
#1 2014-11-09 12:28:23

Archlinuxomane
Member
Registered: 2012-05-18
Posts: 19

simple stateful firewall-guide - ssh lock-out

Hi,

I followed the simple stateful firewall-guide on the wiki and got locked out of my ssh-connection.

Now I wonder if there is a mistake on my side or maybe the wiki page should be edited. I wanted to clarify this before I start editing the guide, as I am quite new to iptables.

In the guide, it says to add the following rule:

-P INPUT DROP

Not without mentioning that one should first add a rule allowing ssh-traffic looking like this:

-A TCP -p tcp --dport 22 -j ACCEPT

This actually still got me locked out. Adding this rule helped:

-A INPUT -p tcp --dport 22 -j ACCEPT


Furthermore, maybe there should be a hint on how to automatically restore iptables-rules in case one does get locked out - on my machine, a

shutdown -r +5

sufficed.


#2 2014-11-09 13:44:10

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: simple stateful firewall-guide - ssh lock-out

You have to be extremely careful, and know what you're doing, to safely, remotely change such fundamental security aspects on a PC ;)

There is a big pink warning at the top of the wiki page.


#3 2014-11-09 14:00:32

Archlinuxomane
Member
Registered: 2012-05-18
Posts: 19

Re: simple stateful firewall-guide - ssh lock-out

I know, as it says in my post. I got back in, I was just wondering if there maybe is something missing in the wiki page.


#4 2014-11-09 14:26:07

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,697

Re: simple stateful firewall-guide - ssh lock-out

In my experience, iptables is not for amateurs. Consider using a helper like ufw or shorewall.


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#5 2014-11-10 20:01:26

Archlinuxomane
Member
Registered: 2012-05-18
Posts: 19

Re: simple stateful firewall-guide - ssh lock-out

Still, if there is a mistake in the wiki, it should be fixed, right?


#6 2014-11-10 21:13:28

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: simple stateful firewall-guide - ssh lock-out

The wiki page says:

Warning: This is the step where you will be locked out if you are logged in via SSH. Therefore do this step following your rule regarding port 22 (or whatever port you're using for SSH) to prevent being locked out.

Note the pink background, and the boldness. Not bold enough? :(


#7 2014-11-10 21:18:26

Archlinuxomane
Member
Registered: 2012-05-18
Posts: 19

Re: simple stateful firewall-guide - ssh lock-out

And to prevent this, the wiki says to add a rule in the TCP chain which allows tcp traffic via port 22:

-A TCP -p tcp --dport 22 -j ACCEPT

But that does not prevent you from being locked out, applying the same rule to the INPUT chain does:

-A INPUT -p tcp --dport 22 -j ACCEPT

That's where I think the wiki is incorrect.

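The rule in the TCP chain (posts #1 and #7) only protects a session if INPUT actually jumps into TCP for new connections; otherwise, once the policy is DROP, there is no path to an ACCEPT for port 22. Below is an added pre-flight check for exactly that gap (my own example, not from the wiki or the thread): it walks a rules file and reports whether the SSH port is still accepted, directly in INPUT or through a user chain INPUT jumps to. The two rulesets are constructed sample input, and the TCP chain name, port and file format (one iptables argument list per line, as in the posts) are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki or this thread: pre-flight check for the lock-out
# in post #1. Given a file of iptables rules (command form "-A ...", "-P ..." or the
# iptables-save form ":INPUT DROP"), return 0 if the SSH port still gets ACCEPTed once
# the INPUT policy is DROP, either directly in INPUT or via a user chain INPUT jumps to.
ssh_reachable() {
    ruleset="$1"; port="${2:-22}"
    awk -v port="$port" '
        $1 == "-P" && $2 == "INPUT"  { policy = $3 }   # iptables -P INPUT DROP
        $1 == ":INPUT"               { policy = $2 }   # iptables-save header line
        $1 == "-A" {
            chain = $2; target = ""; dport = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-j")      target = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
            }
            if (target == "ACCEPT" && dport == port) accepts[chain] = 1
            # a non-terminating target on INPUT is a jump into a user chain (e.g. TCP)
            else if (chain == "INPUT" && target != "" && target !~ /^(ACCEPT|DROP|REJECT|RETURN)$/)
                jumps[target] = 1
        }
        END {
            if (policy != "DROP")   exit 0             # nothing drops unmatched traffic
            if ("INPUT" in accepts) exit 0             # -A INPUT -p tcp --dport 22 -j ACCEPT
            for (c in jumps) if (c in accepts) exit 0  # INPUT -> TCP -> ACCEPT
            exit 1                                     # new SSH connections would be dropped
        }' "$ruleset"
}

# Constructed rulesets (sample input, not real configs). LOCKOUT: the accept rule sits
# in TCP but INPUT never jumps there, so with policy DROP every new SSH connection is
# dropped. SAFE adds the INPUT -> TCP jump for new connections, so the same rule works.
LOCKOUT=$(mktemp); cat > "$LOCKOUT" <<'EOF'
-N TCP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A TCP -p tcp --dport 22 -j ACCEPT
-P INPUT DROP
EOF
SAFE=$(mktemp); cat > "$SAFE" <<'EOF'
-N TCP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A TCP -p tcp --dport 22 -j ACCEPT
-P INPUT DROP
EOF

ssh_reachable "$LOCKOUT" && echo "LOCKOUT: ok" || echo "LOCKOUT: port 22 unreachable, do not load"
ssh_reachable "$SAFE"    && echo "SAFE: ok"    || echo "SAFE: port 22 unreachable, do not load"
```

Even when the check passes, keep the safety net from post #1 (a pending `shutdown -r +5`, cancelled with `shutdown -c` once a fresh SSH login succeeds), since the check only covers the rule path and not conntrack state for the session you are already in.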

#8 2014-11-10 21:39:16

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: simple stateful firewall-guide - ssh lock-out

You're right - fixed now :)
