Hi
I followed the https://wiki.archlinux.org/index.php/Si … l_Firewall tutorial and added
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
(like cactus suggested in https://bbs.archlinux.org/viewtopic.php?pid=69595).
Sadly I still can't connect to the SSH server on my Linux box; I immediately get a "connection refused".
This is my iptables.rules
]$ cat vim /etc/iptables/iptables.rules
cat: vim: No such file or directory
# Generated by iptables-save v1.4.10 on Mon Apr 11 21:20:30 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:304]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Mon Apr 11 21:20:30 2011
By turning OFF iptables, SSH works again. So something must be wrong?
Thanks!
Last edited by cyberius (2011-04-11 22:06:54)
You should try to move the ssh line up in the file. It looks like one of the lines above it may actually block all requests. iptables rules are executed linearly.
So how do I add new exceptions for iptables, when I later want to allow other ports, e.g. game servers?
Do I always have to move them up?
The tutorial didn't say anything about this.
Last edited by cyberius (2011-04-11 21:05:15)
The guide sets up two chains for opening TCP and UDP ports; you've currently opened port 80 TCP and port 53 UDP:
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT
You should remove those if you're not running a web server/DNS server - in fact, just change --dport 80 to --dport 22 for ssh and then get rid of the line opening port 53 UDP.
https://wiki.archlinux.org/index.php/Si … PEN_chains
You can use this to open a TCP port at any time:
iptables -A TCP -p tcp --dport ### -j ACCEPT
Or to open a range of ports:
iptables -A UDP -p udp --dport 1630:1638 -j ACCEPT
Or just several ports:
iptables -A TCP -p tcp -m multiport --dports 80,1720,7777 -j ACCEPT
Last edited by thestinger (2011-04-11 21:12:27)
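The two replies above make the same point: iptables evaluates a chain top to bottom and stops at the first terminal target, so the custom ACCEPT placed after the catch-all "-p tcp -j REJECT" could never match. The script below is an added example, not code from the thread or from the Arch wiki; it is a small static checker for exactly that mistake. unreachable_input_rules reads an iptables-save dump on stdin and prints every INPUT rule that sits after a catch-all REJECT/DROP for its protocol (or for all traffic). It is run against a constructed copy of the original post's ruleset and against a corrected version that follows thestinger's advice (sshd opened in the TCP chain, ports 80 and 53 removed). Rule text and counters other than those in the post are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): static check for ACCEPT rules in the
# INPUT chain that are shadowed by an earlier catch-all REJECT/DROP.

unreachable_input_rules() {
    awk '
    # Only rules appended to INPUT matter for this check.
    $1 != "-A" || $2 != "INPUT" { next }
    {
        proto = "all"; target = ""; catchall = 1
        for (i = 3; i <= NF; i++) {
            if ($i == "-p")                 { proto = $(i + 1); i++ }
            else if ($i == "-j")            { target = $(i + 1); i++ }
            else if ($i == "--reject-with") { i++ }
            else                            { catchall = 0 }  # -m, -i, --dport ... narrow the rule
        }
        # Already shadowed by a catch-all for this protocol, or for everything?
        if (proto != "all" && (proto in shadow)) {
            print $0 "  <-- never reached, shadowed by: " shadow[proto]; next
        }
        if ("all" in shadow) {
            print $0 "  <-- never reached, shadowed by: " shadow["all"]; next
        }
        # Remember catch-all terminal rules so later rules can be flagged.
        if (catchall && (target == "REJECT" || target == "DROP")) shadow[proto] = $0
    }'
}

count_unreachable() {
    # Number of unreachable INPUT rules in the ruleset passed as $1.
    printf '%s\n' "$1" | unreachable_input_rules | wc -l | tr -d ' '
}

# Constructed copy of the ruleset from the original post (comments trimmed).
BROKEN_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:304]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# Corrected version (assumed layout following the advice in the thread):
# the SSH ACCEPT lives in the TCP chain, which is consulted before the REJECTs.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

echo "Original post's ruleset:"
printf '%s\n' "$BROKEN_RULES" | unreachable_input_rules
echo "Corrected ruleset: $(count_unreachable "$FIXED_RULES") unreachable INPUT rule(s)"
```

To check a live box, feed it the saved rules: `iptables-save | sh -c '. ./check.sh; unreachable_input_rules'` (or just `cat /etc/iptables/iptables.rules | unreachable_input_rules` after sourcing the functions). The check is deliberately conservative: it only treats a rule as a catch-all when its sole match is the protocol, so rules narrowed by -m, -i or --dport are never mistaken for shadows.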
thestinger, thank you very much for your answer!
It works and I finally understand the whole iptables thing.
My SSH didn't work earlier because the custom rule was AFTER
REJECT tcp -- anywhere anywhere reject-with tcp-reset
So simple... again I learned something.
Last edited by cyberius (2011-04-11 22:06:34)