From mboxrd@z Thu Jan 1 00:00:00 1970
From: Martijn Lievaart
Subject: Re: can't ssh outside with OUTPUT (policy ACCEPT)
Date: Wed, 08 Aug 2007 23:46:53 +0200
Message-ID: <46BA39CD.1010802@rtij.nl>
References: <46BA013D.6020709@rtij.nl>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To:
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: netfilter-bounces@lists.netfilter.org
Errors-To: netfilter-bounces@lists.netfilter.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: Maxim Veksler
Cc: netfilter@lists.netfilter.org

Maxim Veksler wrote:
> On 8/8/07, Martijn Lievaart wrote:
>
>> Maxim Veksler wrote:
>>
>>> Hello,
>>>
>>> Following a recent thread on this list, I've configured my firewall to
>>> allow incoming traffic from specific IPs only. Now I can't ssh
>>> outside, could someone please explain why this is happening?
>>>
>>> The system is Red Hat 4.
>>>
>> You don't allow the return packets in. Add a -m state --state
>> ESTABLISHED,RELATED match as the first rule in your INPUT chain.
>>
>
> That was it, thank you very much.
> How could I have debugged it myself?
>

Good question! Add LOG rules for dropped traffic. Get out wireshark
(formerly ethereal) to see what goes on at the line. Read up on how to
construct good rulesets and maybe even on IP (no sorry, I don't have any
links).

HTH,
M4
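The ruleset shape the thread arrives at, written out as an added example (this is not from the original post or from either participant): a restrictive INPUT chain whose first ACCEPT is the ESTABLISHED,RELATED state match, so replies to the host's own outbound ssh sessions get in regardless of where they come from, followed by a rate-limited LOG rule just before the final DROP so that the next "why is this being dropped" question can be answered from the kernel log. The trusted addresses are constructed placeholders, and the script emits iptables-restore(8) text rather than calling iptables directly, so the result can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Inbound connections
# are accepted only from TRUSTED_NETS (constructed placeholder addresses);
# everything else is logged and dropped. The ESTABLISHED,RELATED rule is
# deliberately the first non-loopback ACCEPT: without it, return packets
# for connections this host opened (e.g. outbound ssh) are dropped.
TRUSTED_NETS="192.0.2.0/24 198.51.100.7"   # hypothetical trusted sources

# Print the ruleset in iptables-restore(8) format.
emit_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # First real rule: replies to our own outbound traffic always pass.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # New inbound connections only from the listed sources.
    for net in $TRUSTED_NETS; do
        echo "-A INPUT -s $net -m state --state NEW -j ACCEPT"
    done
    # Log what is about to be dropped; rate-limited so a scan cannot
    # flood the log. Look for the prefix in the kernel log (dmesg/syslog).
    echo '-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: " --log-level 4'
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

# Sanity check on the generated text: the first ACCEPT that is not the
# loopback rule must be the ESTABLISHED,RELATED match. Returns 0 if so.
state_rule_is_first_accept() {
    emit_ruleset \
        | grep -n -- '-A INPUT .* -j ACCEPT' \
        | grep -v -- '-i lo' \
        | head -n 1 \
        | grep -q 'ESTABLISHED,RELATED'
}

# The LOG rule must sit before the terminal DROP or it never fires.
log_precedes_drop() {
    log_line=$(emit_ruleset | grep -n -- '-j LOG' | cut -d: -f1)
    drop_line=$(emit_ruleset | grep -n -- '-j DROP' | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]
}

# Review with:  sh thisscript.sh
# Load with:    emit_ruleset | iptables-restore   (as root, after checking it)
```

Loading this through iptables-restore replaces the filter table atomically, which is the safer way to apply a ruleset remotely over ssh: a half-applied set of individual iptables commands can lock you out between the policy change and the state rule.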