
#1 2006-04-27 08:28:55

riwa
Member
From: Lund, Sweden
Registered: 2006-04-04
Posts: 215

Will an "iptable" firewall block ssh?

I'm reading on wiki about configuring a firewall but it tells me:

wiki-pages wrote:

BIG FAT WARNING: For simplicity, the rules are given in the order that they are executed later. If you are logged into a remote machine, following the rules in the exact order they are given MAY result in your machine being unavailable to the network. Only do the steps below while you are logged in locally unless you know what you are doing. You have been warned.

Does that include ssh? If so, how can I bypass that effect on ssh? I haven't touched it due to this warning.

/Richard


If you must have must. Have must.
- DKE supporters about this wonderful swedish soda.


#2 2006-04-27 11:26:05

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029

Re: Will an "iptable" firewall block ssh?

It will block everything, except the stuff you allow. If you don't allow SSH, then it will block it. But only once IPtables is started: you can set up the rules and add a line to allow SSH. After starting IPtables, things should be fine. Of course, when you forget that line, you'll need physical access to the box in order to correct it.


A bus station is where a bus stops.
A train station is where a train stops.
On my desk I have a workstation.


#3 2006-04-27 16:35:21

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: Will an "iptable" firewall block ssh?

If you have local access to the machine, do it locally. This way, you cannot do anything wrong. If you can only access it remotely, then you have to add the rules in the right order:

Skip these three rules at the end of section 2.2:

# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# iptables -P INPUT DROP

Then proceed with the "open" chain and add the ssh rule:

# iptables -A open -p tcp --dport 22 -j ACCEPT

Then add the three rules that you skipped above. This way, you will allow incoming ssh connections before blocking anything else.

If you are setting up a firewall from a remote machine, it is vital that you know what the effect of every rule that you add is. Incomplete rulesets may lock you out completely - which is a very unpleasant experience.
Make sure you understand the concept of iptables and iptables rules. Make sure you understand what the rules mean before you add them. The iptables manpage and netfilter.org are a great help with this.

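The reason brain0's ordering works is iptables' first-match evaluation: a packet walks the INPUT chain top to bottom and the first terminal target (ACCEPT, DROP, REJECT) wins, with the chain policy applying only if nothing matches. The short simulator below is an added example, not code from this thread or from the Arch wiki; it models only the options used in the commands quoted above and assumes, as the thread implies, that INPUT jumps to a user chain called "open". It replays the quoted commands in the wiki's order and in brain0's order and reports, after each command, whether a new TCP/22 connection would still be accepted. It goes slightly beyond the thread by modelling the general first-match rule rather than only these four commands.

```python
"""Model of iptables first-match evaluation, added to illustrate why the
order in which rules are *added* matters when you are logged in over SSH.
Added example; not code from the thread or the Arch wiki. Only the options
used in the quoted commands are understood, and the jump from INPUT to the
user chain "open" is an assumption about the surrounding ruleset."""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


class Firewall:
    """A tiny stand-in for the kernel's INPUT chain and its user chains."""

    def __init__(self):
        self.chains = {"INPUT": []}        # chain name -> ordered list of rules
        self.policy = {"INPUT": "ACCEPT"}  # default verdict when nothing matches

    def run(self, cmdline):
        """Apply one iptables command (subset: -N, -P, -A with -p/--dport/-j)."""
        args = shlex.split(cmdline.lstrip("# "))
        if args and args[0] == "iptables":
            args = args[1:]
        if args[0] == "-N":                    # create a user-defined chain
            self.chains[args[1]] = []
        elif args[0] == "-P":                  # set a built-in chain's policy
            self.policy[args[1]] = args[2]
        elif args[0] == "-A":                  # append a rule to a chain
            rule = {"proto": None, "dport": None, "target": None}
            i = 2
            while i < len(args):
                opt, val = args[i], args[i + 1]
                if opt == "-p":
                    rule["proto"] = val
                elif opt == "--dport":
                    rule["dport"] = int(val)
                elif opt == "-j":
                    rule["target"] = val
                elif opt != "--reject-with":   # reject type does not affect matching
                    raise ValueError(f"unsupported option {opt}")
                i += 2
            self.chains[args[1]].append(rule)
        else:
            raise ValueError(f"unsupported command {cmdline!r}")

    def _walk(self, chain, proto, dport):
        """First matching terminal target wins; a user chain that matches
        nothing returns to the caller, which keeps walking its own rules."""
        for rule in self.chains[chain]:
            if rule["proto"] is not None and rule["proto"] != proto:
                continue
            if rule["dport"] is not None and rule["dport"] != dport:
                continue
            if rule["target"] in TERMINAL:
                return rule["target"]
            verdict = self._walk(rule["target"], proto, dport)
            if verdict is not None:
                return verdict
        return None

    def verdict(self, proto, dport=None):
        """Verdict for a new incoming packet of the given protocol/port."""
        return self._walk("INPUT", proto, dport) or self.policy["INPUT"]


# Constructed command sequences. The jump from INPUT to "open" is assumed;
# the remaining lines are the ones quoted in the thread.
SETUP = ["iptables -N open", "iptables -A INPUT -j open"]
BLOCK = [
    "iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset",
    "iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable",
    "iptables -P INPUT DROP",
]
SSH = ["iptables -A open -p tcp --dport 22 -j ACCEPT"]

WIKI_ORDER = SETUP + BLOCK + SSH   # blocking rules first, ssh rule last
SAFE_ORDER = SETUP + SSH + BLOCK   # brain0's order: allow ssh, then block


def ssh_reachable_after_each(commands):
    """For each command, report whether a new TCP/22 connection is still
    accepted once that command has been applied."""
    fw, reachable = Firewall(), []
    for cmd in commands:
        fw.run(cmd)
        reachable.append(fw.verdict("tcp", 22) == "ACCEPT")
    return reachable


if __name__ == "__main__":
    for name, seq in (("wiki order", WIKI_ORDER), ("brain0's order", SAFE_ORDER)):
        print(f"{name}: ssh reachable after each command -> "
              f"{ssh_reachable_after_each(seq)}")
```

In the wiki's order there is a window of three commands during which no new ssh connection is accepted, which is exactly the lock-out brain0 warns about; in his order ssh stays reachable throughout, and the final ruleset is the same in both cases (other TCP and UDP ports are rejected, everything else falls through to the DROP policy).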

#4 2006-04-27 20:54:31

riwa
Member
From: Lund, Sweden
Registered: 2006-04-04
Posts: 215

Re: Will an "iptable" firewall block ssh?

Well it's on a local machine so it's not that serious. I'll try it later when I have access.


If you must have must. Have must.
- DKE supporters about this wonderful swedish soda.

