
#1 2011-10-01 08:46:38

raeste
Member
Registered: 2011-10-01
Posts: 16

[Solved]IPtables blocks ssh

Hello everyone,

When I try to connect to my laptop via ssh, I get a port 22 connection refused error.
When I stop iptables, the connection is made.
sshd is running.

"iptables -S" gives the following output:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT

and iptables -L gives this output:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request ctstate NEW
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
ACCEPT     tcp  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain TCP (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain UDP (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

I have set up iptables following the guide in this wiki.

What have I done wrong?

Last edited by raeste (2011-10-01 16:53:35)


#2 2011-10-01 14:38:39

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,233

Re: [Solved]IPtables blocks ssh

Rules are evaluated in order... Hence the REJECT rule on line 8 matches before your ACCEPT at the end of the INPUT chain. Move the ACCEPT above this point (or append it to the "TCP" chain, which would be better given the logical layout in your current rules).

Last edited by fukawi2 (2011-10-01 14:38:48)
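The ordering point in the answer above can be checked without touching a live firewall. The following is an added example written for this thread, not code from the forum or from iptables: a small first-match simulator that loads the INPUT, TCP and UDP chains exactly as `iptables -S` printed them in the question, walks a constructed packet through them, and reports which rule produced the verdict. It models only the match options those rules use (protocol, conntrack state, the SYN-only flag test, destination port, input interface) and the iptables behaviour that a jump into a user-defined chain which matches nothing returns to the next rule of the calling chain. The interface name `eth0` is a constructed value.

```python
"""First-match simulator for the INPUT ruleset posted in the question.

Added example for this thread, not code from the forum or from iptables.
Only the match options used by the posted rules are modelled.
"""
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end evaluation


@dataclass
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port (tcp/udp)
    ctstate: str = "NEW"          # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    syn_only: bool = True         # --tcp-flags FIN,SYN,RST,ACK SYN, i.e. a fresh SYN
    iface: str = "eth0"           # input interface (constructed name)


@dataclass
class Rule:
    target: str                           # ACCEPT / DROP / REJECT or a user chain
    proto: Optional[str] = None           # -p
    dport: Optional[int] = None           # --dport
    ctstates: Optional[frozenset] = None  # --ctstate / --state
    syn_only: Optional[bool] = None       # --tcp-flags FIN,SYN,RST,ACK SYN
    iface: Optional[str] = None           # -i

    def matches(self, pkt: Packet) -> bool:
        """Every match option set on the rule must hold; unset options match anything."""
        return (
            (self.proto is None or pkt.proto == self.proto)
            and (self.dport is None or pkt.dport == self.dport)
            and (self.ctstates is None or pkt.ctstate in self.ctstates)
            and (self.syn_only is None or pkt.syn_only == self.syn_only)
            and (self.iface is None or pkt.iface == self.iface)
        )


def evaluate(chains, policies, chain, pkt):
    """Walk `chain` top to bottom; the first matching terminal target wins.
    A matching jump evaluates the user chain; if nothing terminal matches
    there, control returns to the rule after the jump. Built-in chains fall
    back to their policy; user chains return None to their caller."""
    for idx, rule in enumerate(chains[chain], start=1):
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target, f"{chain} rule {idx}"
        result = evaluate(chains, policies, rule.target, pkt)
        if result is not None:
            return result
    if chain in policies:
        return policies[chain], f"{chain} policy"
    return None


def original_ruleset():
    """The chains as `iptables -S` printed them in the question, rule numbers in comments."""
    est = frozenset({"RELATED", "ESTABLISHED"})
    new = frozenset({"NEW"})
    chains = {
        "INPUT": [
            Rule("ACCEPT", ctstates=est),                            # 1
            Rule("ACCEPT", iface="lo"),                              # 2
            Rule("DROP", ctstates=frozenset({"INVALID"})),           # 3
            Rule("ACCEPT", proto="icmp", ctstates=new),              # 4 echo-request
            Rule("UDP", proto="udp", ctstates=new),                  # 5 jump
            Rule("TCP", proto="tcp", syn_only=True, ctstates=new),   # 6 jump
            Rule("REJECT", proto="udp"),                             # 7 icmp-port-unreachable
            Rule("REJECT", proto="tcp"),                             # 8 tcp-reset
            Rule("REJECT"),                                          # 9 icmp-proto-unreachable
            Rule("ACCEPT", proto="tcp", dport=22,
                 ctstates=frozenset({"NEW", "RELATED", "ESTABLISHED"})),  # 10: shadowed by 8
        ],
        "TCP": [Rule("ACCEPT", proto="tcp", dport=80)],
        "UDP": [Rule("ACCEPT", proto="udp", dport=53)],
    }
    policies = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}
    return chains, policies


def fixed_ruleset():
    """Same ruleset after the fix in the thread: the port-22 ACCEPT appended to the TCP chain."""
    chains, policies = original_ruleset()
    chains["TCP"].append(Rule("ACCEPT", proto="tcp", dport=22))
    return chains, policies


def trace(chains, policies, pkt):
    """Verdict and the rule that produced it for a packet entering INPUT."""
    return evaluate(chains, policies, "INPUT", pkt)


if __name__ == "__main__":
    ssh_syn = Packet(proto="tcp", dport=22)   # constructed: new inbound ssh connection
    for name, ruleset in (("original", original_ruleset()), ("fixed", fixed_ruleset())):
        print(f"{name}: ssh SYN -> {trace(*ruleset, ssh_syn)}")
```

Running it shows the new ssh SYN jumping into the TCP chain at rule 6, finding no match there, returning to INPUT and being caught by the tcp-reset REJECT at rule 8, which is exactly the "connection refused" the question reports; rule 10 is never consulted. With the ACCEPT appended to the TCP chain instead, the same packet is accepted inside that chain and never reaches the REJECT rules.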


#3 2011-10-01 16:51:24

raeste
Member
Registered: 2011-10-01
Posts: 16

Re: [Solved]IPtables blocks ssh

Thanks fukawi2.

A simple

iptables -A TCP -p tcp -m tcp --dport 22 -j ACCEPT

has solved the problem.
