I'm running Arch Linux and I have a running SSH daemon to access my machine when I'm outside my LAN. I can make the connection, but iptables keeps blocking the SSH daemon, so I can only connect if I turn off the firewall. I'm running SSH on port 5000.
My iptables rules:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# SSH
-A INPUT -p tcp --dport 22 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 5000 -j ACCEPT
# VNC
-A INPUT -p tcp --dport 5001 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 --dport 5001 -j ACCEPT
# HTTP/HTTPS
-A INPUT -p tcp --dport 80 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 8080 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 443 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 --dport 80 -j ACCEPT
You have to reorder the iptables rules.
You can't connect to your sshd because the rules are checked line by line. And you already told iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
= reject ALL tcp traffic. Even if you later tell it to accept connections to port 5000, it doesn't matter: you already rejected those connections.
So when you write iptables rules, think about the order: first insert those things you want to allow, then reject the rest.
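To make the ordering point checkable, here is an added example (not part of the original answer) written in POSIX shell: an awk filter that reads an iptables-save dump and reports every ACCEPT rule that sits below a protocol-wide REJECT/DROP in the same chain, i.e. a rule that can never match. It is run against a constructed copy of the asker's INPUT chain and against a reordered version of the same rules. The function names, the variable names and the reordered ruleset are this example's own choices, not the answerer's.

```shell
#!/bin/sh
# Added example: find ACCEPT rules shadowed by an earlier catch-all in an
# iptables-save dump. Pure awk, so it runs without root or iptables.

# Constructed copy of the asker's INPUT chain (same order as in the question).
RULES_BROKEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp --dport 22 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp --dport 5001 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 --dport 5001 -j ACCEPT
-A INPUT -p tcp --dport 80 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 8080 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 443 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 --dport 80 -j ACCEPT
COMMIT'

# Same rules, reordered as the answer says: allow first, reject the rest.
# The per-port REJECTs are dropped because the trailing catch-alls already
# reject everything not accepted above them, and "-i lo -j ACCEPT" already
# covers the loopback-only VNC/HTTP rules (this reordering is the example's).
RULES_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT'

# Read an iptables-save dump on stdin; print "shadowed: <rule>" for each
# ACCEPT rule that follows a catch-all (REJECT/DROP with no match other than
# an optional -p) for the same protocol, or for all protocols, in its chain.
find_shadowed() {
  awk '
    /^-A / {
      chain = $2; proto = "all"; specific = 0; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
        else if ($i ~ /^(--dport|--sport|-s|-d|-i|-o|-m)$/) specific = 1
      }
      if ((target == "REJECT" || target == "DROP") && !specific)
        catchall[chain, proto] = 1
      if (target == "ACCEPT" && (catchall[chain, proto] || catchall[chain, "all"]))
        print "shadowed: " $0
    }'
}

# Number of shadowed ACCEPT rules in the dump on stdin (0 when the order is right).
count_shadowed() {
  find_shadowed | awk 'END { print NR }'
}

# Stand-alone run: list the dead rules in the asker's chain.
printf '%s\n' "$RULES_BROKEN" | find_shadowed
```

On the live box the same check is `iptables-save | find_shadowed`; an empty result means no ACCEPT rule is hidden behind a catch-all. The fixed ruleset loads with `iptables-restore`, and the port-5000 rule is then reached before the tcp-reset REJECT.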