iptables and ssh

Hugo Rodrigues

I'm running Arch Linux and I have a running SSH daemon to access my machine when I'm out side my LAN. I can do the connection, but iptables keeps blocking SSH Daemon, so I can only connect if I turn off the firewall. I'm running SSH on port 5000.

My iptables rules

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -j REJECT --reject-with tcp-reset 
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -j REJECT --reject-with icmp-proto-unreachable 

# SSH
-A INPUT -p tcp --dport 22 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 5000 -j ACCEPT

# VNC
-A INPUT -p tcp --dport 5001 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 --dport 5001 -j ACCEPT

# HTTP/HTTPS
-A INPUT -p tcp --dport 80 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 8080 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 443 -j REJECT --reject-with icmp-host-unreachable

-A INPUT -p tcp -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 --dport 80 -j ACCEPT

Thomas Weinbrenner

You have to reorder the iptables rules.

You can't connect to your sshd because the rules are checked in line for line. And you already told iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset = reject ALL tcp traffic. Even you later tell him to accept connections to port 5000 it doesn't matter - you already rejected those connections.

So when you write iptables rules, think about the order: first insert those things you want to allow, then reject the rest.

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at2021-03-25

Comments

0 comments

Prev: How do I recover lost/inaccessible data from my storage device?

TOP Ranking

Article

iptables and ssh

iptables and ssh

pump.io port in URL

Failed to listen on localhost:8000 (reason: Cannot assign requested address)

How to import an asset in swift using Bundle.main.path() in a react-native native module

Inner Loop design for webscrapping

Can't pre-populate phone number and message body in SMS link on iPhones when SMS app is not running in the background

ggplotly no applicable method for 'plotly_build' applied to an object of class "NULL" if statements

mysql.connector.errors.InterfaceError: 2003: Can't connect to MySQL server on '127.0.0.1:3306' (111 Connection refused)

Removed zsh, but forgot to change shell back to bash, and now Ubuntu crashes (wsl)

Ambiguous use of 'init' with CFStringTransform and Swift 3

Resetting Value of <input type="time"> in Firefox

Execute ./script.sh with a crontab

Converting a class method to a property with a backing field

Spring Boot JPA PostgreSQL Web App - Internal Authentication Error

How to update azerothcore-wotlk docker container

How to set tab order for array of cluster,where cluster elements have different data types in LabVIEW?

Grails with Oracle thick OCI driver authenticate to Oracle with wrong user

How to pass data to the ng2-bs3-modal?

Making Array From Page Elements in jQuery

Retrieve Element Tag Value XML Using Bash

Laravel's ORM sync with timestamps doesn't update timestamps

Do animations stop css changes after animation completion?