Didar,

Well, I don't have any rule for the OUTPUT chain and its policy is ACCEPT by default. There is nothing in NAT as well. However, I am quite sure that the problem is not with my firewall rules, as when I completely turn it off (/etc/init.d/iptables stop), the ssh client connecting from the Internet still behaves the same. It appears that it is able to establish the connection, but is then disconnected by the server. Either it's the ssh security configuration, or some other Debian configuration that does this. Please advise, as I have been stuck with this issue for the last two days.
Regards,
Nabil.

-----Original Message-----
From: Didar Hussain [mailto:[EMAIL PROTECTED]
Sent: Monday, August 02, 2004 7:34 PM
To: [EMAIL PROTECTED]
Subject: Re: iptables rule for sshd

On Mon, Aug 02, 2004 at 09:10:39AM +0300, [EMAIL PROTECTED] wrote:
> Dah.. :-) thanks for the help. You guys are life savers.
>
> So now I am able to ssh from the local machine. Thanks to all you folks.

You are welcome :)

> However, when I try to connect from the Internet using ssh, it just
> disconnects me. Why is that? When I try to connect, I even see that the
> packet count for the ssh rule in the INPUT chain gets an increase of four
> packets. Are there other things I need to look into, like hosts.allow and
> stuff? I can ping the machine from the Internet because I have a
> firewall rule for icmp-type echo-reply. Any ideas why it doesn't like
> ssh connections, even after having the ssh ACCEPT rule?

I hope you have a corresponding entry for "ssh" in your OUTPUT chain as well.
You could send your configuration by doing:

    iptables -L -nv > Filter.txt
    iptables -L -nv -t nat > Nat.txt

And then just attach the Filter.txt and Nat.txt files.

> Also, since I am new, I am having lots of problems in guessing what
> packets are coming in and what rules need to be added. Is there a GOOD
> way to analyze the packets traversing through my interfaces? I know that
> I can add the -j LOG rule, but that is too hard to read, or perhaps is
> there a better way to analyze these logs?

Well, I use tethereal or tcpdump. Also you might try the "evil" ettercap.

Take care,
Didar
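As an added example (not part of the thread), the checks below work through the two things raised in the exchange: the `iptables -L -nv` dump Didar asked for, and the hosts.allow/hosts.deny files Nabil wondered about. The dump and the hosts.deny line are constructed samples, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: parse a saved `iptables -L -nv` dump for the
# sshd rules the reply asks about, and check whether a tcp_wrappers file names sshd.

# Constructed sample of `iptables -L -nv > Filter.txt` output.
SAMPLE_FILTER='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    8   672 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmp type 8

Chain OUTPUT (policy ACCEPT 310 packets, 40120 bytes)
 pkts bytes target     prot opt in     out     source               destination
'
# Constructed sample /etc/hosts.deny: denies every wrapped service, sshd included.
SAMPLE_HOSTS_DENY='ALL: ALL'

# Default policy of a chain, e.g. chain_policy "$dump" INPUT prints DROP.
chain_policy() {
    printf '%s\n' "$1" | awk -v c="$2" '$1=="Chain" && $2==c { print $4; exit }'
}

# Success if chain $2 has an ACCEPT rule for tcp dport 22 (fields of -L -nv:
# pkts bytes target prot opt in out source destination [match]).
has_ssh_accept() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1=="Chain" { cur=$2; next }
        cur==c && $3=="ACCEPT" && $4=="tcp" && /dpt:22([^0-9]|$)/ { found=1 }
        END { if (found) exit 0; exit 1 }'
}

# Success if sshd replies can leave: OUTPUT policy ACCEPT, or an ACCEPT rule for
# tcp sport 22 or ESTABLISHED state. Without one of these the handshake never completes.
ssh_reply_allowed() {
    [ "$(chain_policy "$1" OUTPUT)" = ACCEPT ] && return 0
    printf '%s\n' "$1" | awk '
        $1=="Chain" { cur=$2; next }
        cur=="OUTPUT" && $3=="ACCEPT" && (/spt:22([^0-9]|$)/ || /ESTABLISHED/) { found=1 }
        END { if (found) exit 0; exit 1 }'
}

# Success if a hosts.allow/hosts.deny text has a non-comment line whose daemon
# list (before the first colon) includes sshd or ALL. A hit in hosts.deny with
# no matching hosts.allow entry makes sshd accept the TCP connection and then close it.
wrappers_covers_sshd() {
    printf '%s\n' "$1" | awk -F: '
        /^[ \t]*#/ || NF < 2 { next }
        { d=$1; gsub(/[ \t]/, "", d); n=split(d, a, ",")
          for (i = 1; i <= n; i++) if (a[i] == "sshd" || a[i] == "ALL") found=1 }
        END { if (found) exit 0; exit 1 }'
}
```

Run the same functions over the real Filter.txt and the contents of /etc/hosts.deny to see which of the two checks fails on the server.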