#1
Hi,
I have iptables running on Red Hat Linux. sshd is running on this machine. I can access this machine through SSH from within my LAN, but from the outside Internet I am not able to access any machine within the LAN (internal IP addresses); the connection times out from the Internet to this firewall machine. If I need to access a particular machine through SSH through iptables, what rules need to be built?

Many thanks in advance
-Karmath
gaur_ms@yahoo.co.in
#2
(E-Mail Removed) wrote:
> Hi,
> I have iptables running on redhat Linux. sshd is running on this
> machine. I can access this machine through ssh from within my lan but
> from outside internet I am not able to access to any machine within the
> LAN (internal IP addresses) the connection times out from internet to
> this firewall machine. If I need to access a particular machine through
> Ssh through iptables what rules need to be built?
> Many thanks in advance
> -Karmath

Hi, take this.

BR
Hans-Juergen Lange

```bash
#!/bin/bash
INET="ppp0"                      # Internet-facing interface (dial-up here)
LAN="eth1"                       # internal LAN interface
LO="lo"
LAN_IP_RANGE="192.168.10.0/24"
LAN_IP="192.168.10.1"            # firewall's own LAN address
LAN_BROADCAST="192.168.10.255"
IPTABLES="/sbin/iptables"

# Routing between interfaces must be on, or DNAT'd packets never reach the LAN.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "Setup standard policies"
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# -F takes only a chain name; the original "-F INPUT DROP" is a syntax error.
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
# Note: the nat table is not flushed, so re-running the script duplicates its rules.

echo "Setup user defined chain allowed"
# This chain is created but never referenced by the rules below.
$IPTABLES -N allowed
$IPTABLES -F allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

echo "Allow gnutella"
$IPTABLES -A FORWARD -p TCP -i $INET --dport 8347 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET --dport 8347 -j DNAT \
    --to-destination 192.168.10.3

echo "Forward ssh port"
# Port forwarding needs two pieces: a nat PREROUTING DNAT that rewrites the
# destination to the LAN host, and a FORWARD rule that lets the rewritten
# packet through the DROP policy. SSH is TCP only; the udp rules are harmless
# but unnecessary.
$IPTABLES -A FORWARD -p udp -i $INET --dport 22 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -i $INET --dport 22 -j DNAT \
    --to-destination 192.168.10.3
$IPTABLES -A FORWARD -p TCP -i $INET --dport 22 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET --dport 22 -j DNAT \
    --to-destination 192.168.10.3

echo "block incoming connections"
# New TCP connections must start with a SYN.
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

echo "Accept outgoing"
$IPTABLES -A INPUT -p ALL -i $LAN -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN -d $LAN_BROADCAST -j ACCEPT

echo "Accept established and related"
$IPTABLES -A INPUT -p ALL -i $INET -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Drop sync packets"
# Same SYN check for forwarded traffic.
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

echo "Windows block"
# Keep NetBIOS/SMB/RPC/ISAKMP from leaking out of the LAN.
$IPTABLES -A FORWARD -p udp -i $LAN --dport 137:139 -j DROP
$IPTABLES -A FORWARD -p udp -i $LAN --dport 135 -j DROP
$IPTABLES -A FORWARD -p udp -i $LAN --dport 500 -j DROP
$IPTABLES -A FORWARD -p tcp -i $LAN --dport 445 -j DROP

echo "Forward all others"
$IPTABLES -A FORWARD -i $LAN -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Output rules"
$IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET -j ACCEPT

echo "Post routing"
# Source NAT for LAN hosts going out to the Internet.
$IPTABLES -t nat -A POSTROUTING -o $INET -j MASQUERADE
```
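A stripped-down version of the SSH forwarding part of that script, added here as an example and not code from the thread: it emits only the rules needed to DNAT inbound TCP/22 to one LAN host, lets the accepted source be narrowed to a known address, and prints the rules for review before applying them. The interface name, LAN host and allowed source are assumed values.

```bash
#!/bin/sh
# Added example (not from the thread). Assumed values; override via environment.
INET="${INET:-ppp0}"                  # Internet-facing interface
SSH_HOST="${SSH_HOST:-192.168.10.3}"  # LAN host that should receive SSH
ALLOWED_SRC="${ALLOWED_SRC:-0.0.0.0/0}"  # narrow to a trusted source if one is known
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print the rules instead of running them, so they can be reviewed first.
ssh_forward_rules() {
    inet="$1"; host="$2"; src="$3"
    # SSH is TCP only, so no UDP rule is needed.
    # 1. Rewrite the destination of SSH connections arriving from the Internet.
    echo "$IPTABLES -t nat -A PREROUTING -i $inet -p tcp -s $src --dport 22 -j DNAT --to-destination $host:22"
    # 2. Let the rewritten packets cross the FORWARD chain (policy DROP).
    echo "$IPTABLES -A FORWARD -i $inet -p tcp -s $src -d $host --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # 3. Replies and later packets of the connection, in both directions.
    echo "$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 4. Traffic forwarded out to the Internet needs the firewall's public address.
    echo "$IPTABLES -t nat -A POSTROUTING -o $inet -j MASQUERADE"
}

# DNAT alone is useless if the kernel does not route between interfaces.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

case "${1:-show}" in
    show)  ssh_forward_rules "$INET" "$SSH_HOST" "$ALLOWED_SRC" ;;
    apply) forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
           ssh_forward_rules "$INET" "$SSH_HOST" "$ALLOWED_SRC" | sh -e ;;
esac
```

Run with no argument to print the rules; `apply` runs them as root. The printed commands use the conntrack match, which replaced the older state match used in the script above.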