From: Sven Schuster <schuster.sven@gmx.de>
To: netfilter@lists.netfilter.org
Subject: Re: IPTABLES and SSH
Date: Thu, 16 Jan 2003 12:07:01 +0100
Message-ID: <3E269255.30908@gmx.de>
In-Reply-To: 1042713729.485.14.camel@rayw.knowledgefactory.co.za
Maybe a better way would be to use stateful checking, like
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --sport 22 \
-m state --state ESTABLISHED -j ACCEPT
Regards
Sven
Raymond Leach wrote:
>On Thu, 2003-01-16 at 12:13, Steffen Bisgaard wrote:
>
>>Hallo everybody,
>>
>>This is the first time I use this feature so if I am doing anything wrong
>>please bear with me...
>>
>>I have the following iptables running on a RH7.3 machine. Can anybody tell
>>me why I am unable to ssh to the machine when iptables is running?
>>
>>For the SSH part I have also tried:
>>
>>iptables -I INPUT -i $EXTERNAL_INTERFACE -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
>>
>You also need to allow the server to respond:
>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --sport 22 --dport 1024:65535 -j ACCEPT
>
>Have you checked your firewall log file for other clues?
>
>>but still no go...
>>
>># ----------------------------------------------------------------------------
>>#
>># Invoked from /etc/rc.d/init.d/iptables.
>># chkconfig: - 60 95
>># description: Starts and stops the IPTABLES packet filter \
>># used to provide firewall network services.
>># Source function library.
>>. /etc/rc.d/init.d/functions
>># Source networking configuration.
>>. /etc/sysconfig/network
>># Check that networking is up.
>>if [ ${NETWORKING} = "no" ]
>>then
>>exit 0
>>fi
>>if [ ! -x /sbin/iptables ]; then
>>exit 0
>>fi
>># See how we were called.
>>case "$1" in
>>start)
>>echo -n "Starting Firewalling: "
>># ----------------------------------------------------------------------------
>># Some definitions for easy maintenance.
>># EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
>>#IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d \ -f 1`
>>IPADDR="10.2.0.28"
>>EXTERNAL_INTERFACE="eth0" # Internet connected interface
>>LOOPBACK_INTERFACE="lo" # Your local naming convention
>>PRIMARY_NAMESERVER="212.120.66.194" # Your Primary Name Server
>>SECONDARY_NAMESERVER="212.120.66.195" # Your Secondary Name Server
>>#SYSLOG_CLIENT="***.**.**.*" # Your Syslog Clients IP ranges
>>LOOPBACK="127.0.0.0/8" # Reserved loopback addr range
>>CLASS_A="10.0.0.0/8" # Class A private networks
>>CLASS_B="172.16.0.0/12" # Class B private networks
>>CLASS_C="192.168.0.0/16" # Class C private networks
>>CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addr
>>CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addr
>>BROADCAST_SRC="0.0.0.0" # Broadcast source addr
>>BROADCAST_DEST="255.255.255.255" # Broadcast destination addr
>>PRIVPORTS="0:1023" # Privileged port range
>>UNPRIVPORTS="1024:" # Unprivileged port range
>># ----------------------------------------------------------------------------
>># The SSH client starts at 1023 and works down to 513 for each
>># additional simultaneous connection originating from a privileged port.
>># Clients can optionally be configured to use only unprivileged ports.
>>SSH_LOCAL_PORTS="1022:65535" # Port range for local clients
>>SSH_REMOTE_PORTS="513:65535" # Port range for remote clients
>># traceroute usually uses -S 32769:65535 -D 33434:33523
>>TRACEROUTE_SRC_PORTS="32769:65535"
>>TRACEROUTE_DEST_PORTS="33434:33523"
>># ----------------------------------------------------------------------------
>># Default policy is DENY
>># Explicitly accept desired INCOMING & OUTGOING connections
>># Remove all existing rules belonging to this filter
>>iptables -F
>># Remove any existing user-defined chains.
>>iptables -X
>># Set the default policy of the filter to deny.
>>iptables -P INPUT DROP
>>iptables -P OUTPUT DROP
>>iptables -P FORWARD DROP
>># ----------------------------------------------------------------------------
>># LOOPBACK
>># --------
>># Unlimited traffic on the loopback interface.
>>iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
>>iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
>>#
>>#
>>#
>># ----------------------------------------------------------------------------
>># SPOOFING & BAD ADDRESSES
>># Refuse spoofed packets.
>># Ignore blatantly illegal source addresses.
>># Protect yourself from sending to bad addresses.
>># Refuse incoming packets pretending to be from the external address.
>>iptables -A INPUT -s $IPADDR -j DROP
>># Refuse incoming packets claiming to be from a Class A, B or C private network
>>iptables -A INPUT -s $CLASS_A -j DROP
>>iptables -A INPUT -s $CLASS_B -j DROP
>>iptables -A INPUT -s $CLASS_C -j DROP
>># Refuse broadcast address SOURCE packets
>>iptables -A INPUT -s $BROADCAST_DEST -j DROP
>>iptables -A INPUT -d $BROADCAST_SRC -j DROP
>># Refuse Class D multicast addresses
>># Multicast is illegal as a source address.
>># Multicast uses UDP.
>>iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
>># Refuse Class E reserved IP addresses
>>iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
>># Refuse special addresses defined as reserved by the IANA.
>># Note: The remaining reserved addresses are not included
>># filtering them causes problems as reserved blocks are
>># being allocated more often now. The following are based on
>># reservations as listed by IANA as of 2001/01/04. Please regularly
>># check at http://www.iana.org/ for the latest status.
>># Note: this list includes the loopback, multicast, & reserved addresses.
>># 0.*.*.* - Can't be blocked for DHCP users.
>># 127.*.*.* - LoopBack
>># 169.254.*.* - Link Local Networks
>># 192.0.2.* - TEST-NET
>># 224-255.*.*.* - Classes D & E, plus unallocated.
>>iptables -A INPUT -s 0.0.0.0/8 -j DROP
>>iptables -A INPUT -s 127.0.0.0/8 -j DROP
>>iptables -A INPUT -s 169.254.0.0/16 -j DROP
>>iptables -A INPUT -s 192.0.2.0/24 -j DROP
>>iptables -A INPUT -s 224.0.0.0/3 -j DROP
>>#
>>#
>>#
>># ----------------------------------------------------------------------------
>># UDP TRACEROUTE
>># --------------
>># traceroute usually uses -S 32769:65535 -D 33434:33523
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
>>--source-port $TRACEROUTE_SRC_PORTS \
>>-d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
>>-s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
>>--destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
>>#
>>#
>>#
>># ----------------------------------------------------------------------------
>># DNS forward-only nameserver
>># ---------------------------
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
>>-s $PRIMARY_NAMESERVER --source-port 53 \
>>-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
>>-s $IPADDR --source-port $UNPRIVPORTS \
>>-d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
>>-s $PRIMARY_NAMESERVER --source-port 53 \
>>-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
>>-s $IPADDR --source-port $UNPRIVPORTS \
>>-d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
>>-s $SECONDARY_NAMESERVER --source-port 53 \
>>-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
>>-s $IPADDR --source-port $UNPRIVPORTS \
>>-d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
>>-s $SECONDARY_NAMESERVER --source-port 53 \
>>-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
>>-s $IPADDR --source-port $UNPRIVPORTS \
>>-d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
>>#
>>#
>>#
>># ------------------------------------------------------------------
>># POP server (110)
>># ----------------
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
>>--source-port $UNPRIVPORTS \
>>-d $IPADDR --destination-port 110 -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
>>-s $IPADDR --source-port 110 \
>>--destination-port $UNPRIVPORTS -j ACCEPT
>># POP client (110)
>># ----------------
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
>>--source-port 110 \
>>-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
>>-s $IPADDR --source-port $UNPRIVPORTS \
>>--destination-port 110 -j ACCEPT
>>#
>>#
>>#
>># ------------------------------------------------------------------
>># SMTP server (25)
>># ----------------
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
>>--source-port $UNPRIVPORTS \
>>-d $IPADDR --destination-port 25 -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
>>-s $IPADDR --source-port 25 \
>>--destination-port $UNPRIVPORTS -j ACCEPT
>>#
>>#
>>#
>># ------------------------------------------------------------------
>># SMTP client (25)
>># ----------------
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
>>--source-port 25 \
>>-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
>>-s $IPADDR --source-port $UNPRIVPORTS \
>>--destination-port 25 -j ACCEPT
>>#
>>#
>>#
>># ------------------------------------------------------------------
>># SSH server (22)
>># ---------------
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
>>--source-port $SSH_REMOTE_PORTS \
>>-d $IPADDR --destination-port 22 -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
>>-s $IPADDR --source-port 22 \
>>--destination-port $SSH_REMOTE_PORTS -j ACCEPT
>>#
>>#
>>#
>># ----------------------------------------------------------------------------
>># ICMP
>># ----
>># To prevent denial of service attacks based on ICMP bombs, filter
>># incoming Redirect (5) and outgoing Destination Unreachable (3).
>># Note, however, disabling Destination Unreachable (3) is not
>># advisable, as it is used to negotiate packet fragment size.
>># For bi-directional ping.
>># Message Types: Echo_Reply (0), Echo_Request (8)
>># To prevent attacks, limit the src addresses to your ISP range.
>>#
>># For outgoing traceroute.
>># Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
>># default UDP base: 33434 to base+nhops-1
>>#
>># For incoming traceroute.
>># Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
>># To block this, deny OUTGOING 3 and 11
>># 0: echo-reply (pong)
>># 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
>># 4: source-quench
>># 5: redirect
>># 8: echo-request (ping)
>># 11: time-exceeded
>># 12: parameter-problem
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type echo-reply \
>>-d $IPADDR -j ACCEPT
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type destination-unreachable \
>>-d $IPADDR -j ACCEPT
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type source-quench \
>>-d $IPADDR -j ACCEPT
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type time-exceeded \
>>-d $IPADDR -j ACCEPT
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type parameter-problem \
>>-d $IPADDR -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
>>-s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
>>-s $IPADDR --icmp-type source-quench -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
>>-s $IPADDR --icmp-type echo-request -j ACCEPT
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
>>-s $IPADDR --icmp-type parameter-problem -j ACCEPT
>>#
>>#
>>#
>># ----------------------------------------------------------------------------
>># Enable logging for selected denied packets
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
>>--destination-port $PRIVPORTS -j DROP
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
>>--destination-port $UNPRIVPORTS -j DROP
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type 5 -j DROP
>>iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
>>--icmp-type 13/255 -j DROP
>>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT
>># ----------------------------------------------------------------------------
>>;;
>>stop)
>>echo -n "Shutting Firewalling: "
>># Remove all existing rules belonging to this filter
>>iptables -F
>># Delete all user-defined chain to this filter
>>iptables -X
>># Reset the default policy of the filter to accept.
>>iptables -P INPUT ACCEPT
>>iptables -P OUTPUT ACCEPT
>>iptables -P FORWARD ACCEPT
>>;;
>>status)
>>status iptables
>>;;
>>restart|reload)
>>$0 stop
>>$0 start
>>;;
>>*)
>>echo "Usage: iptables {start|stop|status|restart|reload}"
>>exit 1
>>esac
>>echo "done"
>>exit 0
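As an added illustration (not code from the thread or from the netfilter project), a small Python model of first-match rule evaluation for the three SSH rule variants discussed above: the posted script's static-port OUTPUT rule with `! --syn`, Raymond's OUTPUT rule limited to 1024:65535, and Sven's `--state ESTABLISHED` rule. It also runs the posted script's Class A anti-spoof DROP against a client on the same 10.x network as IPADDR=10.2.0.28, since that DROP sits ahead of the SSH ACCEPT. The packet fields, the `syn` flag and the conntrack `state` value are constructed assumptions.

```python
import ipaddress

# First-match model of the filter table in this thread: a packet walks the
# rules of its chain in order; the first full match decides, else the chain
# policy (DROP in the posted script) applies.  'syn' models --syn (SYN set,
# ACK/RST clear), 'state' what conntrack would report.  Constructed sample data.
def rule(chain, verdict, **match):
    return {"chain": chain, "verdict": verdict, "match": match}

def _field_ok(key, want, have):
    if have is None:
        return False
    if key == "src":                        # CIDR match (-s)
        return ipaddress.ip_address(have) in ipaddress.ip_network(want)
    if isinstance(want, tuple):             # port range lo:hi
        return want[0] <= have <= want[1]
    return have == want                     # exact: proto, port, syn, state

def verdict(rules, chain, pkt, policy="DROP"):
    for r in rules:
        if r["chain"] == chain and all(
                _field_ok(k, v, pkt.get(k)) for k, v in r["match"].items()):
            return r["verdict"]
    return policy

# Posted script: Class A anti-spoof DROP precedes the SSH server rules; the
# OUTPUT rule uses '! --syn' plus the static SSH_REMOTE_PORTS range 513:65535.
POSTED = [
    rule("INPUT", "DROP", src="10.0.0.0/8"),
    rule("INPUT", "ACCEPT", proto="tcp", sport=(513, 65535), dport=22),
    rule("OUTPUT", "ACCEPT", proto="tcp", syn=False, sport=22, dport=(513, 65535)),
]
# Raymond's OUTPUT rule: replies only to unprivileged client ports.
RAYMOND = [rule("OUTPUT", "ACCEPT", proto="tcp", sport=22, dport=(1024, 65535))]
# Sven's OUTPUT rule: replies only on a connection conntrack already tracks.
SVEN = [rule("OUTPUT", "ACCEPT", proto="tcp", sport=22, state="ESTABLISHED")]
def ssh_syn(client_ip, client_port):       # client's opening SYN to port 22
    return {"proto": "tcp", "src": client_ip, "sport": client_port,
            "dport": 22, "syn": True, "state": "NEW"}
def ssh_reply(client_port, state="ESTABLISHED"):  # server SYN-ACK from port 22
    return {"proto": "tcp", "sport": 22, "dport": client_port,
            "syn": False, "state": state}
if __name__ == "__main__":
    # A LAN client on the same 10.x net as IPADDR never reaches the SSH ACCEPT;
    # a reply to a privileged client port (513-1023) needs the stateful rule.
    print(verdict(POSTED, "INPUT", ssh_syn("10.2.0.5", 40000)))   # DROP
    print(verdict(RAYMOND, "OUTPUT", ssh_reply(1000)))            # DROP
    print(verdict(SVEN, "OUTPUT", ssh_reply(1000)))               # ACCEPT
    print(verdict(SVEN, "OUTPUT", ssh_reply(1000, state="NEW")))  # DROP
```

The last case is the defensive difference: a static port rule accepts any packet that merely carries source port 22, while the stateful rule accepts only packets belonging to a connection conntrack has already seen.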
Thread overview: 5+ messages
2003-01-16 10:13 IPTABLES and SSH Steffen Bisgaard
2003-01-16 10:42 ` Raymond Leach
2003-01-16 11:07 ` Sven Schuster [this message]
2003-01-16 11:34 ` Arnt Karlsen
2003-01-16 14:02 ` IPTABLES and SSH -- READABILITY Andre Costa