Just another iptables question
[root@webhost ~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: raw nat mangle filter [ OK ]
Applying iptables firewall rules: [ OK ]
[root@webhost ~]# lsmod | grep ip_tables
[root@webhost ~]#
Based on some Googling I've created the following script to set up my rules (I've replaced some of my top secret port numbers with [PortNumber]):
#!/bin/bash
# iptables example configuration script
# Flush all current rules from iptables
iptables -F
# Basic rules
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# SSH
iptables -A INPUT -p tcp --dport [PortNumber] -j ACCEPT
# HTTP/Apache
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Email
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
# MySQL
iptables -A INPUT -p tcp --dport [PortNumber] -j ACCEPT
# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT
# Accept packets belonging to established and related connections
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Save settings and list rules
/sbin/service iptables save
iptables -L -v
Any help would be greatly appreciated.
LEC
5 Replies
% zgrep -i iptables /proc/config.gz
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES=y
What you need to do is run "iptables -L -n" to check that the rules are loaded.
The only reason I thought it wasn't running is because I can't get in through SSH. I changed the default port to my secret [PortNumber] and for some reason it doesn't work. My ssh_config file looks like this:
Host *
GSSAPIAuthentication yes
ForwardX11Trusted yes
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
# Protocol 2,1
Protocol 2
# Run ssh on a non-standard port:
Port [PortNumber]
And my iptables entry as you saw above is:
# SSH
iptables -A INPUT -p tcp --dport [PortNumber] -j ACCEPT
When I try to connect I get:
[root@webhost ~]# ssh root@myserver -p [PortNumber]
ssh: connect to host myserver port [PortNumber]: Connection refused
Did you mean sshd_config? "ssh_config" is for the client; sshd_config is for the server. Given that you have "SendEnv" lines in there, I'm guessing you modified the wrong ssh configuration file.
You can check with "iptables -L" for the firewall and "netstat -anp" to see if sshd is listening properly.
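The checks suggested in the replies, worked through as an added example that is not part of the original thread. It pulls the Port directive out of an OpenSSH config file (which only matters when the file is the server's sshd_config), classifies the client's error message, looks for a listener with ss or netstat, and greps "iptables -S INPUT" output for an ACCEPT rule on that port. The sample port 2222 stands in for [PortNumber]; the config files it reads and the rule dump in the demo are constructed inline so it runs anywhere without sshd. The key point it encodes: with an INPUT policy of DROP, a port the firewall blocks times out, whereas "Connection refused" is a TCP RST from the host, meaning the packet got through and nothing was listening.

```shell
#!/bin/bash
# Added example (not from the thread): triage "Connection refused" on a
# non-standard SSH port. Port 2222 and the /tmp file names are assumptions.

# Print every uncommented "Port" directive in an OpenSSH config file.
# Run it on sshd_config (server). A Port line in ssh_config only changes
# the port the client dials by default and does nothing for sshd.
config_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1"
}

# Classify the error the ssh client printed. Under an INPUT policy of DROP,
# a filtered port times out; "Connection refused" is a TCP RST from the
# host itself, so the packet passed the firewall and found no listener.
diagnose_connect_error() {
    case "$1" in
        *"Connection refused"*)
            echo "refused: the firewall let it through, but nothing listens on that port (or a REJECT rule answered). Check the Port line in sshd_config and restart sshd." ;;
        *"timed out"*)
            echo "timeout: no reply at all, which is what a missing ACCEPT rule looks like under a DROP policy." ;;
        *"No route to host"*)
            echo "unreachable: ICMP unreachable from the path, or a REJECT --reject-with icmp-host-unreachable rule." ;;
        *)
            echo "unknown: $1" ;;
    esac
}

# Read "iptables -S INPUT" output on stdin; succeed if some rule accepts TCP port $1.
# ( |$) keeps "--dport 22" from matching "--dport 2222".
rules_accept_tcp_port() {
    grep -E -e "^-A INPUT .*-p tcp .*--dport $1( |\$)" | grep -q -e "-j ACCEPT"
}

# Succeed if a TCP listener is bound to port $1. Field 4 is the local
# address:port column in both "ss -ltn" and "netstat -ltn".
listening_on() {
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } |
        awk -v p=":$1" '$4 ~ p"$" { found = 1 } END { exit !found }'
}

# Live triage of one port on the server itself (iptables -S needs root).
triage_port() {
    if listening_on "$1"; then echo "something is listening on tcp/$1"; else echo "nothing is listening on tcp/$1"; fi
    if iptables -S INPUT 2>/dev/null | rules_accept_tcp_port "$1"; then echo "INPUT accepts tcp/$1"; else echo "no INPUT ACCEPT rule for tcp/$1"; fi
}

# --- demo on constructed files, so it runs without sshd or root ---
demo_dir=$(mktemp -d)
printf 'Host *\n    Port 2222\n' > "$demo_dir/ssh_config"     # client file (constructed)
printf '# Port 22\nPort 2222\n' > "$demo_dir/sshd_config"     # server file (constructed)
echo "client default port (ssh_config): $(config_ports "$demo_dir/ssh_config")"
echo "server listening port (sshd_config): $(config_ports "$demo_dir/sshd_config")"
diagnose_connect_error "ssh: connect to host myserver port 2222: Connection refused"
# Constructed "iptables -S INPUT" dump in the shape the OP's script produces.
printf '%s\n' '-P INPUT DROP' '-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT' '-A INPUT -i lo -j ACCEPT' |
    rules_accept_tcp_port 2222 && echo "rule dump accepts tcp/2222"
rm -rf "$demo_dir"
# On the server, as root: triage_port 2222
```

When the demo's last step is run against the real server with `iptables -S INPUT | rules_accept_tcp_port 2222`, and `listening_on 2222` fails while the ACCEPT rule is present, the firewall is not the problem: sshd is still on port 22 because the Port line went into the client file.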