
#1 2011-07-23 00:21:19

kekules_dream
Member
Registered: 2009-05-19
Posts: 102

[SOLVED] iptables preventing ssh within local network

I have updated my machines and removed tcp_wrappers.  I have iptables set to reject as default on my input chain.   I can ssh from one machine to another no problem as long as I stop iptables on the client first.  I tried adding a rule to my iptables script as mentioned in

https://bbs.archlinux.org/viewtopic.php?id=122651

modifying only as needed for my own local network:

iptables -A INPUT -p tcp -s 192.168.1.0/100 --dport ssh -j ACCEPT

but still I can ssh to the client only if I stop iptables.

Is there something wrong with the above rule?  How do I set up iptables to allow ssh from 192.168.1.0/100?

Thanks.

Last edited by kekules_dream (2011-07-24 19:18:05)


#2 2011-07-23 00:34:51

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: [SOLVED] iptables preventing ssh within local network

/100 sounds invalid. 32 is the maximum number you can put there.

http://en.wikipedia.org/wiki/Subnetwork


#3 2011-07-23 00:46:17

kekules_dream
Member
Registered: 2009-05-19
Posts: 102

Re: [SOLVED] iptables preventing ssh within local network

I tried to add the rule manually and got:
Invalid mask `100 specified

So I am sure you are right.  However, ifconfig on host definitely shows
inet addr:192.168.1.100

I am using tomato firmware in my router.  Maybe I can go in there and make my host 32 or less.


#4 2011-07-23 06:21:45

stqn
Member
Registered: 2010-03-19
Posts: 1,191
Website

Re: [SOLVED] iptables preventing ssh within local network

Maybe the wikipedia article is too much to digest.

If you want to give access only to 192.168.1.100, you should write 192.168.1.100/32.
If you want to give access to all your local network, try 192.168.1.0/24.

The last number is the number of high-order bits of the IP address to take into account when doing the filtering.


#5 2011-07-23 08:12:56

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: [SOLVED] iptables preventing ssh within local network

stqn wrote:

If you want to give access only to 192.168.1.100, you should write 192.168.1.100/32.
If you want to give access to all your local network, try 192.168.1.0/24.

Yes.

You are misunderstanding what CIDR masks are. The /XX represents how many bits of the IP Address from the left must match. Read more: http://en.wikipedia.org/wiki/Classless_ … in_Routing

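To make the CIDR point from the last two replies concrete, here is a small POSIX sh script (added here as an illustration, not code from any poster in this thread). It computes the netmask a /N prefix stands for, tests whether an address falls inside a block the way an iptables -s match would, and returns a distinct status for an impossible prefix such as /100. The function names are mine; it assumes a shell with 64-bit arithmetic (dash or bash on Linux).

```sh
#!/bin/sh
# Added example: what a /N prefix means in an iptables -s match.
# Assumes 64-bit shell arithmetic (dash/bash on Linux); all names are illustrative.

# Convert a dotted-quad IPv4 address to a 32-bit integer; returns 1 if malformed.
ip4_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Print the dotted netmask for a prefix length, e.g. 24 -> 255.255.255.0.
# The prefix length is the number of high-order bits that must match;
# the remaining 32-N host bits are ignored when filtering.
cidr_netmask() {
    host_bits=$(( 32 - $1 ))
    m=$(( (4294967295 >> host_bits) << host_bits ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# cidr_contains NETWORK[/PREFIX] IP
#   exit 0: IP is inside the block (the -s match would fire)
#   exit 1: IP is outside the block
#   exit 2: malformed address or prefix (the case iptables reports as "Invalid mask")
cidr_contains() {
    case $1 in
        */*) net=${1%/*}; len=${1#*/} ;;
        *)   net=$1;      len=32 ;;      # a bare address means /32, as in iptables
    esac
    case $len in ''|*[!0-9]*) return 2 ;; esac
    [ "$len" -le 32 ] || return 2
    net_i=$(ip4_to_int "$net") || return 2
    ip_i=$(ip4_to_int "$2") || return 2
    host_bits=$(( 32 - len ))
    mask=$(( (4294967295 >> host_bits) << host_bits ))
    [ $(( net_i & mask )) -eq $(( ip_i & mask )) ]
}

# Usage: the three specs from the thread against the two hosts mentioned in it.
for spec in 192.168.1.100/32 192.168.1.0/24 192.168.1.0/100; do
    for ip in 192.168.1.100 192.168.1.148; do
        cidr_contains "$spec" "$ip" && rc=0 || rc=$?
        case $rc in 0) r=match ;; 1) r="no match" ;; *) r="invalid mask" ;; esac
        printf '%-18s %-15s %s\n' "$spec" "$ip" "$r"
    done
done
```

Running it shows /32 matching only 192.168.1.100, /24 matching both hosts, and /100 rejected outright, which is exactly why the original rule never loaded.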

#6 2011-07-24 13:15:23

kekules_dream
Member
Registered: 2009-05-19
Posts: 102

Re: [SOLVED] iptables preventing ssh within local network

Thanks for that info. I understand the points about CIDR masks now.  However, my iptables configuration is still preventing ssh locally, with:

ssh: connect to host 192.168.1.148 port 22: Protocol not available
netstat -tnlp | grep ssh

shows that ssh is running and listening.  The problem must be in my iptables setup script since I still have no problems with ssh if I stop iptables.

Could there be something wrong with my script?  It is now completely up to date with the Simple Stateful Firewall wiki and contains the line for allowing all local ssh, yet still it is blocking.  I make sure to stop iptables when I clear the rules or reload new ones.  Iptables is current, too, 1.4.11.1-1.  I have tried 100/32 also and this too blocks.

#!/bin/sh
iptables -N TCP
iptables -N UDP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreach
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreach
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach
iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport ssh -j ACCEPT
/etc/rc.d/iptables save


#7 2011-07-24 14:07:23

stqn
Member
Registered: 2010-03-19
Posts: 1,191
Website

Re: [SOLVED] iptables preventing ssh within local network

iptables -A INPUT -j REJECT --reject-with icmp-proto-unreach

Anything below this in the INPUT chain is going to be ignored...
This script looks like a mess.


#8 2011-07-24 16:10:08

kekules_dream
Member
Registered: 2009-05-19
Posts: 102

Re: [SOLVED] iptables preventing ssh within local network

Ok, I appreciate your candor.  It is simply following the wiki article

https://wiki.archlinux.org/index.php/Si … l_Firewall

and all the commands are in the order given in that article, with the exception of the last one I added in an attempt to regain my ability to ssh, scp and sshfs around my local network, which I have lost due to the recent updates.


#9 2011-07-24 16:39:37

stqn
Member
Registered: 2010-03-19
Posts: 1,191
Website

Re: [SOLVED] iptables preventing ssh within local network

You can use "sudo iptables -S INPUT" to list the rules after running your script. As I said, all the rules below "-A INPUT -j REJECT" will be ignored. Change the script so that they are above :)

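A way to catch this class of mistake automatically, added here as an example and not posted by anyone in the thread: feed the output of "iptables -S" to a short awk filter that reports every rule sitting below an unconditional terminating rule in the same chain. The sample listings below are constructed by me to mirror the INPUT chain from post #6 (broken) and post #10 (fixed) in the canonical spelling iptables -S prints; the function names are mine, and the "unconditional rule" test is a deliberate approximation rather than a full iptables parser.

```sh
#!/bin/sh
# Added example: find rules that can never match because an unconditional
# terminating rule (-j ACCEPT/DROP/REJECT/RETURN with no match criteria) sits
# above them in the same chain. iptables walks a chain top-down and stops at
# the first terminating target, so "-A INPUT -j REJECT" shadows every rule
# appended after it. Needs only POSIX awk and printf.

# Reads rules on stdin in `iptables -S` format, prints one line per shadowed rule.
find_unreachable() {
    awk '
    /^-A / {
        chain = $2
        if (chain in shadowed_by) {
            print "UNREACHABLE in " chain " (after \"" shadowed_by[chain] "\"): " $0
            next
        }
        # A rule without match criteria is "-A CHAIN -j TARGET", optionally
        # followed by "--reject-with TYPE". Anything longer carries a match
        # (-s, -p, -m ...) and is not treated as unconditional here.
        unconditional = ($3 == "-j" && (NF == 4 || (NF == 6 && $5 == "--reject-with")))
        terminating = ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT" || $4 == "RETURN")
        if (unconditional && terminating) shadowed_by[chain] = $0
    }'
}

# Number of shadowed rules on stdin; handy for scripts and assertions.
count_unreachable() {
    find_unreachable | awk 'END { print NR }'
}

# Constructed sample: INPUT chain in the order the post #6 script appends it.
BROKEN_INPUT='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample: same chain after the catch-all REJECT moved to the bottom (post #10 order).
FIXED_INPUT='-P INPUT DROP
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --rsource -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable'

# Usage: on a live box pipe `sudo iptables -S INPUT` in instead of the sample.
printf '%s\n' "$BROKEN_INPUT" | find_unreachable
```

Against the broken listing it flags three rules, the ssh ACCEPT among them; against the fixed listing it prints nothing. Because shadowing is tracked per chain, the TCP and UDP user chains are checked independently of INPUT.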

#10 2011-07-24 19:17:42

kekules_dream
Member
Registered: 2009-05-19
Posts: 102

Re: [SOLVED] iptables preventing ssh within local network

Working great now thanks.  I modified my script in a few ways.  Got rid of the -D lines and rearranged.  Almost afraid to show it but I think it is better now.

#!/bin/sh
iptables -N TCP
iptables -N UDP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport ssh -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreach
/etc/rc.d/iptables save


#11 2011-07-24 21:35:05

stqn
Member
Registered: 2010-03-19
Posts: 1,191
Website

Re: [SOLVED] iptables preventing ssh within local network

Great - I can't confirm everything's fine since I'm not familiar with the conntrack and recent modules, but it looks ok to me now.


#12 2011-07-24 23:33:10

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: [SOLVED] iptables preventing ssh within local network

Some minor changes to "group" things properly (eg, I assume the point of the "TCP" and "UDP" chains is to separate the handling of tcp and udp traffic etc) and added some comments :)

#!/bin/sh
iptables -N TCP
iptables -N UDP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Setup rules for accepting TCP traffic, finishing with an explicit REJECT for anything we don't ACCEPT
iptables -A TCP -p tcp -s 192.168.1.0/24 --dport ssh -j ACCEPT
iptables -A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -A TCP -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst

# Setup rules for accepting UDP traffic, finishing with an explicit REJECT for anything we don't ACCEPT
iptables -A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach
iptables -A UDP -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach

# General sanity checking of traffic in INPUT, and dispatching calls to our "TCP" and "UDP" chains (above)
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreach
/etc/rc.d/iptables save


#13 2011-07-25 13:28:42

kekules_dream
Member
Registered: 2009-05-19
Posts: 102

Re: [SOLVED] iptables preventing ssh within local network

Great! Thanks to all.
