Hi,
I followed the simple stateful firewall-guide on the wiki and got locked out of my ssh-connection.
Now I wonder if there is a mistake on my side or maybe the wiki page should be edited. I wanted to clarify this before I start editing the guide, as I am quite new to iptables.
In the guide, it says to add the following rule:
-P INPUT DROP
Not without mentioning that one should first add a rule allowing ssh-traffic looking like this:
-A TCP -p tcp --dport 22 -j ACCEPT
This actually still got me locked out. Adding this rule helped:
-A INPUT -p tcp --dport 22 -j ACCEPT
Furthermore, maybe there should be a hint on how to automatically restore iptables-rules in case one does get locked out - on my machine, a
shutdown -r +5
sufficed
You have to be extremely careful, and know what you're doing, to safely, remotely change such fundamental security aspects on a PC!
There is a big pink warning at the top of the wiki page.
I know, as it says in my post. I got back in, I was just wondering if there maybe is something missing in the wiki page.
In my experience, iptables is not for amateurs. Consider using a helper like ufw or shorewall.
Still, if there is a mistake in the wiki, it should be fixed, right?
The wiki page says:
Warning: This is the step where you will be locked out if you are logged in via SSH. Therefore do this step following your rule regarding port 22 (or whatever port you're using for SSH) to prevent being locked out.
Note the pink background, and the boldness. Not bold enough?
And to prevent this, the wiki says to add a rule in the TCP chain which allows tcp traffic via port 22:
-A TCP -p tcp --dport 22 -j ACCEPT
But that does not prevent you from being locked out, applying the same rule to the INPUT chain does:
-A INPUT -p tcp --dport 22 -j ACCEPT
That's where I think the wiki is incorrect.
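As an added example (not code from this thread or from the wiki page it discusses), the script below does two things a practitioner would want before touching a remote box: it statically checks an iptables-save style ruleset for the exact trap described above (an ACCEPT for port 22 sitting in a user chain that the INPUT chain never jumps to), and it applies a ruleset with an automatic rollback to the previously saved rules, which is the same safety net as the poster's `shutdown -r +5` but without the reboot. The chain name TCP, the `-A INPUT ... -j TCP` jump rule and the three sample rulesets are constructed for illustration; `ssh_reachable` needs only grep, awk and sort, while `safe_apply` assumes iptables-save and iptables-restore are present and that it runs as root.

```shell
#!/bin/sh
# Added example: a static "will SSH still get in?" check for an iptables-save
# style ruleset, plus an apply-with-rollback wrapper. Chain names and sample
# rulesets are constructed; this is not the wiki's or the thread's code.

# ssh_reachable RULESET [PORT]
# Exit 0 when new TCP connections to PORT (default 22) are accepted by INPUT,
# either directly or via a user chain that INPUT jumps to. An ACCEPT in a user
# chain that nothing in INPUT jumps to does NOT count: with a DROP policy on
# INPUT that rule is never evaluated, which is the lockout from the thread.
ssh_reachable() {
    rules=$1
    port=${2:-22}
    # Case 1: ACCEPT directly in the INPUT chain.
    if printf '%s\n' "$rules" | grep -Eq "^-A INPUT .*-p tcp .*--dport $port .*-j ACCEPT"; then
        return 0
    fi
    # Case 2: ACCEPT in a user chain, valid only if INPUT hands traffic to it.
    chains=$(printf '%s\n' "$rules" \
        | grep -E "^-A [A-Za-z0-9_-]+ .*-p tcp .*--dport $port .*-j ACCEPT" \
        | awk '{print $2}' | sort -u)
    for c in $chains; do
        if [ "$c" = INPUT ]; then continue; fi
        if printf '%s\n' "$rules" | grep -Eq "^-A INPUT .*-j $c( |$)"; then
            return 0
        fi
    done
    return 1
}

# safe_apply RULES_FILE [SECONDS]
# Refuses rulesets that fail ssh_reachable, saves the live rules, schedules
# their restoration after SECONDS (default 300) in the background, then loads
# RULES_FILE. If you can still log in afterwards, kill the printed PID to keep
# the new rules; if you were locked out, the old rules come back on their own.
safe_apply() {
    file=$1
    secs=${2:-300}
    if ! ssh_reachable "$(cat "$file")"; then
        echo "refusing: $file has no reachable ACCEPT for SSH in INPUT" >&2
        return 1
    fi
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    ( sleep "$secs" && iptables-restore < "$backup" ) &
    rollback=$!
    if ! iptables-restore < "$file"; then
        kill "$rollback"
        iptables-restore < "$backup"
        return 1
    fi
    echo "applied $file; rollback to $backup in ${secs}s unless you run: kill $rollback"
}

# Constructed sample: ACCEPT for 22 lives in chain TCP, but INPUT never jumps
# there, so with policy DROP the SSH connection is lost.
RULES_TCP_ONLY='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A TCP -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: same ruleset plus the INPUT -> TCP jump for new
# connections, which makes the rule in TCP effective.
RULES_WITH_JUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A TCP -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: the rule the poster ended up adding, directly in INPUT.
RULES_INPUT_DIRECT='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

for name in RULES_TCP_ONLY RULES_WITH_JUMP RULES_INPUT_DIRECT; do
    eval "set -- \"\$$name\""
    if ssh_reachable "$1"; then echo "$name: SSH reachable"; else echo "$name: LOCKOUT"; fi
done
```

Run `ssh_reachable "$(iptables-save)"` on the live box before flipping the INPUT policy to DROP; it is a cheap check of the one thing that matters for staying logged in. The rollback in `safe_apply` restores the saved rules rather than rebooting, so it works on machines where a reboot is not an option.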
You're right - fixed now