On 5/21/13, Neal Murphy <neal.p.mur...@alum.wpi.edu> wrote:
> You still aren't accepting *each* direction. Either accept each direction with
> explicit rules or rewrite the rules so they apply to both directions at once.
> The former is probably easier to understand months later, even though it is
> more verbose.
>
> Mea culpa. I missed the '--dport'; that should be changed to '--sport' in one
> of the rules. I adjusted the rule below.
>
> N
>
> On Tuesday, May 21, 2013 11:07:10 AM you wrote:
>> Hello Everyone,
>>
>> #echo -e " - Accepting SSH Traffic"
>> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5
>> --dport 22 -j ACCEPT
>> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j
>> DROP
>>
>> Everything works fine with the REJECT rules commented out, but when
>> included SSH access is blocked out. Not sure why, isn't the sequence
>> correct (i.e., the ACCEPT entries before the DROP and REJECT)?
>
> SSH isn't a one-way protocol. I believe you need at least one more rule.
> This:
> -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 \
> --dport 22 -j ACCEPT
> only matches packets in one direction. You need to add:
> -A TCP -p tcp -m tcp -s 192.168.2.5 -d 192.168.2.0/24 \
> --sport 22 -j ACCEPT
> to accept packets in the other direction.
That was it!!! Thank you so much. For future searchers to similar problems:

#!/bin/bash

IPTABLES='/sbin/iptables'

#Set interface values
INTIF1='eth0'

#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#echo -e " - Accepting input lo traffic"
$IPTABLES -A INPUT -i lo -j ACCEPT

#echo -e " - Accepting output lo traffic"
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#echo -e " - Defined Chains"
$IPTABLES -N TCP
$IPTABLES -N UDP

#echo -e " - Accepting SSH Traffic"
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.5 --sport 22 -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

#echo -e " - Accepting input TCP and UDP traffic to open ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j TCP
$IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP

#echo -e " - Accepting output TCP and UDP traffic to open ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j TCP
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP

#echo -e " - Dropping input TCP and UDP traffic to closed ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
$IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e " - Dropping output TCP and UDP traffic to closed ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
$IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
$IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Kind Regards,
Nick.
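The failure Neal diagnosed is easy to reproduce without touching a real firewall. The Python model below is an added example, not Nick's script or anything from the thread: it replays the first two packets of an SSH handshake through a simplified first-match model of the TCP chain, once with the original two rules and once with the reverse-direction rule added. Since the TCP chain is reached from both INPUT and OUTPUT and any packet it does not match falls through to the REJECT --reject-with tcp-rst rules, the server's SYN-ACK (source port 22, destination port ephemeral) is rejected unless a rule matches that direction. The host 192.168.2.5 and the 192.168.2.0/24 network are the thread's; the client address 192.168.2.10, the outside address 10.0.0.7 and the ephemeral port are constructed, and the model ignores -i/-o, -m tcp and connection state because the rules in the thread are stateless.

```python
"""Stateless model of the thread's TCP chain (added example, not the poster's script).

It shows why a rule matching only --dport 22 accepts the client's SYN but lets the
server's SYN-ACK fall through to the REJECT rules in the OUTPUT chain.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One -A TCP rule: -s/-d networks, optional --sport/--dport, and -j target."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    target: str = "ACCEPT"

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.sport is None or pkt.sport == self.sport)
            and (self.dport is None or pkt.dport == self.dport)
        )


def evaluate(chain: List[Rule], pkt: Packet, fallthrough: str) -> str:
    """First matching rule wins, as in iptables. If no rule matches, the
    user-defined chain returns and the caller's next rule applies; in the
    thread's script that is REJECT --reject-with tcp-rst for both INPUT and OUTPUT."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return fallthrough


HOST = "192.168.2.5"          # the SSH server from the thread
LAN = "192.168.2.0/24"        # the trusted network from the thread
CLIENT = "192.168.2.10"       # constructed LAN client
OUTSIDE = "10.0.0.7"          # constructed non-LAN client
EPHEMERAL = 51234             # constructed client source port

# The two rules from the original post: only the client->server direction is accepted.
ORIGINAL_TCP_CHAIN = [
    Rule(src=LAN, dst=HOST, dport=22, target="ACCEPT"),
    Rule(src="0.0.0.0/0", dst=HOST, dport=22, target="DROP"),
]

# The corrected chain from Nick's follow-up: the reply direction is accepted too.
FIXED_TCP_CHAIN = [
    Rule(src=LAN, dst=HOST, dport=22, target="ACCEPT"),
    Rule(src=HOST, dst=LAN, sport=22, target="ACCEPT"),
    Rule(src="0.0.0.0/0", dst=HOST, dport=22, target="DROP"),
]


def ssh_handshake_verdicts(chain: List[Rule], client: str = CLIENT) -> Dict[str, str]:
    """Verdicts for the client's SYN (seen by INPUT) and the server's SYN-ACK
    (seen by OUTPUT). Both are routed through the same TCP chain."""
    syn = Packet(src=client, dst=HOST, sport=EPHEMERAL, dport=22)
    syn_ack = Packet(src=HOST, dst=client, sport=22, dport=EPHEMERAL)
    return {
        "client->server": evaluate(chain, syn, "REJECT"),
        "server->client": evaluate(chain, syn_ack, "REJECT"),
    }


if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL_TCP_CHAIN), ("fixed", FIXED_TCP_CHAIN)):
        print(name, "LAN client:", ssh_handshake_verdicts(chain))
        print(name, "outside client:", ssh_handshake_verdicts(chain, OUTSIDE))
```

Running the model shows the original chain accepting the inbound SYN but rejecting the outbound SYN-ACK, which is exactly the "SSH access is blocked" symptom; the fixed chain accepts both directions for LAN clients while connection attempts from outside 192.168.2.0/24 still hit the DROP rule. Note that the reverse rule is as broad as its match: it accepts any packet leaving the host from source port 22 toward the LAN, which is the expected cost of stateless rules and the reason the reply rule should be kept as narrow as the forward one.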