Linux Netfilter discussions
* can't ssh outside with OUTPUT (policy ACCEPT)
@ 2007-08-08 16:42 Maxim Veksler
  2007-08-08 17:45 ` Martijn Lievaart
  0 siblings, 1 reply; 6+ messages in thread
From: Maxim Veksler @ 2007-08-08 16:42 UTC (permalink / raw)
  To: netfilter

Hello,

Following a recent thread on this list, I've configured my firewall to
allow incoming traffic from specific IPs only. Now I can't ssh
outside; could someone please explain why this is happening?

The system is redhat 4.

[root@prd-001 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  xxx.114.183.1        anywhere
ACCEPT     all  --  yyy.8.145.182        anywhere
ACCEPT     all  --  zzz.68.137.158       anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@prd-001 ~]# iptables-save
# Generated by iptables-save v1.2.11 on Wed Aug  8 19:26:51 2007
*filter
:INPUT DROP [110564:24802104]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [637061:352312072]
-A INPUT -s xxx.114.183.1 -j ACCEPT
-A INPUT -s yyy.8.145.182 -j ACCEPT
-A INPUT -s zzz.68.137.158 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Wed Aug  8 19:26:51 2007


Trying to ssh to "aaa.bbb.216.35" fails with a timeout; looking at
tcpdump on the other side shows no TCP handshake is made.

Thank you for your help,
Maxim.

-- 
Cheers,
Maxim Veksler

"Free as in Freedom" - Do u GNU ?



* Re: can't ssh outside with OUTPUT (policy ACCEPT)
  2007-08-08 16:42 can't ssh outside with OUTPUT (policy ACCEPT) Maxim Veksler
@ 2007-08-08 17:45 ` Martijn Lievaart
  2007-08-08 19:35   ` Maxim Veksler
  0 siblings, 1 reply; 6+ messages in thread
From: Martijn Lievaart @ 2007-08-08 17:45 UTC (permalink / raw)
  To: Maxim Veksler; +Cc: netfilter

Maxim Veksler wrote:
> Hello,
>
> Following a recent thread on this list, I've configured my firewall to
> allow incoming traffic from specific IPs only. Now I can't ssh
> outside; could someone please explain why this is happening?
>
> The system is redhat 4.
>
> [root@prd-001 ~]# iptables -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  xxx.114.183.1        anywhere
> ACCEPT     all  --  yyy.8.145.182        anywhere
> ACCEPT     all  --  zzz.68.137.158       anywhere
> ACCEPT     all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> [root@prd-001 ~]# iptables-save
> # Generated by iptables-save v1.2.11 on Wed Aug  8 19:26:51 2007
> *filter
> :INPUT DROP [110564:24802104]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [637061:352312072]
> -A INPUT -s xxx.114.183.1 -j ACCEPT
> -A INPUT -s yyy.8.145.182 -j ACCEPT
> -A INPUT -s zzz.68.137.158 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> COMMIT
> # Completed on Wed Aug  8 19:26:51 2007
>
>
> Trying to ssh to "aaa.bbb.216.35" fails with a timeout; looking at
> tcpdump on the other side shows no TCP handshake is made.
>   

You don't allow the return packets in. Add a -m state --state 
ESTABLISHED,RELATED match as the first rule in your INPUT chain.

HTH,
M4



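Why the reply gets dropped, as an added example that is not part of the thread: the Python below is a toy model of how netfilter walks a filter chain, with a minimal stand-in for the kernel's connection tracking, and it pushes Maxim's ruleset, with and without the state rule Martijn suggests, through an outbound ssh handshake. The model is the example's own (it is not iptables code): it parses only the subset of iptables-save syntax used here, covers TCP handshakes only (a bare SYN opens a flow, an unsolicited SYN-ACK is INVALID, as in nf_conntrack's TCP tracker), and uses RFC 5737 documentation addresses in place of the masked xxx/yyy/zzz hosts and aaa.bbb.216.35. All of those are assumptions of the example.

```python
import ipaddress
import shlex
from collections import namedtuple

# Maxim's ruleset; RFC 5737 addresses stand in for the masked ones (assumption).
BROKEN = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
"""
# The same ruleset with Martijn's fix inserted as the first INPUT rule.
FIXED = BROKEN.replace(
    "-A INPUT -s", "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n-A INPUT -s", 1)

Packet = namedtuple("Packet", "src dst sport dport flags iface")

def parse_ruleset(text):
    """Parse the subset of iptables-save syntax used above into (policies, rules)."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):                  # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = {"chain": tok[1]}
            for opt, val in zip(tok[2::2], tok[3::2]):
                if opt == "-s":
                    rule["src"] = ipaddress.ip_network(val, strict=False)
                elif opt == "-i":
                    rule["iface"] = val
                elif opt == "--state":
                    rule["states"] = set(val.split(","))
                elif opt == "-j":
                    rule["target"] = val
                elif opt != "-m":                 # "-m state" itself carries nothing
                    raise ValueError("unsupported option %s in: %s" % (opt, line))
            rules.append(rule)
    return policies, rules

class Conntrack:
    """Stand-in for nf_conntrack, TCP handshake only (assumption): original 4-tuple -> reply seen."""
    def __init__(self):
        self.flows = {}

    def classify(self, p):
        """The ctstate that '-m state' sees for this packet."""
        fwd, rev = (p.src, p.dst, p.sport, p.dport), (p.dst, p.src, p.dport, p.sport)
        if fwd in self.flows:
            return "ESTABLISHED" if self.flows[fwd] else "NEW"
        if rev in self.flows:
            return "ESTABLISHED"                  # reply direction of a known flow
        return "NEW" if p.flags == {"SYN"} else "INVALID"   # only a bare SYN opens a flow

    def confirm(self, p, state):
        """The kernel confirms an entry only once the filter chain has ACCEPTed the packet."""
        fwd, rev = (p.src, p.dst, p.sport, p.dport), (p.dst, p.src, p.dport, p.sport)
        if state == "NEW":
            self.flows.setdefault(fwd, False)
        elif rev in self.flows:
            self.flows[rev] = True

def evaluate(chain, p, state, policies, rules):
    """Walk the chain top to bottom: first ACCEPT/DROP match wins, else the chain policy."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if "src" in r and ipaddress.ip_address(p.src) not in r["src"]:
            continue
        if "iface" in r and p.iface != r["iface"]:
            continue
        if "states" in r and state not in r["states"]:
            continue
        if r["target"] in ("ACCEPT", "DROP"):
            return r["target"]                    # a LOG target would fall through
    return policies[chain]

def run(ruleset, packets):
    """Push (chain, Packet) pairs through a ruleset; return (chain, ctstate, verdict) per packet."""
    policies, rules = parse_ruleset(ruleset)
    ct, trace = Conntrack(), []
    for chain, p in packets:
        state = ct.classify(p)
        verdict = evaluate(chain, p, state, policies, rules)
        if verdict == "ACCEPT":
            ct.confirm(p, state)
        trace.append((chain, state, verdict))
    return trace

SYN, SYNACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
ME, PEER, FRIEND = "198.51.100.10", "192.0.2.35", "203.0.113.1"
# Our ssh to PEER: the SYN leaves via OUTPUT, the peer's SYN-ACK comes back via INPUT.
OUTBOUND_SSH = [("OUTPUT", Packet(ME, PEER, 41512, 22, SYN, "eth0")),
                ("INPUT", Packet(PEER, ME, 22, 41512, SYNACK, "eth0"))]
STRAY_SYNACK = [("INPUT", Packet("192.0.2.99", ME, 22, 5555, SYNACK, "eth0"))]  # nobody asked
FRIEND_SSH = [("INPUT", Packet(FRIEND, ME, 40000, 22, SYN, "eth0"))]            # allow-listed

if __name__ == "__main__":
    for name, rs in (("broken", BROKEN), ("fixed", FIXED)):
        for scenario in (OUTBOUND_SSH, STRAY_SYNACK, FRIEND_SSH):
            print(name, run(rs, scenario))
```

The trace shows the mechanism behind Martijn's one-line diagnosis: the SYN leaves through OUTPUT (policy ACCEPT) and creates a conntrack entry, so when the peer's SYN-ACK reaches INPUT, conntrack already labels it ESTABLISHED; but the original chain has no rule that looks at state, the source is not on the allow-list and the interface is not lo, so it falls through to the DROP policy. With the state rule first, the same packet is accepted on rule one, while a SYN-ACK that matches no flow is INVALID and still dropped, which is why the rule does not weaken the allow-list.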

* Re: can't ssh outside with OUTPUT (policy ACCEPT)
  2007-08-08 17:45 ` Martijn Lievaart
@ 2007-08-08 19:35   ` Maxim Veksler
  2007-08-08 21:46     ` Martijn Lievaart
  0 siblings, 1 reply; 6+ messages in thread
From: Maxim Veksler @ 2007-08-08 19:35 UTC (permalink / raw)
  To: Martijn Lievaart; +Cc: netfilter

On 8/8/07, Martijn Lievaart <m@rtij.nl> wrote:
> Maxim Veksler wrote:
> > Hello,
> >
> > Following a recent thread on this list, I've configured my firewall to
> > allow incoming traffic from specific IPs only. Now I can't ssh
> > outside; could someone please explain why this is happening?
> >
> > The system is redhat 4.
> >
>
> You don't allow the return packets in. Add a -m state --state
> ESTABLISHED,RELATED match as the first rule in your INPUT chain.
>

That was it, thank you very much.
How could I have debugged it myself?

> HTH,
> M4
>
>


-- 
Cheers,
Maxim Veksler

"Free as in Freedom" - Do u GNU ?



* Re: can't ssh outside with OUTPUT (policy ACCEPT)
  2007-08-08 19:35   ` Maxim Veksler
@ 2007-08-08 21:46     ` Martijn Lievaart
  2007-08-08 22:46       ` Maxim Veksler
  0 siblings, 1 reply; 6+ messages in thread
From: Martijn Lievaart @ 2007-08-08 21:46 UTC (permalink / raw)
  To: Maxim Veksler; +Cc: netfilter

Maxim Veksler wrote:
> On 8/8/07, Martijn Lievaart <m@rtij.nl> wrote:
>   
>> Maxim Veksler wrote:
>>     
>>> Hello,
>>>
>>> Following a recent thread on this list, I've configured my firewall to
>>> allow incoming traffic from specific IPs only. Now I can't ssh
>>> outside; could someone please explain why this is happening?
>>>
>>> The system is redhat 4.
>>>
>>>       
>> You don't allow the return packets in. Add a -m state --state
>> ESTABLISHED,RELATED match as the first rule in your INPUT chain.
>>
>>     
>
> That was it, thank you very much.
> How could I have debugged it myself?
>   

Good question!

Add LOG rules for dropped traffic. Get out wireshark (formerly ethereal) 
to see what goes on at the line. Read up on how to construct good 
rulesets and maybe even on IP (no sorry, I don't have any links).

HTH,
M4




* Re: can't ssh outside with OUTPUT (policy ACCEPT)
  2007-08-08 21:46     ` Martijn Lievaart
@ 2007-08-08 22:46       ` Maxim Veksler
  2007-08-09  5:16         ` Martijn Lievaart
  0 siblings, 1 reply; 6+ messages in thread
From: Maxim Veksler @ 2007-08-08 22:46 UTC (permalink / raw)
  To: Martijn Lievaart; +Cc: netfilter

On 8/9/07, Martijn Lievaart <m@rtij.nl> wrote:
> Maxim Veksler wrote:
> > On 8/8/07, Martijn Lievaart <m@rtij.nl> wrote:
> >
> >> Maxim Veksler wrote:
> >>
> >>> Hello,
> >>>
> >>> Following a recent thread on this list, I've configured my firewall to
> >>> allow incoming traffic from specific IPs only. Now I can't ssh
> >>> outside; could someone please explain why this is happening?
> >>>
> >>> The system is redhat 4.
> >>>
> >>>
> >> You don't allow the return packets in. Add a -m state --state
> >> ESTABLISHED,RELATED match as the first rule in your INPUT chain.
> >>
> >>
> >
> > That was it, thank you very much.
> > How could I have debugged it myself?
> >
>
> Good question!
>

Thank you.

> Add LOG rules for dropped traffic.

I would appreciate an example for this tip.

> Get out wireshark (formerly ethereal)

Got it: tcpdump -w /tmp/iptables_lock.cap. It seems that the iptables hook
drops the packet before libpcap has a chance of seeing it.

> to see what goes on at the line. Read up on how to construct good
> rulesets

Would very much appreciate good links here.

> and maybe even on IP (no sorry, I don't have any links).
>

RFC 791, that's for IP. Please correct me if I'm wrong, but you meant
read up on TCP, because IP is stateless and has no verification whatsoever
built in; the only tracking IP does is for fragmentation and
reconstruction of packets. I don't think this was the case here, and
furthermore I don't see how --state ESTABLISHED,RELATED could have
any effect on it. Again, please correct me if I'm wrong.

> HTH,

It does !

> M4
>
>

Thank you.

-- 
Cheers,
Maxim Veksler

"Free as in Freedom" - Do u GNU ?



* Re: can't ssh outside with OUTPUT (policy ACCEPT)
  2007-08-08 22:46       ` Maxim Veksler
@ 2007-08-09  5:16         ` Martijn Lievaart
  0 siblings, 0 replies; 6+ messages in thread
From: Martijn Lievaart @ 2007-08-09  5:16 UTC (permalink / raw)
  To: Maxim Veksler; +Cc: netfilter

Maxim Veksler wrote:
>   
>> Add LOG rules for dropped traffic.
>>     
>
> I would appreciate an example for this tip.
>   

At the end of any of the {INPUT,OUTPUT,FORWARD} chains where policy is 
DROP, add the rule

-j LOG --log-prefix "(default): "
-j DROP

(that last one is optional, it duplicates the policy. But it is 
considered good style, plus you have counters on this rule, another 
debugging aid).

Another good way to debug such things is to add specific log rules at 
the top of all chains:

-A INPUT -s aaa.bbb.216.35 -j LOG --log-prefix "debug INPUT: "
-A INPUT -d aaa.bbb.216.35 -j LOG --log-prefix "debug INPUT: "

>   
>> Get out wireshark (formerly ethereal)
>>     
>
> Got it: tcpdump -w /tmp/iptables_lock.cap. It seems that the iptables hook
> drops the packet before libpcap has a chance of seeing it.
>   

No, tcpdump/wireshark/ethereal sees the packets before netfilter on 
input and after netfilter on output. I think you did something else 
wrong here.

I personally never run a gui on my firewalls, but do have the X 
libraries installed. That way I can ssh -X into the box and run 
wireshark on it.

>   
>> to see what goes on at the line. Read up on how to construct good
>> rulesets
>>     
>
> Would very much appreciate good links here.
>   

I don't know any, but the documentation section of www.netfilter.org is 
a good start. I still want to write a document/site on writing good 
iptables rules, but don't have the time. Maybe I should make the time.

Anyway, Rusty Russell's unreliable packet filtering guide is a good read 
for the basics, especially on -m state.

>> and maybe even on IP (no sorry, I don't have any links).

>
> RFC 791, that's for IP. Please correct me if I'm wrong, but you meant
> read up on TCP, because IP is stateless and has no verification whatsoever
> built in; the only tracking IP does is for fragmentation and
> reconstruction of packets. I don't think this was the case here, and
> furthermore I don't see how --state ESTABLISHED,RELATED could have
> any effect on it. Again, please correct me if I'm wrong.
>   

No, you're quite right.

HTH,
M4



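The LOG rules Martijn describes in this reply (and first suggested two messages up) make the kernel write one syslog line per dropped packet in the ipt_LOG key=value format (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=, with bare tokens such as SYN, ACK and DF for flags). As an added example, not part of the thread, the Python below reads lines carrying his "(default): " prefix and answers Maxim's "how could I have debugged it myself" question from the log alone: it separates dropped SYN-ACKs, which are replies to connections this host itself opened and the signature of an INPUT chain with no ESTABLISHED,RELATED rule, from unsolicited SYNs that the DROP policy is meant to eat. The sample lines are constructed for the example (RFC 5737 addresses in place of the masked ones, invented MACs and IDs), and the verdict names and their explanations are the example's own.

```python
import re
from collections import Counter

# Tokens ipt_LOG prints without "=VALUE": TCP flags and the IP DF bit.
BARE = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "CWR", "ECE"}
# "... kernel: [optional uptime] <prefix>IN=... OUT=... SRC=... DST=... PROTO=... "
LOG_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)(?P<fields>IN=.*)$")

def parse_log_line(line):
    """Turn one syslog line written by a LOG rule into a dict; None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = {"PREFIX": m.group("prefix").strip(), "FLAGS": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # later keys win (ICMP lines repeat ID=)
            entry[key] = val
        elif tok in BARE:
            entry["FLAGS"].add(tok)
    return entry

def classify(e):
    """Guess what a dropped packet was from its direction, protocol and TCP flags."""
    if e.get("OUT") and not e.get("IN"):
        return "outbound"            # locally generated: the OUTPUT chain dropped it
    if e.get("PROTO") != "TCP":
        return "non-tcp"
    f = e["FLAGS"]
    if {"SYN", "ACK"} <= f:
        return "dropped-reply"       # SYN-ACK: the answer to a SYN this host sent
    if "SYN" in f:
        return "unsolicited-syn"     # someone knocking; default deny did its job
    if "RST" in f:
        return "dropped-rst"
    return "dropped-midstream"       # ACK/data of a flow conntrack no longer (or never) knew

HELP = {   # what each verdict usually means for the ruleset (example's own wording)
    "dropped-reply": "INPUT has no '-m state --state ESTABLISHED,RELATED' rule before the drop",
    "dropped-midstream": "state rule missing, or the conntrack entry already timed out",
    "unsolicited-syn": "expected under a DROP policy; allow-list the source if it is wanted",
    "non-tcp": "ICMP/UDP replies also need the state rule; RELATED covers ICMP errors",
}

def triage(lines):
    """Parse and classify every LOG line in a list of syslog lines."""
    entries = []
    for line in lines:
        e = parse_log_line(line)
        if e is not None:
            e["VERDICT"] = classify(e)
            entries.append(e)
    return entries

def summarize(entries):
    """Count verdicts and list the peers whose replies are being thrown away."""
    counts = Counter(e["VERDICT"] for e in entries)
    peers = sorted({"%s:%s" % (e["SRC"], e["SPT"]) for e in entries if e["VERDICT"] == "dropped-reply"})
    return counts, peers

# Constructed sample of /var/log/messages on the firewall (not real log data): the ssh
# peer's SYN-ACK and its retransmit, a stranger's SYN, a ping, and an unrelated sshd line.
SAMPLE_LOG = """\
Aug  8 19:30:01 prd-001 kernel: (default): IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.35 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=22 DPT=41512 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Aug  8 19:30:04 prd-001 kernel: (default): IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.35 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=22 DPT=41512 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Aug  8 19:30:09 prd-001 kernel: (default): IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:03:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41231 DF PROTO=TCP SPT=51023 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  8 19:30:12 prd-001 kernel: (default): IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:04:08:00 SRC=198.51.100.1 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Aug  8 19:30:15 prd-001 sshd[2231]: Accepted publickey for root from 203.0.113.1 port 40000 ssh2
""".splitlines()

if __name__ == "__main__":
    entries = triage(SAMPLE_LOG)
    for e in entries:
        print(e["PREFIX"], e["SRC"], "->", e["DST"], e.get("PROTO"), sorted(e["FLAGS"]), e["VERDICT"])
    counts, peers = summarize(entries)
    print(dict(counts), "replies dropped from:", peers, HELP.get("dropped-reply") if peers else "")
```

On Maxim's original ruleset the two lines from 192.0.2.35:22 come out as dropped-reply, which points straight at the missing state rule; once that rule is in place ahead of the LOG/DROP pair, replies to this host's own connections no longer reach the end of the chain, and what remains in the log is the unsolicited traffic the DROP policy is there for. The counters on the explicit -j DROP rule that Martijn mentions give the same signal without reading the log at all.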
