iptables blocking ssh communication

Posted by Michal Sapsa on Server Fault
Published on 2014-05-26T11:24:27Z

I'm using this script for iptables:

#!/bin/sh

# enable routing between interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward

# flush all rules and delete all user-defined chains in every table
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t filter
iptables -X -t filter

# drop forwarded traffic unless a rule below accepts it
iptables -t filter -P FORWARD DROP

# let anything from or to the 192.168.0.0/16 range pass through the router
iptables -t filter -A FORWARD -s 192.168.0.0/255.255.0.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.0/255.255.0.0 -j ACCEPT

# NAT the OpenVPN client network (10.8.0.0/24) and allow it to be forwarded
iptables -t nat -A POSTROUTING -s 10.8.0.1/255.255.255.0  -j MASQUERADE
iptables -A FORWARD -s 10.8.0.1/255.255.255.0 -j ACCEPT

# NAT the LAN out to the world
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE

# clamp the TCP MSS of forwarded SYNs to the path MTU
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# rewrite UDP 16161 arriving on eth1 to the LAN host 192.168.0.251
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 16161 -j DNAT --to 192.168.0.251:16161
iptables -t nat -A PREROUTING -i eth1 -p udp --sport 16161 -j DNAT --to 192.168.0.251:16161

#openvpn
# accept OpenVPN connections on TCP and UDP 1194
iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT

I end up with some iptables rules that should work but don't work - probably because of me.

# Generated by iptables-save v1.4.12 on Mon May 26 13:15:43 2014
*raw
:PREROUTING ACCEPT [1657523:1357257330]
:OUTPUT ACCEPT [36804:34834370]
-A PREROUTING -p icmp -j TRACE
-A PREROUTING -p tcp -j TRACE
-A OUTPUT -p icmp -j TRACE
-A OUTPUT -p tcp -j TRACE
COMMIT
# Completed on Mon May 26 13:15:43 2014
# Generated by iptables-save v1.4.12 on Mon May 26 13:15:43 2014
*nat
:PREROUTING ACCEPT [5033:345623]
:INPUT ACCEPT [154:34662]
:OUTPUT ACCEPT [6:1968]
:POSTROUTING ACCEPT [2:120]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 16161 -j DNAT --to-destination 192.168.0.251:22
-A PREROUTING -i eth1 -p tcp -m tcp --dport 16161 -j DNAT --to-destination 192.168.0.251:22
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
COMMIT
# Completed on Mon May 26 13:15:44 2014
# Generated by iptables-save v1.4.12 on Mon May 26 13:15:44 2014
*filter
:INPUT ACCEPT [548:69692]
:FORWARD DROP [8:384]
:OUTPUT ACCEPT [2120:1097479]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -s 192.168.0.0/16 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT

TRACE at PREROUTING and OUTPUT are only for debugging this thing. When I ssh to the public IP on port 16161 I don't get any message, only a timeout, so it looks like I don't get communication back to the remote server. ETH0 is the world, ETH1 is the LAN.

Any iptables masters willing to give a hand?

iptables -vL
Chain INPUT (policy ACCEPT 20548 packets, 3198K bytes)
 pkts bytes target     prot opt in     out     source               destination
38822 7014K ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:openvpn
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:openvpn

Chain FORWARD (policy DROP 1129 packets, 64390 bytes)
 pkts bytes target     prot opt in     out     source               destination
 214K   11M TCPMSS     tcp  --  any    any     anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
4565K 1090M ACCEPT     all  --  any    any     192.168.0.0/16       anywhere
5916K 7315M ACCEPT     all  --  any    any     anywhere             192.168.0.0/16
    0     0 ACCEPT     all  --  any    any     10.8.0.0/24          anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.0.251        tcp dpt:16161

Chain OUTPUT (policy ACCEPT 59462 packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
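The following is an added example, not the poster's script or a diagnosis of his ruleset. It shows the minimal, stateful shape of a port-forward of one public TCP port to the SSH port of one LAN host behind a router whose FORWARD policy is DROP: a DNAT in PREROUTING, a FORWARD accept that is scoped to new connections from the WAN interface to that one host, a FORWARD accept for ESTABLISHED,RELATED so the replies of every permitted connection get back out, and a MASQUERADE for the LAN's own outbound traffic. Two points worth keeping in mind when reading counters like the ones above: the nat PREROUTING DNAT runs before the filter FORWARD chain, so a FORWARD rule has to match the rewritten destination (the LAN host on port 22) and will never see the public port; and without a stateful accept, or a broad accept in the other direction, the internal host's replies are dropped by the DROP policy and the client only sees a timeout. Interface names, the LAN network, the SSH host, the public port and the `check` output commands are assumptions taken from the question and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not the poster's script): minimal stateful port-forward of a
# public TCP port to the SSH port of one LAN host. Interface names, networks,
# host address and port are assumptions taken from the question; override
# them through the environment, e.g. WAN=ens3 ./fwd.sh apply.
WAN=${WAN:-eth0}                   # interface facing the world
LAN=${LAN:-eth1}                   # interface facing the LAN
LAN_NET=${LAN_NET:-192.168.0.0/24}
SSH_HOST=${SSH_HOST:-192.168.0.251}
PUB_PORT=${PUB_PORT:-16161}        # public port that is rewritten to 22
IPT=${IPT:-iptables}

# Emit the rules, one command per line, without executing them. Order matters:
# PREROUTING DNAT runs before the FORWARD chain, so FORWARD must match the
# rewritten destination (SSH_HOST port 22), never the public port.
ssh_forward_rules() {
    cat <<EOF
$IPT -t nat -A PREROUTING -i $WAN -p tcp --dport $PUB_PORT -j DNAT --to-destination $SSH_HOST:22
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $WAN -o $LAN -p tcp -d $SSH_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# Number of rules that admit a brand-new connection through FORWARD. With a
# DROP policy this should stay at the one forwarded port on the one host.
new_connection_rules() {
    ssh_forward_rules | grep -c -- '--ctstate NEW'
}

# Apply the rules (needs root; assumes the FORWARD and nat chains were flushed
# first, as the original script does before adding its own rules).
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    $IPT -P FORWARD DROP
    ssh_forward_rules | sh -e
}

# Print the counters that tell you where forwarded packets stop: a DNAT hit
# without a FORWARD ACCEPT hit means the packet reached the router but was
# dropped on the way to the LAN host.
check_rules() {
    echo "ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
    $IPT -t nat -vnL PREROUTING
    $IPT -vnL FORWARD
    $IPT -t nat -vnL POSTROUTING
}

case "${1:-show}" in
    show)  ssh_forward_rules ;;   # default: just list the rules
    apply) apply_rules ;;
    check) check_rules ;;
esac
```

Running the script without arguments only prints the rules; `IPT=echo ./fwd.sh apply` is a safe dry run that shows exactly what would be executed, and `./fwd.sh check` after a real apply shows whether the DNAT and the FORWARD accept for port 22 are both counting packets for a test connection.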
