NetFilter

Re: can't ssh outside with OUTPUT (policy ACCEPT)

To: Maxim Veksler <hq4ever@gmail.com>
Subject: Re: can't ssh outside with OUTPUT (policy ACCEPT)
From: Martijn Lievaart <m@rtij.nl>
Date: Wed, 08 Aug 2007 19:45:33 +0200
Cc: netfilter@lists.netfilter.org
In-reply-to: <b400c69a0708080942j69063e1em16ef7224f78f6fea@mail.gmail.com>
References: <b400c69a0708080942j69063e1em16ef7224f78f6fea@mail.gmail.com>
User-agent: Thunderbird 1.5.0.10 (X11/20070302)
Maxim Veksler wrote:
Hello,

Following a recent thread on this list, I've configured my firewall to
allow incoming traffic from specific IPs only. Now I can't ssh
outside; could someone please explain why this is happening?

The system is Red Hat 4.

[root@prd-001 ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  xxx.114.183.1        anywhere
ACCEPT     all  --  yyy.8.145.182        anywhere
ACCEPT     all  --  zzz.68.137.158       anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@prd-001 ~]# iptables-save
# Generated by iptables-save v1.2.11 on Wed Aug  8 19:26:51 2007
*filter
:INPUT DROP [110564:24802104]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [637061:352312072]
-A INPUT -s xxx.114.183.1 -j ACCEPT
-A INPUT -s yyy.8.145.182 -j ACCEPT
-A INPUT -s zzz.68.137.158 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Wed Aug  8 19:26:51 2007


Trying to ssh to "aaa.bbb.216.35" fails with a timeout, and
tcpdump on the other side shows no TCP handshake is made.

You don't allow the return packets in. Add a -m state --state ESTABLISHED,RELATED match as the first rule in your INPUT chain.

HTH,
M4
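The following audit script is an added example, not part of this thread or of the netfilter project. It checks an iptables-save dump for the failure mode discussed above (filter INPUT policy DROP with no rule accepting ESTABLISHED,RELATED, so replies to outbound connections are dropped) and emits the corrected dump with the stateful accept as the first INPUT rule. The embedded dump is reconstructed from the original post, with the same anonymised addresses.

```shell
#!/bin/sh
# Audit an iptables-save dump for the problem in the thread: INPUT policy
# DROP without an ESTABLISHED,RELATED accept, so SYN-ACKs never get in.

# Constructed sample: the ruleset from the original post (addresses anonymised as posted).
BROKEN_DUMP='*filter
:INPUT DROP [110564:24802104]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [637061:352312072]
-A INPUT -s xxx.114.183.1 -j ACCEPT
-A INPUT -s yyy.8.145.182 -j ACCEPT
-A INPUT -s zzz.68.137.158 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# The fix from the reply: accept return traffic before any other INPUT rule.
STATEFUL_RULE='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

# input_drops_replies DUMP
#   Prints "missing" when the filter table's INPUT policy is DROP and no
#   INPUT rule accepts ESTABLISHED (via -m state or -m conntrack); else "ok".
input_drops_replies() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:INPUT DROP/ { drop = 1 }
        table == "filter" && /^-A INPUT / && /-j ACCEPT/ && (/--state [A-Z,]*ESTABLISHED/ || /--ctstate [A-Z,]*ESTABLISHED/) { stateful = 1 }
        END { if (drop && !stateful) print "missing"; else print "ok" }'
}

# fix_dump DUMP
#   Emits DUMP with STATEFUL_RULE inserted ahead of the first INPUT rule
#   (or before COMMIT when the chain has no rules), so it is evaluated first.
fix_dump() {
    printf '%s\n' "$1" | awk -v rule="$STATEFUL_RULE" '
        !done && (/^-A INPUT / || /^COMMIT$/) { print rule; done = 1 }
        { print }'
}

# Stand-alone usage: report on the sample and show the corrected ruleset.
echo "sample ruleset: $(input_drops_replies "$BROKEN_DUMP")"
fix_dump "$BROKEN_DUMP"
```

Feed a live dump with `fix_dump "$(iptables-save)"` and review the output before loading it with iptables-restore; the checker only recognises the state and conntrack matches, so a ruleset that accepts replies another way will still be reported as "missing".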


