iptables blocking ssh communication
Posted
by
Michal Sapsa
on Server Fault
See other posts from Server Fault
or by Michal Sapsa
Published on 2014-05-26T11:24:27Z
Indexed on
2014/05/26
21:31 UTC
Read the original article
Hit count: 362
I'm using this script for iptables:
#!/bin/sh
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t filter
iptables -X -t filter
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -s 192.168.0.0/255.255.0.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.1/255.255.255.0 -j MASQUERADE
iptables -A FORWARD -s 10.8.0.1/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 16161 -j DNAT --to 192.168.0.251:16161
iptables -t nat -A PREROUTING -i eth1 -p udp --sport 16161 -j DNAT --to 192.168.0.251:16161
#openvpn
iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
I end up with some iptables rules that should work but don't work - probably because of me.
# Generated by iptables-save v1.4.12 on Mon May 26 13:15:43 2014
*raw
:PREROUTING ACCEPT [1657523:1357257330]
:OUTPUT ACCEPT [36804:34834370]
-A PREROUTING -p icmp -j TRACE
-A PREROUTING -p tcp -j TRACE
-A OUTPUT -p icmp -j TRACE
-A OUTPUT -p tcp -j TRACE
COMMIT
# Completed on Mon May 26 13:15:43 2014
# Generated by iptables-save v1.4.12 on Mon May 26 13:15:43 2014
*nat
:PREROUTING ACCEPT [5033:345623]
:INPUT ACCEPT [154:34662]
:OUTPUT ACCEPT [6:1968]
:POSTROUTING ACCEPT [2:120]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 16161 -j DNAT --to-destination 192.168.0.251:22
-A PREROUTING -i eth1 -p tcp -m tcp --dport 16161 -j DNAT --to-destination 192.168.0.251:22
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
COMMIT
# Completed on Mon May 26 13:15:44 2014
# Generated by iptables-save v1.4.12 on Mon May 26 13:15:44 2014
*filter
:INPUT ACCEPT [548:69692]
:FORWARD DROP [8:384]
:OUTPUT ACCEPT [2120:1097479]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -s 192.168.0.0/16 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
TRACE at PREROUTEING AND OUTPUT are only for debuging this thing. When I ssh at public ip with port 16161 I don't get any message, only TimeOut so it looks like I don't get communication back to remote server. ETH0 is the world, ETH1 is LAN
Any IPTABLES Masters willing to give a hand ?
iptables -vL
Chain INPUT (policy ACCEPT 20548 packets, 3198K bytes)
pkts bytes target prot opt in out source destination
38822 7014K ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:openvpn
Chain FORWARD (policy DROP 1129 packets, 64390 bytes)
pkts bytes target prot opt in out source destination
214K 11M TCPMSS tcp -- any any anywhere anywhere tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
4565K 1090M ACCEPT all -- any any 192.168.0.0/16 anywhere
5916K 7315M ACCEPT all -- any any anywhere 192.168.0.0/16
0 0 ACCEPT all -- any any 10.8.0.0/24 anywhere
0 0 ACCEPT tcp -- any any anywhere 192.168.0.251 tcp dpt:16161
Chain OUTPUT (policy ACCEPT 59462 packets, 19M bytes)
pkts bytes target prot opt in out source destination
© Server Fault or respective owner