Re: IPTables - Going Stateless

On Tuesday 21 of May 2013 11:07EN, Nick Khamis wrote:
> #echo -e "       - Accepting SSH Traffic"
> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
> 
> #echo -e "       - Accepting input TCP and UDP traffic to open ports"
> $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
> 
> #echo -e "       - Accepting output TCP and UDP traffic to open ports"
> $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
> 
> #echo -e "       - Dropping input TCP and UDP traffic to closed ports"
> # $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
> 
> #echo -e "       - Dropping output TCP and UDP traffic to closed ports"
> # $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
> 
> Everything works fine with the REJECT rules commented out, but when
> included SSH access is blocked out. Not sure why, isn't the sequence
> correct (i.e., the ACCEPT entries before the DROP and REJECT)?

You send only SYN packets into the TCP chain, so if these are all the rules you
have, every other TCP packet is rejected (both in INPUT and OUTPUT).

                                                        Michal Kubeček
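The following is an added example, not code from the thread or from netfilter: a small Python model of how INPUT and OUTPUT in the quoted script dispatch packets, used to trace an SSH handshake through the rules. It assumes a default policy of ACCEPT on INPUT/OUTPUT (consistent with "everything works fine with the REJECT rules commented out"), ignores the interface matches, and treats `-p tcp ! --syn -j ACCEPT` in front of the dispatch as one possible stateless fix; that fix is this example's assumption, not something the reply prescribes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model (not the poster's script, not netfilter) of the chains in
# the thread: INPUT/OUTPUT send "-p tcp --syn" to the user chain TCP, "-p udp"
# to UDP, and then REJECT whatever is left.


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = False  # True only for a bare SYN, which is what "--syn" matches


@dataclass(frozen=True)
class Rule:
    target: str                 # ACCEPT, DROP, REJECT or a user chain name
    proto: Optional[str] = None
    src: Optional[str] = None   # CIDR or host, as in "-s"
    dst: Optional[str] = None   # CIDR or host, as in "-d"
    dport: Optional[int] = None
    syn: Optional[bool] = None  # None: any; True: "--syn"; False: "! --syn"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        return True


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def walk(chains: dict, chain: str, pkt: Packet, policy: Optional[str] = "ACCEPT") -> Optional[str]:
    """First matching rule wins; a user chain that runs off its end returns
    to the caller (policy=None), a built-in chain falls to its policy."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        verdict = walk(chains, rule.target, pkt, policy=None)
        if verdict is not None:
            return verdict
    return policy


# The two SSH rules from the quoted "TCP" chain.
SSH_RULES = [
    Rule("ACCEPT", proto="tcp", src="192.168.2.0/24", dst="192.168.2.5", dport=22),
    Rule("DROP", proto="tcp", src="0.0.0.0/0", dst="192.168.2.5", dport=22),
]


def build_chains(reject_closed: bool, accept_non_syn: bool) -> dict:
    """reject_closed=True, accept_non_syn=False reproduces the failing ruleset.
    accept_non_syn=True prepends '-p tcp ! --syn -j ACCEPT' (assumed fix)."""
    dispatch = [
        Rule("TCP", proto="tcp", syn=True),  # -p tcp --syn -j TCP
        Rule("UDP", proto="udp"),            # -p udp -j UDP
    ]
    if reject_closed:                         # the REJECT lines from the post
        dispatch += [Rule("REJECT", proto="tcp"), Rule("REJECT", proto="udp")]
    if accept_non_syn:
        dispatch = [Rule("ACCEPT", proto="tcp", syn=False)] + dispatch
    return {"TCP": SSH_RULES, "UDP": [], "INPUT": dispatch, "OUTPUT": dispatch}


def ssh_handshake(chains: dict) -> list:
    """Verdicts for SYN (INPUT), SYN-ACK (OUTPUT) and ACK (INPUT) of one
    SSH connection from a constructed LAN client to the 192.168.2.5 host."""
    client, server = "192.168.2.10", "192.168.2.5"
    syn = Packet("tcp", client, server, 22, syn=True)
    syn_ack = Packet("tcp", server, client, 40000)  # SYN+ACK is not "--syn"
    ack = Packet("tcp", client, server, 22)
    return [walk(chains, "INPUT", syn),
            walk(chains, "OUTPUT", syn_ack),
            walk(chains, "INPUT", ack)]


if __name__ == "__main__":
    print("as posted:     ", ssh_handshake(build_chains(True, False)))
    print("REJECT removed:", ssh_handshake(build_chains(False, False)))
    print("with ! --syn:  ", ssh_handshake(build_chains(True, True)))
```

As posted, only the client's SYN reaches the TCP chain; the server's SYN-ACK in OUTPUT and the client's ACK in INPUT never do, so both hit the REJECT rules and the handshake cannot complete, which is exactly the blocked SSH the poster saw. Accepting `! --syn` is the classic stateless approximation of "established": it keeps the thread's SSH source restriction for new connections but admits any non-SYN segment regardless of whether a connection exists, so where state tracking is acceptable, `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` is the tighter choice.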
