Networking Forums


Need help with iptables

 
 
victargo@hotmail.com
Guest
Posts: n/a

 
      03-12-2006, 10:44 PM
I have just installed Fedora 4 (with iptables-1.3.0-2.i386) and got
stuck with netfilter. I want to add a chain to allow another computer
in my local network to connect to this server (ssh or else). Here is
the content of the shell script I run to set up new chains for that:

# create the two user-defined chains
iptables -N allow_ssh_in
iptables -N allow_ssh_out

# inbound: accept NEW and ESTABLISHED/RELATED TCP from 192.168.2.11, log the rest
iptables -A allow_ssh_in -s 192.168.2.11 -m state --state NEW -p tcp -j ACCEPT
iptables -A allow_ssh_in -s 192.168.2.11 -m state --state ESTABLISHED,RELATED -p tcp -j ACCEPT
iptables -A allow_ssh_in -m limit -j LOG --log-prefix "allow-ssh-in: "

# outbound: same for TCP towards 192.168.2.11, log the rest
iptables -A allow_ssh_out -d 192.168.2.11 -m state --state NEW -p tcp -j ACCEPT
iptables -A allow_ssh_out -d 192.168.2.11 -m state --state ESTABLISHED,RELATED -p tcp -j ACCEPT
iptables -A allow_ssh_out -m limit -j LOG --log-prefix "allow-ssh-out: "

# hook the user chains into the built-in chains
iptables -A INPUT -j allow_ssh_in
iptables -A OUTPUT -j allow_ssh_out


Something is wrong though since when I try to connect from 192.168.2.11
through ssh I get the log messages with packets from 'allow-ssh-out: ',
and no connection is established. If I shut down iptables ($server
iptables stop), the connection gets established no problem.
Could anybody help me with this?
Thank you

Peter

 
 
 
 
 
Llanzlan Klazmon
Guest
Posts: n/a

 
      03-12-2006, 11:47 PM
(E-Mail Removed) wrote in news:1142207080.128305.146100@v46g2000cwv.googlegroups.com:

> I have just installed Fedora 4 (with iptables-1.3.0-2.i386) and got
> stuck with netfilter. I want to add a chain to allow another computer
> in my local network to connect to this server (ssh or else). Here is
> the content of the shell script I run to setup a new chains for that:
>
> iptables -N allow_ssh_in
> iptables -N allow_ssh_out
>
> iptables -A allow_ssh_in -s 192.168.2.11 -m state --state NEW -p tcp -j
> ACCEPT
> iptables -A allow_ssh_in -s 192.168.2.11 -m state --state
> ESTABLISHED,RELATED -p tcp -j ACCEPT
> iptables -A allow_ssh_in -m limit -j LOG --log-prefix "allow-ssh-in: "
>
> iptables -A allow_ssh_out -d 192.168.2.11 -m state --state NEW -p tcp
> -j ACCEPT
> iptables -A allow_ssh_out -d 192.168.2.11 -m state --state
> ESTABLISHED,RELATED -p tcp -j ACCEPT
> iptables -A allow_ssh_out -m limit -j LOG --log-prefix "allow-ssh-out:
> "
>
> iptables -A INPUT -j allow_ssh_in
> iptables -A OUTPUT -j allow_ssh_out
>
>
> Something is wrong though since when I try to connect from 192.168.2.11
> through ssh I get the log messages with packets from 'allow-ssh-out: ',
> and no connection is estabished. If I shut down iptables ($server
> iptables stop), the connection gets established no problem.
> Could anybody help me with this?
> Thank you
>
> Peter
>
>


Is the connection tracking module loaded?

Klazmon.
 
 
Allen McIntosh
Guest
Posts: n/a

 
      03-13-2006, 12:28 AM
> Something is wrong though since when I try to connect from 192.168.2.11
> through ssh I get the log messages with packets from 'allow-ssh-out: ',
> and no connection is estabished. If I shut down iptables ($server
> iptables stop), the connection gets established no problem.


Anything outbound that is not (SSH + 192.168.2.11) will be logged. This
means DNS lookups, for example. You might want to be a little more
restrictive on what you log (only TCP SYNs, for example).

I don't see a DROP or REJECT anywhere, which means that ultimately you
are letting everything in.

Depending on how hostile your environment is, and how nasty you want to be
to your users, you might consider only looking at TCP SYNs inbound to
the SSH port, and then filtering those (with a final target of DROP).
 
 
Grant
Guest
Posts: n/a

 
      03-13-2006, 01:04 AM
On 12 Mar 2006 15:44:40 -0800, (E-Mail Removed) wrote:

>I have just installed Fedora 4 (with iptables-1.3.0-2.i386) and got
>stuck with netfilter. I want to add a chain to allow another computer
>in my local network to connect to this server (ssh or else). Here is
>the content of the shell script I run to setup a new chains for that:
>
>iptables -N allow_ssh_in
>iptables -N allow_ssh_out
>
>iptables -A allow_ssh_in -s 192.168.2.11 -m state --state NEW -p tcp -j
>ACCEPT
>iptables -A allow_ssh_in -s 192.168.2.11 -m state --state
>ESTABLISHED,RELATED -p tcp -j ACCEPT
>iptables -A allow_ssh_in -m limit -j LOG --log-prefix "allow-ssh-in: "
>
>iptables -A allow_ssh_out -d 192.168.2.11 -m state --state NEW -p tcp
>-j ACCEPT
>iptables -A allow_ssh_out -d 192.168.2.11 -m state --state
>ESTABLISHED,RELATED -p tcp -j ACCEPT
>iptables -A allow_ssh_out -m limit -j LOG --log-prefix "allow-ssh-out:
>"
>
>iptables -A INPUT -j allow_ssh_in
>iptables -A OUTPUT -j allow_ssh_out


MSTATE="--match state --state"
....
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p all $MSTATE ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p all -i lo -j ACCEPT
....
iptables -A INPUT -p tcp $MSTATE NEW --dport ssh \
-s 192.168.2.11 -j ACCEPT
....
should do it

Grant.
--
Testing can show the presence of bugs, but not their absence.
-- Dijkstra
 
 
victargo@hotmail.com
Guest
Posts: n/a

 
      03-13-2006, 11:12 PM
Thank you all for replies.
I've found a solution. The way iptables is installed and configured
on Fedora 4, it 'hooks' a custom chain called 'RH-Firewall-1-INPUT' to
INPUT and FORWARD. This chain does not work in my case, so I have to
flush it. Basically, I could not see the input packets logged with
allow-ssh-in since my custom chain had not been invoked, all input
packets being consumed by the first-mentioned chain. For my script to
work, I had to add four more lines:

iptables -F INPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP

(the OUTPUT chain is on ACCEPT by default).

Now I can remove the log rules since I don't want to see packets
coming in from and going out to 192.168.2.11 :-) anymore.

Peter
 
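The whole thread turns on how the filter table is walked: rules are tried in order, ACCEPT/DROP/REJECT end the walk, a user chain is a jump that returns to its caller when the packet falls off its end, and the built-in chain's policy applies only if nothing terminal matched. The following toy model is an added example, not code from this thread or from Fedora; it reconstructs Peter's situation (his allow_ssh_in appended behind a stock RH-Firewall-1-INPUT that ends in REJECT), his flush-and-DROP fix, and the shape Grant and Allen suggested (conntrack first, only SSH SYNs from the trusted host, log only SYNs that reach the end). The two-rule RH-Firewall-1-INPUT here is a simplified stand-in for the real Fedora chain (an assumption; the real one has more ACCEPTs before its final REJECT), and interfaces, -m limit and --reject-with are not modelled.

```python
"""Toy model of netfilter filter-table traversal (added example; not iptables itself)."""
from dataclasses import dataclass
from typing import Optional

ACCEPT, DROP, REJECT, RETURN, LOG = "ACCEPT", "DROP", "REJECT", "RETURN", "LOG"
TERMINAL = {ACCEPT, DROP, REJECT}


@dataclass
class Packet:
    src: str
    proto: str = "tcp"
    dport: int = 22
    state: str = "NEW"        # what -m state would report for this packet
    syn: bool = True          # True for a bare SYN (what --syn matches)


@dataclass
class Rule:
    target: str                          # ACCEPT/DROP/REJECT/RETURN/LOG or a user-chain name
    src: Optional[str] = None            # -s
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    states: Optional[frozenset] = None   # -m state --state
    syn: Optional[bool] = None           # --syn

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or p.src == self.src)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.states is None or p.state in self.states)
                and (self.syn is None or p.syn == self.syn))


class Filter:
    def __init__(self, policies):
        self.policies = dict(policies)                 # built-in chain -> default policy
        self.chains = {name: [] for name in policies}
        self.logged = []                               # (chain, src, dport) per LOG hit

    def new_chain(self, name): self.chains[name] = []                 # iptables -N
    def flush(self, name): self.chains[name] = []                     # iptables -F
    def append(self, chain, rule): self.chains[chain].append(rule)    # iptables -A

    def _walk(self, chain, p, path):
        path.append(chain)
        for rule in self.chains[chain]:
            if not rule.matches(p):
                continue
            if rule.target == LOG:                     # non-terminating: record and keep going
                self.logged.append((chain, p.src, p.dport))
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == RETURN:
                return None
            verdict = self._walk(rule.target, p, path)  # jump into a user chain
            if verdict is not None:
                return verdict
        return None                                    # fell off the end: implicit RETURN

    def verdict(self, chain, p, path=None):
        v = self._walk(chain, p, [] if path is None else path)
        return v if v is not None else self.policies[chain]


def fedora_default():
    """Assumed, simplified stand-in for the stock Fedora 4 layout: RH-Firewall-1-INPUT
    hooked from INPUT and FORWARD and ending in an unconditional REJECT."""
    f = Filter({"INPUT": ACCEPT, "FORWARD": ACCEPT, "OUTPUT": ACCEPT})
    f.new_chain("RH-Firewall-1-INPUT")
    f.append("RH-Firewall-1-INPUT", Rule(ACCEPT, states=frozenset({"ESTABLISHED", "RELATED"})))
    f.append("RH-Firewall-1-INPUT", Rule(REJECT))
    f.append("INPUT", Rule("RH-Firewall-1-INPUT"))
    f.append("FORWARD", Rule("RH-Firewall-1-INPUT"))
    return f


def add_allow_ssh_in(f):
    """The original post's allow_ssh_in chain, appended to INPUT as posted (no --dport)."""
    f.new_chain("allow_ssh_in")
    f.append("allow_ssh_in", Rule(ACCEPT, src="192.168.2.11", proto="tcp", states=frozenset({"NEW"})))
    f.append("allow_ssh_in", Rule(ACCEPT, src="192.168.2.11", proto="tcp",
                                  states=frozenset({"ESTABLISHED", "RELATED"})))
    f.append("allow_ssh_in", Rule(LOG))
    f.append("INPUT", Rule("allow_ssh_in"))


def as_posted():
    """The REJECT in RH-Firewall-1-INPUT ends the walk: allow_ssh_in is never entered, nothing logged."""
    f = fedora_default()
    add_allow_ssh_in(f)
    path = []
    return f.verdict("INPUT", Packet("192.168.2.11"), path), path, len(f.logged)


def peters_fix():
    """Flush INPUT/FORWARD, policy DROP, then the posted chain: SSH from .11 works,
    but so does any other TCP port from .11, since the rules carry no --dport."""
    f = fedora_default()
    f.flush("INPUT")
    f.flush("FORWARD")
    f.policies["INPUT"] = f.policies["FORWARD"] = DROP
    add_allow_ssh_in(f)
    return (f.verdict("INPUT", Packet("192.168.2.11")),
            f.verdict("INPUT", Packet("192.168.2.11", dport=80)),
            f.verdict("INPUT", Packet("192.168.2.12")))


def hardened():
    """Grant's shape plus Allen's logging advice: conntrack first, only SSH SYNs from
    the trusted host, log only SYNs that reach the end, DROP policy does the rest."""
    f = Filter({"INPUT": DROP, "FORWARD": DROP, "OUTPUT": ACCEPT})
    f.append("INPUT", Rule(ACCEPT, states=frozenset({"ESTABLISHED", "RELATED"})))
    f.append("INPUT", Rule(ACCEPT, src="192.168.2.11", proto="tcp", dport=22,
                           states=frozenset({"NEW"}), syn=True))
    f.append("INPUT", Rule(LOG, proto="tcp", syn=True))
    return (f.verdict("INPUT", Packet("192.168.2.11")),                  # SSH SYN from .11
            f.verdict("INPUT", Packet("192.168.2.11", dport=80)),        # other port from .11
            f.verdict("INPUT", Packet("192.168.2.12")),                  # SSH SYN from elsewhere
            f.verdict("INPUT", Packet("192.168.2.12", dport=80, state="ESTABLISHED", syn=False)),
            len(f.logged))
```

as_posted() returns ("REJECT", ["INPUT", "RH-Firewall-1-INPUT"], 0): the path never reaches allow_ssh_in, which is exactly why Peter saw allow-ssh-out messages but never allow-ssh-in ones. Flushing the stock chain (or inserting the jump ahead of it with -I instead of -A) fixes the reachability problem, but peters_fix() also shows that the posted rules admit every TCP port from 192.168.2.11; hardened() narrows that to SSH SYNs and logs only the SYNs that fall through to the DROP policy.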