SSH stops at "using username" with IPTables in effect

Posted by Rautamiekka on Server Fault See other posts from Server Fault or by Rautamiekka
Published on 2012-04-11T14:44:25Z Indexed on 2012/04/11 23:33 UTC
Read the original article Hit count: 255

Filed under:
|
|
|
|

We used UFW but couldn't make the Source Dedicated ports open, which was weird, so we purged UFW and switched to IPTables, using Webmin to configure.

If the inbound chain is on DENY and SSH port open [judged from Webmin], PuTTY will say using username "root" and stops at that instead of asking for public key pw. Inbound chain on ACCEPT the pw is asked. This problem didn't happen with UFW.

Picture of IPTables configuration in Webmin: http://s284544448.onlinehome.us/public/PlusLINE%20Dedicated%20Server,%20Webmin,%20IPTables,%200.jpg
The address is to the previous rautamiekka.org.

iptables-save when on INPUT DENY:

# Generated by iptables-save v1.4.8 on Wed Apr 11 16:09:20 2012
*mangle
:PREROUTING ACCEPT [1430:156843]
:INPUT ACCEPT [1430:156843]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1415:781598]
:POSTROUTING ACCEPT [1415:781598]
COMMIT
# Completed on Wed Apr 11 16:09:20 2012
# Generated by iptables-save v1.4.8 on Wed Apr 11 16:09:20 2012
*nat
:PREROUTING ACCEPT [2:104]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 11 16:09:20 2012
# Generated by iptables-save v1.4.8 on Wed Apr 11 16:09:20 2012
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1247:708906]
-A INPUT -i lo -m comment --comment "Machine-within traffic - always allowed" -j ACCEPT
-A INPUT -p tcp -m comment --comment "Services - TCP" -m tcp -m multiport --dports 22,80,443,10000,20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m comment --comment "Minecraft - TCP" -m tcp --dport 25565 -j ACCEPT
-A INPUT -p udp -m comment --comment "Minecraft - UDP" -m udp --dport 25565 -j ACCEPT
-A INPUT -p tcp -m comment --comment "Source Dedicated - TCP" -m tcp --dport 27015 -j ACCEPT
-A INPUT -p udp -m comment --comment "Source Dedicated - UDP" -m udp -m multiport --dports 4380,27000:27030 -j ACCEPT
-A INPUT -p udp -m comment --comment "TS3 - UDP - main port" -m udp --dport 9987 -j ACCEPT
-A INPUT -p tcp -m comment --comment "TS3 - TCP - ServerQuery" -m tcp --dport 10011 -j ACCEPT
-A OUTPUT -o lo -m comment --comment "Machine-within traffic - always allowed" -j ACCEPT
COMMIT
# Completed on Wed Apr 11 16:09:20 2012

iptables --list when on INPUT DENY:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            /* Machine-within traffic - always allowed */
ACCEPT     tcp  --  anywhere             anywhere            /* Services - TCP */ tcp multiport dports ssh,www,https,webmin,ftp-data,ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            /* Minecraft - TCP */ tcp dpt:25565
ACCEPT     udp  --  anywhere             anywhere            /* Minecraft - UDP */ udp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere            /* Source Dedicated - TCP */ tcp dpt:27015
ACCEPT     udp  --  anywhere             anywhere            /* Source Dedicated - UDP */ udp multiport dports 4380,27000:27030
ACCEPT     udp  --  anywhere             anywhere            /* TS3 - UDP - main port */ udp dpt:9987
ACCEPT     tcp  --  anywhere             anywhere            /* TS3 - TCP - ServerQuery */ tcp dpt:10011

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            /* Machine-within traffic - always allowed */

The UFW rules prior to purging on INPUT DENY:

127.0.0.1                  ALLOW IN    127.0.0.1
3306                       DENY IN     Anywhere
20,21/tcp                  ALLOW IN    Anywhere
22/tcp (OpenSSH)           ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
989                        ALLOW IN    Anywhere
990                        ALLOW IN    Anywhere
8075/tcp                   ALLOW IN    Anywhere
9987/udp                   ALLOW IN    Anywhere
10000/tcp                  ALLOW IN    Anywhere
10011/tcp                  ALLOW IN    Anywhere
25565/tcp                  ALLOW IN    Anywhere
27000:27030/tcp            ALLOW IN    Anywhere
4380/udp                   ALLOW IN    Anywhere
27014:27050/tcp            ALLOW IN    Anywhere
30033/tcp                  ALLOW IN    Anywhere

© Server Fault or respective owner

Related posts about linux

Related posts about ssh