From mboxrd@z Thu Jan 1 00:00:00 1970
From: Martijn Lievaart
Subject: Re: can't ssh outside with OUTPUT (policy ACCEPT)
Date: Wed, 08 Aug 2007 19:45:33 +0200
Message-ID: <46BA013D.6020709@rtij.nl>
To: Maxim Veksler
Cc: netfilter@lists.netfilter.org

Maxim Veksler wrote:
> Hello,
>
> Following a recent thread on this list, I've configured my firewall to
> allow incoming traffic from specific IPs only. Now I can't ssh
> outside, could someone please explain why this is happening?
>
> The system is Red Hat 4.
>
> [root@prd-001 ~]# iptables -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  xxx.114.183.1        anywhere
> ACCEPT     all  --  yyy.8.145.182        anywhere
> ACCEPT     all  --  zzz.68.137.158       anywhere
> ACCEPT     all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> [root@prd-001 ~]# iptables-save
> # Generated by iptables-save v1.2.11 on Wed Aug 8 19:26:51 2007
> *filter
> :INPUT DROP [110564:24802104]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [637061:352312072]
> -A INPUT -s xxx.114.183.1 -j ACCEPT
> -A INPUT -s yyy.8.145.182 -j ACCEPT
> -A INPUT -s zzz.68.137.158 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> COMMIT
> # Completed on Wed Aug 8 19:26:51 2007
>
>
> Trying to ssh to "aaa.bbb.216.35" fails with timeout, looking at
> tcpdump on the other side shows no TCP handshake is made.
>

You don't allow the return packets in. Add a -m state --state ESTABLISHED,RELATED match as the first rule in your INPUT chain.

HTH,
M4
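As an added example (not part of this thread, and not the poster's or Martijn's own script), the following POSIX shell script reproduces the quoted ruleset in iptables-save format, emits the corrected version with the ESTABLISHED,RELATED accept as the first INPUT rule as the reply suggests, and includes a small audit function that flags a dump whose INPUT policy is DROP but which has no state-match accept rule. The addresses xxx.114.183.1, yyy.8.145.182 and zzz.68.137.158 are the poster's placeholders, kept as-is; they are not valid IPs, so the generated text is for inspection and must have real addresses substituted before it is fed to iptables-restore.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the poster's dump (counters
# zeroed, placeholder addresses kept) and the corrected ruleset described in
# the reply, plus a check for the misconfiguration.

# The ruleset as quoted in the original message (iptables-save format).
original_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s xxx.114.183.1 -j ACCEPT
-A INPUT -s yyy.8.145.182 -j ACCEPT
-A INPUT -s zzz.68.137.158 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

# Corrected ruleset: replies to connections this host opened (the SYN-ACK
# of an outgoing ssh session, for instance) are accepted by the first rule,
# before the per-source whitelist is consulted. The DROP policy still
# applies to unsolicited new connections from any other source.
corrected_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s xxx.114.183.1 -j ACCEPT
-A INPUT -s yyy.8.145.182 -j ACCEPT
-A INPUT -s zzz.68.137.158 -j ACCEPT
COMMIT
EOF
}

# First rule appended to INPUT in the corrected set (for inspection).
first_input_rule() {
    corrected_ruleset | grep '^-A INPUT' | head -n 1
}

# Read an iptables-save dump on stdin. Returns 0 (true) when the INPUT
# policy is DROP and no INPUT rule accepts ESTABLISHED/RELATED traffic,
# which is exactly the state of the poster's box; returns 1 otherwise.
# Accepts both the old "-m state --state" and the newer
# "-m conntrack --ctstate" spellings.
lacks_return_rule() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$dump" \
        | grep -Eq '^-A INPUT .*--(ct)?state [A-Z,]*ESTABLISHED' && return 1
    return 0
}

# Usage on the live host (as root), once real addresses replace the
# placeholders:
#   corrected_ruleset | iptables-restore
# or, to fix the running chain in place with the single command the reply
# describes (position 1 puts it ahead of the whitelist):
#   iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Verify the order afterwards with: iptables -L INPUT -n --line-numbers
# Audit any box with:  iptables-save | lacks_return_rule && echo "no return rule"
if original_ruleset | lacks_return_rule; then
    echo "original ruleset: replies to outbound connections are dropped"
fi
if corrected_ruleset | lacks_return_rule; then
    echo "corrected ruleset: still broken"
else
    echo "corrected ruleset: replies to outbound connections are accepted"
fi
```

The order matters: with the state rule first, packets belonging to a connection the host itself initiated never reach the DROP policy, while a fresh SYN from a non-whitelisted address still does. The audit function only inspects a saved dump, so it can be run against any host's `iptables-save` output without touching the live ruleset.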