ssh rule

ssh rule

[Britto]

Hi 

Can you pls anyone help me correct it if i am wrong. I
have the following entries in the iptables 

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

but still i can not do ssh to linux box from the PC
which is sitting in the internal network.

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: ssh rule

[Bjørn]

Britto <britto_antony@yahoo.com> writes:

> Hi 
> 
> Can you pls anyone help me correct it if i am wrong. I
> have the following entries in the iptables 
> 
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> 
> but still i can not do ssh to linux box from the PC
> which is sitting in the internal network.

How do you think the server's response to your login attempts will
find the way back to you when you tell it to drop all output traffic?

Hint: Check out the ESTABLISHED and RELATED states. When you
understand what they do, use them in your output rules.

-- 
Bjørn

Re: ssh rule

[Bjørn]

Britto <britto_antony@yahoo.com> writes:

> Hi Bjorn,

Stop top posting. Keep replies on-list.

> What rule should i add in the OUTPUT chain?

What about the below advice was so hard to grasp?

> > Hint: Check out the ESTABLISHED and RELATED states.
> > When you
> > understand what they do, use them in your output
> > rules.


-- 
Bjørn

Re: ssh rule

[Rob Sterenborg]

On Fri, January 13, 2006 11:28, Bjørn wrote:
> Britto <britto_antony@yahoo.com> writes:
>
>> Hi Bjorn,
>
> Stop top posting. Keep replies on-list.
>
>> What rule should i add in the OUTPUT chain?
>
> What about the below advice was so hard to grasp?

I guess the
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
part.

Or just (re)set the OUTPUT policy to ACCEPT. If you don't know how to
deal with it, it just get's in your way.

I would say : read Oskars manual :
http://iptables-tutorial.frozentux.net/iptables-tutorial.html


Gr,
Rob

>> > Hint: Check out the ESTABLISHED and RELATED states.
>> > When you
>> > understand what they do, use them in your output
>> > rules.

Re: ssh rule

[/dev/rob0]

On Friday 2006-January-13 05:07, Rob Sterenborg wrote:
> Or just (re)set the OUTPUT policy to ACCEPT. If you don't know how to
> deal with it, it just get's in your way.

That's my rule of thumb: anyone who has to ask how to make OUTPUT work 
with a DROP policy does not know enough to make that policy useful. 
Just say "iptables -P OUTPUT ACCEPT" and focus your efforts in a more 
productive direction.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header