SSH stops at "using username" with IPTables in effect
Posted by Rautamiekka on Server Fault, published 2012-04-11T14:44:25Z
We used UFW but couldn't make the Source Dedicated ports open, which was weird, so we purged UFW and switched to IPTables, using Webmin to configure.
If the inbound chain is on DENY and the SSH port is open [judged from Webmin], PuTTY says using username "root" and stops there instead of asking for the public key pw. With the inbound chain on ACCEPT, the pw is asked. This problem didn't happen with UFW.
Picture of IPTables configuration in Webmin: http://s284544448.onlinehome.us/public/PlusLINE%20Dedicated%20Server,%20Webmin,%20IPTables,%200.jpg
The address is to the previous rautamiekka.org.
iptables-save when on INPUT DENY:
# Generated by iptables-save v1.4.8 on Wed Apr 11 16:09:20 2012
*mangle
:PREROUTING ACCEPT [1430:156843]
:INPUT ACCEPT [1430:156843]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1415:781598]
:POSTROUTING ACCEPT [1415:781598]
COMMIT
# Completed on Wed Apr 11 16:09:20 2012
# Generated by iptables-save v1.4.8 on Wed Apr 11 16:09:20 2012
*nat
:PREROUTING ACCEPT [2:104]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 11 16:09:20 2012
# Generated by iptables-save v1.4.8 on Wed Apr 11 16:09:20 2012
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1247:708906]
-A INPUT -i lo -m comment --comment "Machine-within traffic - always allowed" -j ACCEPT
-A INPUT -p tcp -m comment --comment "Services - TCP" -m tcp -m multiport --dports 22,80,443,10000,20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m comment --comment "Minecraft - TCP" -m tcp --dport 25565 -j ACCEPT
-A INPUT -p udp -m comment --comment "Minecraft - UDP" -m udp --dport 25565 -j ACCEPT
-A INPUT -p tcp -m comment --comment "Source Dedicated - TCP" -m tcp --dport 27015 -j ACCEPT
-A INPUT -p udp -m comment --comment "Source Dedicated - UDP" -m udp -m multiport --dports 4380,27000:27030 -j ACCEPT
-A INPUT -p udp -m comment --comment "TS3 - UDP - main port" -m udp --dport 9987 -j ACCEPT
-A INPUT -p tcp -m comment --comment "TS3 - TCP - ServerQuery" -m tcp --dport 10011 -j ACCEPT
-A OUTPUT -o lo -m comment --comment "Machine-within traffic - always allowed" -j ACCEPT
COMMIT
# Completed on Wed Apr 11 16:09:20 2012
iptables --list when on INPUT DENY:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* Machine-within traffic - always allowed */
ACCEPT tcp -- anywhere anywhere /* Services - TCP */ tcp multiport dports ssh,www,https,webmin,ftp-data,ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere /* Minecraft - TCP */ tcp dpt:25565
ACCEPT udp -- anywhere anywhere /* Minecraft - UDP */ udp dpt:25565
ACCEPT tcp -- anywhere anywhere /* Source Dedicated - TCP */ tcp dpt:27015
ACCEPT udp -- anywhere anywhere /* Source Dedicated - UDP */ udp multiport dports 4380,27000:27030
ACCEPT udp -- anywhere anywhere /* TS3 - UDP - main port */ udp dpt:9987
ACCEPT tcp -- anywhere anywhere /* TS3 - TCP - ServerQuery */ tcp dpt:10011
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* Machine-within traffic - always allowed */
The UFW rules prior to purging on INPUT DENY:
127.0.0.1 ALLOW IN 127.0.0.1
3306 DENY IN Anywhere
20,21/tcp ALLOW IN Anywhere
22/tcp (OpenSSH) ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
989 ALLOW IN Anywhere
990 ALLOW IN Anywhere
8075/tcp ALLOW IN Anywhere
9987/udp ALLOW IN Anywhere
10000/tcp ALLOW IN Anywhere
10011/tcp ALLOW IN Anywhere
25565/tcp ALLOW IN Anywhere
27000:27030/tcp ALLOW IN Anywhere
4380/udp ALLOW IN Anywhere
27014:27050/tcp ALLOW IN Anywhere
30033/tcp ALLOW IN Anywhere
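An added example, not part of the original post and not generated by Webmin: the INPUT-DROP filter table from the iptables-save dump above, rebuilt in iptables-restore format with one stateful accept rule placed ahead of the per-service rules. The ruleset on the page accepts ESTABLISHED packets only on the listed TCP service ports, so any reply to a request the server itself sends out (a DNS answer, a response from Steam or an HTTP server) matches no accept rule and falls to the DROP policy; UFW's default before.rules carry a general RELATED,ESTABLISHED accept, which is why the same ports worked there. That a blocked reverse-DNS lookup inside sshd is what makes PuTTY pause after "using username" is my assumption, consistent with the symptom but not confirmed by the post. The script assumes the conntrack match module is available (it is in iptables 1.4.x); port numbers and comments are copied from the page, and the check functions only inspect the generated text, so they run without root.

```shell
#!/bin/sh
# Added example (not from the original post): the question's INPUT-DROP
# ruleset with a stateful accept rule inserted before the service rules.
# Assumes the conntrack match module (iptables 1.4.x and later).

# Emit the filter table. Review it, then as root:
#   generate_filter_rules | iptables-restore --test   # syntax check only
#   generate_filter_rules | iptables-restore          # apply
generate_filter_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, as on the page.
-A INPUT -i lo -m comment --comment "Machine-within traffic - always allowed" -j ACCEPT
# Added: packets belonging (or related) to a connection conntrack already
# tracks. This covers replies to the server's own outbound requests (DNS
# answers, Steam/HTTP responses) and the FTP data channel, all of which
# otherwise fall through to the DROP policy.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Added: drop packets conntrack cannot classify (bad TCP flags, stray retransmits).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Service rules from the page; with the rule above only NEW needs matching.
-A INPUT -p tcp -m multiport --dports 22,80,443,10000,20,21 -m conntrack --ctstate NEW -m comment --comment "Services - TCP" -j ACCEPT
-A INPUT -p tcp --dport 25565 -m conntrack --ctstate NEW -m comment --comment "Minecraft - TCP" -j ACCEPT
-A INPUT -p udp --dport 25565 -m comment --comment "Minecraft - UDP" -j ACCEPT
-A INPUT -p tcp --dport 27015 -m conntrack --ctstate NEW -m comment --comment "Source Dedicated - TCP" -j ACCEPT
-A INPUT -p udp -m multiport --dports 4380,27000:27030 -m comment --comment "Source Dedicated - UDP" -j ACCEPT
-A INPUT -p udp --dport 9987 -m comment --comment "TS3 - UDP - main port" -j ACCEPT
-A INPUT -p tcp --dport 10011 -m conntrack --ctstate NEW -m comment --comment "TS3 - TCP - ServerQuery" -j ACCEPT
-A OUTPUT -o lo -m comment --comment "Machine-within traffic - always allowed" -j ACCEPT
COMMIT
EOF
}

# Returns 0 when the ruleset carries a general stateful accept, 1 otherwise.
has_stateful_accept() {
  generate_filter_rules | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Returns 0 when the stateful accept comes before the first service rule.
# Order matters: iptables stops at the first matching rule, and a stateful
# accept placed after the service rules would never see their replies.
stateful_rule_precedes_services() {
  generate_filter_rules | awk '
    /--ctstate ESTABLISHED,RELATED -j ACCEPT/ && !s { s = NR }
    /Services - TCP/ && !v { v = NR }
    END { exit !(s && v && s < v) }'
}

# Usage: print the table and confirm the ordering invariant holds.
if has_stateful_accept && stateful_rule_precedes_services; then
  echo "ruleset ok: stateful accept precedes the service rules"
fi
generate_filter_rules
```

Keeping the ESTABLISHED,RELATED rule at the top of INPUT is the one invariant worth re-checking whenever rules are edited through a GUI such as Webmin, which appends new rules at the end of the chain.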