[Solved] Did the iptables tutorial - SSH doesn't work

cyberius · 2011-04-11 19:32:51

Hi

I followed the https://wiki.archlinux.org/index.php/Si … l_Firewall tutorial and added

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

(like cactus suggested in https://bbs.archlinux.org/viewtopic.php?pid=69595).

Sadly I still can't connect to the ssh server on my linux box, I immediately get a "connection refused".

This is my iptables.rules

]$ cat vim /etc/iptables/iptables.rules
cat: vim: No such file or directory
# Generated by iptables-save v1.4.10 on Mon Apr 11 21:20:30 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:304]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Mon Apr 11 21:20:30 2011

By turning OFF iptables, SSH works again. So something must be wrong?

Thanks!

Last edited by cyberius (2011-04-11 22:06:54)

Revelation60 · 2011-04-11 20:43:38

You should try and move the ssh-line up in the file. It looks like one of the lines above it may actually block all requests. iptables rules are executed linearly.

cyberius · 2011-04-11 21:04:25

So how do I add new exceptions for iptables, when I later want to allow other ports, e.g. game servers?

Do I always have to move them up?
The tutorial didn't say anything about this.

Last edited by cyberius (2011-04-11 21:05:15)

thestinger · 2011-04-11 21:08:11

The guide sets up two chains for opening TCP and UDP ports, you've currently opened port 80 TCP and port 53 UDP:

-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT

You should remove those if you're not running a web server/dns server - in fact, just change --dport 80 to --dport 22 for ssh and then get rid of the line opening port 53 UDP.

https://wiki.archlinux.org/index.php/Si … PEN_chains

You can use this to open a TCP port at any time:

iptables -A TCP -p tcp --dport ###  -j ACCEPT

Or to open a range of ports:

iptables -A UDP -p udp --dport 1630:1638 -j ACCEPT

Or just several ports:

iptables -A TCP -p tcp -m multiport --dports 80,1720,7777 -j ACCEPT

Last edited by thestinger (2011-04-11 21:12:27)

cyberius · 2011-04-11 22:05:48

thestinger Thank you very much for your answer!
It works and I finally understand the whole iptables thing.

My SSH didn't work earlier, because the custom rule was AFTER

REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset

So simple... again I learned something

Last edited by cyberius (2011-04-11 22:06:34)

Arch Linux

#1 2011-04-11 19:32:51

[Solved] Did the iptables tutorial - SSH doesn't work

#2 2011-04-11 20:43:38

Re: [Solved] Did the iptables tutorial - SSH doesn't work

#3 2011-04-11 21:04:25

Re: [Solved] Did the iptables tutorial - SSH doesn't work

#4 2011-04-11 21:08:11

Re: [Solved] Did the iptables tutorial - SSH doesn't work

#5 2011-04-11 22:05:48

Re: [Solved] Did the iptables tutorial - SSH doesn't work

Board footer