warrior <netwarrior863@xxxxxxxxx> wrote:
> The rule is used as you can see when I ssh to another host; as long as I
> do not connect to another host the rule is not used.
>
> 107 8396 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
> 13 2569 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state NEW,ESTABLISHED
>
> Thanks for your time and support
> Regards
>
>
> 2012/8/27 Net Warrior <netwarrior863@xxxxxxxxx>:
>> This is what I've got
>>
>> Chain INPUT (policy DROP)
>> target prot opt source destination
>> ACCEPT all -- 127.0.0.1 0.0.0.0/0
>> ACCEPT icmp -- 0.0.0.0/0 xxx icmp type 8 state NEW,RELATED,ESTABLISHED
>> ACCEPT icmp -- 0.0.0.0/0 xxx icmp type 0 state RELATED,ESTABLISHED
>> ACCEPT tcp -- 0.0.0.0/0 xxx tcp spts:1024:65535 dpt:22 state NEW,RELATED,ESTABLISHED
>> ACCEPT tcp -- 0.0.0.0/0 xxx tcp spts:1024:65535 dpts:2370:2371 state NEW,RELATED,ESTABLISHED
>> ACCEPT tcp -- 0.0.0.0/0 xxx tcp spts:1024:65535 dpt:1521 state NEW,RELATED,ESTABLISHED
>> ACCEPT tcp -- 0.0.0.0/0 xxx tcp spts:1024:65535 dpt:5901 state NEW,RELATED,ESTABLISHED
>> ACCEPT tcp -- 0.0.0.0/0 xxx tcp spts:1024:65535 dpts:9006:9007 state NEW,RELATED,ESTABLISHED
>> ACCEPT tcp -- 0.0.0.0/0 xxx tcp spts:1024:65535 dpt:21 state NEW,RELATED,ESTABLISHED
>> ACCEPT tcp -- 0.0.0.0/0 xxx tcp spts:1024:65535 dpt:20 state NEW,RELATED,ESTABLISHED
>> ACCEPT udp -- 0.0.0.0/0 xxx udp spts:1024:65535 dpts:67:68
>> ACCEPT udp -- 0.0.0.0/0 xxx udp spt:53 dpts:1024:65535
>> ACCEPT udp -- 0.0.0.0/0 xxx udp spt:53 dpt:53
>>
>> Chain FORWARD (policy DROP)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>> ACCEPT all -- 127.0.0.1 0.0.0.0/0
>> ACCEPT icmp -- xxx 0.0.0.0/0 icmp type 0 state RELATED,ESTABLISHED
>> ACCEPT icmp -- xxx 0.0.0.0/0 icmp type 8 state NEW,RELATED,ESTABLISHED
>> ACCEPT udp -- xxx 0.0.0.0/0 udp spts:1024:65535 dpt:53
>> ACCEPT udp -- xxx 0.0.0.0/0 udp spt:53 dpt:53
>>
>> I create the rules like this
>>
>> $IPTABLES -F
>> $IPTABLES -Z
>> $IPTABLES -X
>>
>> $IPTABLES -P INPUT DROP
>> $IPTABLES -P OUTPUT ACCEPT
>> $IPTABLES -P FORWARD DROP
>>
>> Then something like this
>>
>> for puerto in $TCP
>> do
>> $IPTABLES -A INPUT -p tcp -s $LAN -d $D_IN \
>> --dport $puerto -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>> done
>>
>>
>> for puerto in $UDP
>> do
>> $IPTABLES -A INPUT -p udp -s $LAN -d $D_IN \
>> --dport $puerto -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>> done
>>
>>
>> }
>>
>> Thanks for your help
>> Best Regards
>> 2012/8/27 叶雨飞 <sunyucong@xxxxxxxxx>:
>>> the second rule is not needed, it's being shown that it has matched 0
>>> packets anyway.
>>>
>>> Do you have anything else in other tables? like raw/nat ?
>>>
>>> On Mon, Aug 27, 2012 at 12:51 PM, Net Warrior <netwarrior863@xxxxxxxxx> wrote:
>>>> Hi there.
>>>> I've got a simple question regarding ssh configuration.
>>>> Reading the documentation and googling, it seems that enabling ssh is
>>>> the simplest thing in the world; I've got this.
>>>>
>>>> $IPTABLES -A INPUT -i $ETH_PRIMARY -p tcp -s $ANY_MACHINE \
>>>> --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>>>>
>>>> With this rule I can connect to the machine, so far so good; now if I
>>>> want to do scp or to ssh to another machine I get blocked.
>>>> I permit ALL in the output chain.
>>>>
>>>> The only way I'm able to do ssh to another host or do scp is by adding this
>>>>
>>>> $IPTABLES -A INPUT -i $ETH_PRIMARY -p tcp -s $ANY_MACHINE \
>>>> --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>>>>
>>>> So I've got this
>>>> 8 560 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
>>>> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state NEW,ESTABLISHED
>>>> With these two rules I can ssh to another host and do scp. I'm confused
>>>> cuz all the examples I've been reading do not
>>>> talk about enabling both, only the destination port.
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>>
>>>> Is this the right way, or am I misreading something?
>>>>
>>>> Thanks in advance
>>>> Best Regards
>>>> --
>>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
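The INPUT-chain behaviour the reply above describes, as an added example that is not part of the thread: a small Python simulation of first-match-wins evaluation with a DROP policy, run over the three rule sets discussed (the poster's single dport 22 rule, the poster's --sport 22 workaround, and the generic ESTABLISHED,RELATED rule from the reply). Packet values and the conntrack states are constructed sample data.

```python
# Added example (not from the thread): simulate how an INPUT chain with
# policy DROP handles SSH in both directions. Rules and packets are
# simplified; ports and states are constructed sample values.

def rule_matches(rule, pkt):
    """A rule field that is absent matches anything (like iptables)."""
    for key in ("proto", "sport", "dport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    return "states" not in rule or pkt["state"] in rule["states"]

def evaluate(chain, policy, pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy

# Chain 1: the original poster's single rule (inbound SSH only).
ONLY_DPORT_22 = [
    {"proto": "tcp", "dport": 22, "states": {"NEW", "ESTABLISHED"}, "target": "ACCEPT"},
]
# Chain 2: the poster's workaround, adding "--sport 22 --state NEW,ESTABLISHED".
SPORT_22_WORKAROUND = ONLY_DPORT_22 + [
    {"proto": "tcp", "sport": 22, "states": {"NEW", "ESTABLISHED"}, "target": "ACCEPT"},
]
# Chain 3: the reply's recommendation: one generic ESTABLISHED,RELATED rule first.
ESTABLISHED_FIRST = [
    {"states": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"proto": "tcp", "dport": 22, "states": {"NEW"}, "target": "ACCEPT"},
]

# Constructed packets as they arrive at INPUT.
PACKETS = {
    # a peer opening a new SSH session to this host
    "inbound_ssh": {"proto": "tcp", "sport": 51234, "dport": 22, "state": "NEW"},
    # the server's reply to an outbound ssh/scp: sport 22, local ephemeral dport
    "outbound_reply": {"proto": "tcp", "sport": 22, "dport": 40000, "state": "ESTABLISHED"},
    # an unsolicited packet whose sender simply chose source port 22
    "unsolicited_sport22": {"proto": "tcp", "sport": 22, "dport": 3306, "state": "NEW"},
}

def verdicts(chain):
    """Map each sample packet to the verdict the chain gives it."""
    return {name: evaluate(chain, "DROP", pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, chain in (("only dport 22", ONLY_DPORT_22),
                         ("sport 22 workaround", SPORT_22_WORKAROUND),
                         ("established first", ESTABLISHED_FIRST)):
        print(label, verdicts(chain))
```

The third packet is why the reply pairs the --sport 22 match with ESTABLISHED only: a --sport 22 rule that also accepts NEW admits any unsolicited connection whose sender picked source port 22, whereas the generic ESTABLISHED,RELATED rule accepts only replies to connections conntrack has already seen.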