NetFilter : connexion refused with my set of rules (Linux Security forums, System Security and Security Related category)
Hello,
I modified /etc/ssh/sshd_config to force the ssh server to listen on port 443:

....
Port 443
....

So I try the connection from my machine like this:

ssh -2 -p 443 theusername@themachinename

From the local network it works fine, but not from the Internet, because I don't know netfilter very well. I traced the connection attempt in /var/log/messages:

.....
Sep 8 13:24:48 paradise kernel: IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:60:4c:14:d8:2e:00:60:4c:14:d8:2f:08:00 SRC=145.248.192.4 DST=81.57.11.43 LEN=64 TOS=0x00 PREC=0x00 TTL=53 ID=42043 DF PROTO=TCP SPT=29333 DPT=443 WINDOW=32850 RES=0x00 SYN URGP=0
Sep 8 13:24:51 paradise kernel: IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:60:4c:14:d8:2e:00:60:4c:14:d8:2f:08:00 SRC=145.248.192.4 DST=81.57.11.43 LEN=64 TOS=0x00 PREC=0x00 TTL=53 ID=42044 DF PROTO=TCP SPT=29333 DPT=443 WINDOW=32850 RES=0x00 SYN URGP=0
.....

I want to connect on port 443 but Netfilter drops my packets. I read good documentation at http://www.kalamazoolinux.org/presen...conntrack.html but I haven't managed to find the right set of rules. My set of rules to allow SSH connections from the Internet on port 443 to my machine is:

/sbin/iptables -A INPUT -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

Ideas and advice are really welcome.

Sincerely,
Jeannot Lelapin

==================================================================
my rules : /etc/iptables.rules
==================================================================

#!/bin/bash
## ============================================================
## Load modules
IPTABLES="/sbin/iptables"
DEPMOD="/sbin/depmod"
MODPROBE="/sbin/modprobe"

# Load all required IPTables modules
# Needed to initially load modules
$DEPMOD -a

# Load appropriate modules.
$MODPROBE ip_tables
# Support for connection tracking
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
# MODIF BEGIN
$MODPROBE ip_conntrack_irc
# Adds some $IPTABLES targets like LOG, REJECT and MASQUERADE.
$MODPROBE ipt_LOG
$MODPROBE ipt_REJECT
$MODPROBE ipt_MASQUERADE
# Support for owner matching
$MODPROBE ipt_owner
# MODIF END

## ============================================================
## Reset all configurations
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

## ============================================================
## Default Policy
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

## ============================================================
## Some definitions:

## ============================================================
## Kernel flags
# /bin/echo "1" > /proc/sys/net/ipv4/ip_dynaddr
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo "1" > ${interface}
done
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward

## ============================================================
# RULES

## LOOPBACK
# Allow unlimited traffic on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

## SYN-FLOODING PROTECTION
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP

## FRAGMENTS
$IPTABLES -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
$IPTABLES -A INPUT -f -j DROP

## Make sure NEW tcp connections are SYN packets
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

## DNS
# Allow UDP packets in for DNS client from nameservers.
$IPTABLES -A INPUT -p udp -s 212.27.32.5 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow UDP packets to DNS servers from client.
$IPTABLES -A OUTPUT -p udp -d 212.27.32.5 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

## WWW
# Allow www outbound to 80.
$IPTABLES -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

## SSH
# Allow ssh outbound.
$IPTABLES -A INPUT -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# ICMP
# We accept icmp in if it is "related" to other connections
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# We always allow icmp out.
$IPTABLES -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## LOGGING
# Any udp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
$IPTABLES -A INPUT -p udp -j DROP
$IPTABLES -A OUTPUT -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
$IPTABLES -A OUTPUT -p udp -j DROP
# Any icmp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
$IPTABLES -A INPUT -p icmp -j DROP
$IPTABLES -A OUTPUT -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
$IPTABLES -A OUTPUT -p icmp -j DROP
# Any tcp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
$IPTABLES -A INPUT -p tcp -j DROP
$IPTABLES -A OUTPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
$IPTABLES -A OUTPUT -p tcp -j DROP
# Anything else not already allowed is logged and then dropped.
$IPTABLES -A INPUT -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
$IPTABLES -A OUTPUT -j DROP
In article <3F5CC680.9050907@free.fr>, jeannot.lelapin@free.fr says...
> My set of rules to allow SSH connection from internet on port 443 to my
> machine is :
> /sbin/iptables -A INPUT -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

??? mmm, you want to have :

(www) ----> (your machine, port 443) (for ssh connect)

right ?

So, use that on your machine. If you want to log it :

iptables -A INPUT -p tcp --syn -m state --state NEW --sport 1024:65535 --dport 443 -i ppp+ -j LOG --log-prefix "SSH ACCEPT "

And to accept ssh for incoming requests :

-A INPUT -p tcp --syn -m state --state NEW --sport 1024:65535 --dport 443 -i ppp+ -j ACCEPT

For the outgoing return packets :

-A OUTPUT -p tcp ! --syn -m state --state ESTABLISHED,RELATED --sport 443 --dport 1024:65535 -o ppp+ -j ACCEPT

Replace ppp+ with your Internet-facing interface ;-)

See you, Jeannot,
if you have any questions...
Doff
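To make the port-direction point concrete, here is an added example (not code from either poster) that models how iptables port and state matching treats the two rule pairs in this thread. It feeds in the very LOG line Jeannot quoted from /var/log/messages, then checks the verdict of his INPUT/OUTPUT pair against Doff's. Assumptions, labelled in the code: the chain policy is DROP as in Jeannot's script; conntrack is simplified to NEW for the first SYN-only packet and ESTABLISHED for everything after it (RELATED is not modelled); `--syn` means SYN set with ACK, RST and FIN clear.

```python
"""Added example: why `--sport 443` in INPUT drops an inbound SSH SYN.
Simplified model of iptables port/state matching; not the thread's own code.
Assumes policy DROP, NEW = first SYN-only packet, ESTABLISHED = anything after."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Quoted from the poster's /var/log/messages excerpt.
SAMPLE_LOG = (
    "Sep 8 13:24:48 paradise kernel: IPTABLES TCP-IN: IN=eth1 OUT= "
    "MAC=00:60:4c:14:d8:2e:00:60:4c:14:d8:2f:08:00 SRC=145.248.192.4 "
    "DST=81.57.11.43 LEN=64 TOS=0x00 PREC=0x00 TTL=53 ID=42043 DF PROTO=TCP "
    "SPT=29333 DPT=443 WINDOW=32850 RES=0x00 SYN URGP=0"
)
PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Packet:
    chain: str        # "INPUT" (arriving) or "OUTPUT" (locally generated)
    src: str
    dst: str
    sport: int
    dport: int
    syn_only: bool    # iptables --syn: SYN set, ACK/RST/FIN clear
    state: str        # simplified conntrack state: NEW or ESTABLISHED


@dataclass(frozen=True)
class Rule:
    chain: str
    sport: Optional[PortRange] = None
    dport: Optional[PortRange] = None
    states: FrozenSet[str] = frozenset({"NEW", "ESTABLISHED"})
    syn: Optional[bool] = None   # True = --syn, False = ! --syn, None = any

    def matches(self, p: Packet) -> bool:
        if p.chain != self.chain or p.state not in self.states:
            return False
        if self.sport and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        return self.syn is None or self.syn == p.syn_only


def port(n: int) -> PortRange:
    return (n, n)


# The two ACCEPT pairs from the thread, transcribed as Rule objects.
POSTER_RULES: List[Rule] = [
    Rule("INPUT", sport=port(443)),    # --sport 443 --state NEW,ESTABLISHED
    Rule("OUTPUT", dport=port(443)),   # --dport 443 --state NEW,ESTABLISHED
]
DOFF_RULES: List[Rule] = [
    Rule("INPUT", sport=(1024, 65535), dport=port(443),
         states=frozenset({"NEW"}), syn=True),
    Rule("OUTPUT", sport=port(443), dport=(1024, 65535),
         states=frozenset({"ESTABLISHED", "RELATED"}), syn=False),
]

KV_RE = re.compile(r"(\w+)=(\S*)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST)\b")


def parse_log_line(line: str) -> Packet:
    """Turn a netfilter LOG line into a Packet: an empty OUT= means the packet
    was seen in INPUT; a lone SYN flag means the first packet of a NEW flow."""
    kv = dict(KV_RE.findall(line))
    syn_only = set(FLAG_RE.findall(line)) == {"SYN"}
    return Packet(chain="INPUT" if kv.get("OUT", "") == "" else "OUTPUT",
                  src=kv["SRC"], dst=kv["DST"],
                  sport=int(kv["SPT"]), dport=int(kv["DPT"]),
                  syn_only=syn_only, state="NEW" if syn_only else "ESTABLISHED")


def reply_to(p: Packet) -> Packet:
    """The SYN/ACK this host sends back: addresses and ports swapped, opposite
    chain, ESTABLISHED, and not --syn because ACK is set."""
    return Packet(chain="OUTPUT" if p.chain == "INPUT" else "INPUT",
                  src=p.dst, dst=p.src, sport=p.dport, dport=p.sport,
                  syn_only=False, state="ESTABLISHED")


def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching ACCEPT wins; otherwise the DROP policy applies."""
    return "ACCEPT" if any(r.matches(p) for r in rules) else "DROP"


if __name__ == "__main__":
    syn = parse_log_line(SAMPLE_LOG)
    for name, rules in (("poster", POSTER_RULES), ("Doff", DOFF_RULES)):
        print(f"{name:6} inbound SYN -> {verdict(rules, syn)}, "
              f"our SYN/ACK -> {verdict(rules, reply_to(syn))}")
```

Running it shows the logged SYN (SPT=29333, DPT=443) falling through the poster's INPUT rule, because that rule only matches packets whose source port is 443, while Doff's INPUT rule accepts it and his OUTPUT rule accepts the SYN/ACK. Feeding the model a locally originated connection to a remote port 443 gives the opposite result: the poster's pair accepts it and Doff's does not, which is the tell that his original rules describe outbound HTTPS browsing, not an inbound SSH service.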
Thanks Doff,
I understand your rules. My mistake is: I always considered '--dport' and '--sport' as describing a connection from my machine to the Internet. But for a connection from the Internet to my machine, I have to invert this port-number logic. I have set the rules. I can test these new rules tomorrow. I will send you back the result.

Jeannot

Doff wrote:
> In article <3F5CC680.9050907@free.fr>, jeannot.lelapin@free.fr says...
>
>> My set of rules to allow SSH connection from internet on port 443 to my
>> machine is :
>> /sbin/iptables -A INPUT -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
>> /sbin/iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> ??? mmm, you want to have :
>
> (www) ----> (your machine, port 443) (for ssh connect)
>
> right ?
>
> So, use that on your machine. If you want to log it :
> iptables -A INPUT -p tcp --syn -m state --state NEW --sport 1024:65535
> --dport 443 -i ppp+ -j LOG --log-prefix "SSH ACCEPT "
>
> And to accept ssh for incoming requests :
>
> -A INPUT -p tcp --syn -m state --state NEW --sport 1024:65535 --dport
> 443 -i ppp+ -j ACCEPT
>
> For the outgoing return packets :
>
> -A OUTPUT -p tcp ! --syn -m state --state ESTABLISHED,RELATED --sport
> 443 --dport 1024:65535 -o ppp+ -j ACCEPT
>
> Replace ppp+ with your Internet-facing interface ;-)
>
> See you, Jeannot,
> if you have any questions...
> Doff
It works fine.
Thanks a lot.

Jeannot Lelapin