
iptables question

 
SOLVED
Jeffrey S. Sims
Trusted Contributor


I have RedHat 7.2 installed with a 2.4.18 kernel built with iptables support. I am trying to set up a firewall using iptables (getting away from ipchains) but seem to have a few problems.

It appears that the default policy of DROP overrules any exceptions I put in. For example, if I set the default policy for both INPUT and OUTPUT to DROP and then enter the following iptables commands:

iptables -A INPUT -i eth0 -p tcp -d 192.168.1.253 --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.253 --sport 22 -j ACCEPT

I cannot ssh to the server (192.168.1.253) after entering these rules. sshd is running and the server is listening on port 22. Any ideas?

--Anxiously awaiting some light shed on this for me
6 REPLIES
Stuart Browne
Honored Contributor

Re: iptables question

Dumb question that needs to be asked. What's the IP address of the interface 'eth0' ?

The other thing I've found is that iptables usually likes the '-j' flag earlier on the command line. It does have a different effect on some rules, but if you can list the chains back and they all look OK (iptables -nvL), then that won't be it.
One long-haired git at your service...
Jeffrey S. Sims
Trusted Contributor

Re: iptables question

the IP is 192.168.1.253

iptables --list works fine and lists both rules. I basically want to allow any incoming ssh request (to this machine).

I am attempting to ssh from another machine on the 192.168.1.xx network.

Mark Fenton
Esteemed Contributor

Re: iptables question

Jeffrey,

Some thoughts:

1) I have been using shorewall as the basis of my firewall (www.shorewall.org or search for it on freshmeat.net) and have found it to be a superior script, and reasonably easy to configure.

2) Have you verified from /var/log/messages that the packets are indeed being dropped by the policy rule?

3) Even if you don't use shorewall, the author operates an email list that discusses cool hacks with iptables. Could be of interest.

hth
Mark
Trever Furnish
Regular Advisor
Solution

Re: iptables question

Have you tried logging the packets affected by each rule? Basically, either log everything or precede each rule with an identical rule except that the target is LOG instead of ACCEPT.

For example:
/sbin/iptables -A INPUT -m state --state NEW -i ! eth1 -j LOG
/sbin/iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT

It gets logged into the kern.* category, if I remember correctly (big if). You'll probably need to add something like:
kern.* /var/log/kernel

...to /etc/syslog.conf and restart syslog if you want to save the log messages (maybe not, don't take my word on that - test for yourself).

If you do that, either don't leave it there permanently, or go ahead and add something to logrotate's config to make sure you don't end up with /var/log/kernel growing indefinitely. Something such as a file in /etc/logrotate.d called kernel with contents such as:
/var/log/kernel {
compress
missingok
notifempty
daily
rotate 14
sharedscripts
prerotate
true
endscript
postrotate
true
endscript
}

...which would keep at least 14 days of log files but no more than 14 files.

Once you have the traffic logged you should be able to see source/dest info to make sure it's what you're expecting...

Also, perhaps it's enough to specify your source networks instead of your source interface? Depends on your situation.
Hockey PUX?
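Reading the log output Trever describes, as an added example that is not part of the thread: a small shell/awk summarizer for netfilter LOG lines. The five log lines in SAMPLE_LOG are constructed sample data (the hostname fw, the prefixes SSH-ACCEPT and POLICY-DROP, and every address are assumptions), shaped like the kernel messages the LOG target writes when each rule carries a --log-prefix ending in a space. The script groups them by prefix, direction, addresses and destination port so an asymmetry between chains stands out at once.

```shell
#!/bin/sh
# Added example, not from the thread: summarize netfilter LOG lines so the
# source/destination of accepted and dropped packets can be read at a glance.
# SAMPLE_LOG is CONSTRUCTED data in the format the LOG target writes to
# kern.*: the hostname "fw", the prefixes SSH-ACCEPT / POLICY-DROP and all
# addresses are assumptions. Each rule's --log-prefix ends in a space, so the
# prefix is whatever sits between "kernel: " and " IN=".
SAMPLE_LOG='Jun 12 10:15:32 fw kernel: SSH-ACCEPT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=192.168.1.253 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=33456 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 10:15:32 fw kernel: POLICY-DROP IN= OUT=eth0 SRC=192.168.1.253 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=33456 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Jun 12 10:15:35 fw kernel: POLICY-DROP IN= OUT=eth0 SRC=192.168.1.253 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=33456 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Jun 12 10:15:40 fw kernel: POLICY-DROP IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=32768 DPT=53 LEN=44
Jun 12 10:15:41 fw kernel: POLICY-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.77 DST=192.168.1.253 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4711 DF PROTO=TCP SPT=1089 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0'

# summarize_log: read LOG lines on stdin; print "<count> <prefix> <dir>
# <SRC>-><DST> <PROTO>/<DPT>" once per distinct tuple, sorted. Lines without
# "kernel: " (other syslog traffic sharing the file) are ignored.
summarize_log() {
    awk '
    /kernel: / {
        line = $0
        sub(/^.*kernel: /, "", line)
        sub(/^\[[0-9. ]*\] /, "", line)      # drop a dmesg-style timestamp if present
        if (line ~ /^IN=/) {
            prefix = "(none)"                # rule logged without --log-prefix
        } else {
            split(line, parts, / IN=/)
            prefix = parts[1]
        }
        in_if = ""; out_if = ""; src = "?"; dst = "?"; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)    in_if  = substr($i, 4)
            if ($i ~ /^OUT=/)   out_if = substr($i, 5)
            if ($i ~ /^SRC=/)   src    = substr($i, 5)
            if ($i ~ /^DST=/)   dst    = substr($i, 5)
            if ($i ~ /^PROTO=/) proto  = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt    = substr($i, 5)   # absent for ICMP
        }
        dir = (in_if != "") ? ("in:" in_if) : ("out:" out_if)
        count[prefix " " dir " " src "->" dst " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# sum_for_prefix PREFIX: total packets logged under one prefix (for scripts).
sum_for_prefix() {
    summarize_log | awk -v p="$1" '$2 == p { s += $1 } END { print s + 0 }'
}

# Run against the constructed sample (on a real box: summarize_log < /var/log/kernel).
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

In the constructed sample the summary shows the client's SYN to port 22 accepted on INPUT while the server's SYN/ACK is dropped on OUTPUT, and the host's own DNS lookups on lo dropped as well; that is the kind of one-sided ruleset a pair of hand-written ACCEPT rules under a DROP policy produces, and it is invisible until the packets are logged. Keep each --log-prefix a single token ending in a space so the prefix column lines up with the rule that logged it.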
Stuart Browne
Honored Contributor

Re: iptables question

iptables -I INPUT -j ACCEPT -i eth0 -p tcp -d 192.168.1.253 --dport 22
iptables -I OUTPUT -j ACCEPT -m state --state RELATED,ESTABLISHED

Try those two, along with some logging (as mentioned in the previous post), and see where you get.
One long-haired git at your service...
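Putting Stuart's state match and Trever's LOG-before-ACCEPT idea together, as an added example (not code from the thread): a complete default-DROP ruleset for the host in the question. The interface eth0 and the address 192.168.1.253 come from the question; the client network 192.168.1.0/24, the log prefixes and the rate limits are assumptions. By default the script only prints the iptables commands so their order can be reviewed; APPLY=1 runs them.

```shell
#!/bin/sh
# Added example, not from the thread: a complete default-DROP ruleset that
# admits ssh and relies on connection tracking for the return traffic, with a
# LOG rule in front of the ACCEPT and a rate-limited LOG before the policy.
# Assumptions: the host is 192.168.1.253 on eth0 (from the question); the
# client network 192.168.1.0/24, the log prefixes and the limits are made up.
# By default the iptables commands are printed, not run; APPLY=1 runs them.

IPT=${IPT:-/sbin/iptables}
IFACE=${IFACE:-eth0}
HOST=${HOST:-192.168.1.253}
ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}

# build_rules: emit the commands in load order. Order is the whole point:
# loopback and ESTABLISHED,RELATED first so replies never reach the policy,
# then NEW ssh (LOG, then ACCEPT with the identical match), then a final LOG
# so anything that falls through to DROP leaves a trace in kern.*.
build_rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $IFACE -p tcp -s $ADMIN_NET -d $HOST --dport 22 -m state --state NEW -j LOG --log-prefix "SSH-ACCEPT "
$IPT -A INPUT -i $IFACE -p tcp -s $ADMIN_NET -d $HOST --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP "
$IPT -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "OUTPUT-DROP "
EOF
}

# check_rules: refuse to load if the ssh ACCEPT is not preceded by its LOG
# twin or if either chain lacks the state rule. Exit status 0 means OK.
check_rules() {
    build_rules | awk '
        /--dport 22/ && /-j LOG/    { log_seen = 1 }
        /--dport 22/ && /-j ACCEPT/ { if (!log_seen) bad = 1 }
        /-A INPUT/  && /--state ESTABLISHED,RELATED/ { st_in = 1 }
        /-A OUTPUT/ && /--state ESTABLISHED,RELATED/ { st_out = 1 }
        END { exit (bad || !st_in || !st_out) }'
}

# rule_count: number of -A rule lines emitted, to compare with the line count
# of "iptables -nvL" after loading.
rule_count() {
    build_rules | grep -c -- ' -A '
}

# load_rules: print for review, or apply when APPLY=1 (run from the console,
# not over the ssh session you are about to firewall).
load_rules() {
    check_rules || { echo "rule order check failed, not loading" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        build_rules | sh -e
    else
        build_rules
    fi
}

load_rules
```

The state rules sit ahead of everything else so reply packets are accepted regardless of which service is opened later, and the final LOG rules are rate-limited with -m limit so a port scan cannot fill the partition Trever's logrotate stanza is guarding. On a 2.4 kernel -m state needs the ip_conntrack module loaded; on current kernels -m conntrack --ctstate is the preferred spelling. The OUTPUT policy still blocks the host's own outgoing DNS, NTP and package updates, which need their own NEW rules.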
Jeffrey S. Sims
Trusted Contributor

Re: iptables question

Trever, thanks for the suggestions. Those would have worked, but I had already found an answer at http://www.antionline.com/showthread.php?s=&threadid=230338

In case you haven't been there, it is a great tutorial on iptables, walking you through writing your rules.

Thought I would pass it along