
List:       netfilter
Subject:    Re: ssh configuration issue / doubt
From:       Net Warrior <netwarrior863 () gmail ! com>
Date:       2012-08-28 11:52:32
Message-ID: CAP7y58PYfjp9MOugHHi57+KdS3FtjyX0JwxJbmtsOCW9Hj05sg () mail ! gmail ! com

Thank you very much, I really appreciated your help and time.

Best regards
Have a nice day.

2012/8/27 Sven-Haegar Koch <haegar@sdinet.de>:
> On Mon, 27 Aug 2012, Net Warrior wrote:
>
>> This is what I've got
>>
>> Chain INPUT (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  127.0.0.1            0.0.0.0/0
>> ACCEPT     icmp --  0.0.0.0/0            xxx        icmp type 8 state NEW,RELATED,ESTABLISHED
>> ACCEPT     icmp --  0.0.0.0/0            xxx        icmp type 0 state RELATED,ESTABLISHED
>> ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpt:22 state NEW,RELATED,ESTABLISHED
>> ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpts:2370:2371 state NEW,RELATED,ESTABLISHED
>> ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpt:1521 state NEW,RELATED,ESTABLISHED
>> ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpt:5901 state NEW,RELATED,ESTABLISHED
>> ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpts:9006:9007 state NEW,RELATED,ESTABLISHED
>> ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpt:21 state NEW,RELATED,ESTABLISHED
>> ACCEPT     tcp  --  0.0.0.0/0            xxx        tcp spts:1024:65535 dpt:20 state NEW,RELATED,ESTABLISHED
>> ACCEPT     udp  --  0.0.0.0/0            xxx        udp spts:1024:65535 dpts:67:68
>> ACCEPT     udp  --  0.0.0.0/0            xxx        udp spt:53 dpts:1024:65535
>> ACCEPT     udp  --  0.0.0.0/0            xxx        udp spt:53 dpt:53
>
> You are missing a rule allowing answers to outgoing connections back in.
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> as the first rule.
>
> (You have something like this, but only for icmp type 0)
>
> Then you should also be able to remove the last two --sport 53 udp
> rules, which I think you're using for dns answers.
>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     all  --  127.0.0.1            0.0.0.0/0
>> ACCEPT     icmp --  xxx                  0.0.0.0/0           icmp type 0 state RELATED,ESTABLISHED
>> ACCEPT     icmp --  xxx                  0.0.0.0/0           icmp type 8 state NEW,RELATED,ESTABLISHED
>> ACCEPT     udp  --  xxx                  0.0.0.0/0           udp spts:1024:65535 dpt:53
>> ACCEPT     udp  --  xxx                  0.0.0.0/0           udp spt:53 dpt:53
>
> As OUTPUT is policy ACCEPT you don't need any of these rules.
>
> If you want to make it explicit use something like
>
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> as the first rule.
>
> c'ya
> sven-haegar
>
> --
> Three may keep a secret, if two of them are dead.
> - Ben F.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
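The ruleset the reply above recommends, written out as an added example that is not part of the thread and not code from either poster: a generator for the same INPUT chain in iptables-restore syntax, with the ESTABLISHED,RELATED rule first so that answers to connections this host opened (TCP, ICMP echo-reply and UDP DNS replies alike) are accepted by conntrack without the per-service spt:53 rules. Assumptions: HOST_ADDR stands in for the address masked as "xxx" in the listing (192.0.2.10 is a documentation address, not a real host); `-m conntrack --ctstate` is used as the modern equivalent of the thread's `-m state --state`; the service ports are the ones from the original chain. The `rule_pos` and `rule_count` helpers exist only so the generated ruleset can be checked before it is loaded.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a stateful INPUT/OUTPUT
# ruleset in iptables-restore format. HOST_ADDR replaces the masked "xxx"
# address (192.0.2.10 is a placeholder from the documentation range).
HOST_ADDR="${HOST_ADDR:-192.0.2.10}"
# Published TCP services taken from the original INPUT chain (a:b is a range).
TCP_PORTS="22 2370:2371 1521 5901 9006:9007 21 20"

# Print the whole ruleset.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Replies to anything this host initiated. conntrack tracks UDP and ICMP
#    as well as TCP, so DNS answers (sport 53) and echo-replies (icmp type 0)
#    are matched here and need no rule of their own.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. Packets conntrack cannot tie to any connection (stray replies, bad TCP
#    flag combinations): drop them here instead of letting them reach the
#    service rules below.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 3. Loopback.
-A INPUT -i lo -j ACCEPT
# 4. Inbound ping; the reply leaves via OUTPUT and needs nothing extra.
-A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
EOF
    # 5. One NEW rule per TCP service. No source-port match: a client may use
    #    any source port, and spts:1024:65535 adds no security.
    for p in $TCP_PORTS; do
        echo "-A INPUT -p tcp -d $HOST_ADDR --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# 6. DHCP: the server answers from port 67 to port 68. Kept explicit because
#    the broadcast lease exchange is not tracked as a reply by conntrack.
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
# OUTPUT is policy ACCEPT; this rule only makes that explicit, as suggested.
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# 1-based position of the first rule in chain $1 whose text matches $2,
# counting only that chain's -A lines; prints nothing if no rule matches.
rule_pos() {
    gen_rules | grep "^-A $1 " | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Number of rules in chain $1 whose text matches $2.
rule_count() {
    gen_rules | grep "^-A $1 " | grep -c -- "$2"
}

# Print the ruleset so it can be reviewed, parsed with
# `iptables-restore --test`, and finally committed with `iptables-restore`.
gen_rules
```

Check the generated file with `iptables-restore --test < rules.v4` (parses without committing) before loading it; the position of the ESTABLISHED,RELATED rule is the whole point, so verify it is first in INPUT after any later edits to the chain.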