Can't SSH after blocking UDP traffic / Firewall Question
I'm configuring my firewall (through iptables). When I block all UDP traffic (other than DNS), I can no longer open a SSH connection to my server (I'm connecting through PuTTy). Does anyone know why this is, and what I can keep open to fix this?
What exactly is the error you receive when trying to ssh to your server? What are the other rules you have in place in iptables, and specifically, what is the rule you are using to block UDP?
ASKER
Here is my iptables configuration, I'm using webmin to configure this file. This problem may also have to do with my fail2ban configuration. When I first setup the firewall, fail2ban was already in the firewall, I've pretty much taken it out because it didn't look like it was doing much.
I'm getting "Connection Refused", when I put these changes in place.
# Generated by iptables-save v1.2.11 on Mon Jul 16 20:28:19 2007
*mangle
:PREROUTING ACCEPT [2696780:446829969]
:INPUT ACCEPT [2696776:446829809]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2808381:854054509]
:POSTROUTING ACCEPT [2808381:854054509]
COMMIT
# Completed on Mon Jul 16 20:28:19 2007
# Generated by iptables-save v1.2.11 on Mon Jul 16 20:28:19 2007
*nat
:PREROUTING ACCEPT [2316660:117119074]
:POSTROUTING ACCEPT [164312:11907459]
:OUTPUT ACCEPT [164312:11907459]
COMMIT
# Completed on Mon Jul 16 20:28:19 2007
# Generated by iptables-save v1.2.11 on Mon Jul 16 20:28:19 2007
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 21,22,25,53,80,110,143,443
-A fail2ban-SSH -j RETURN
-A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 22,53
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp -j DROP
-A INPUT -p udp -m udp -j DROP
COMMIT
# Completed on Mon Jul 16 20:28:19 2007
I'm getting "Connection Refused", when I put these changes in place.
# Generated by iptables-save v1.2.11 on Mon Jul 16 20:28:19 2007
*mangle
:PREROUTING ACCEPT [2696780:446829969]
:INPUT ACCEPT [2696776:446829809]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2808381:854054509]
:POSTROUTING ACCEPT [2808381:854054509]
COMMIT
# Completed on Mon Jul 16 20:28:19 2007
# Generated by iptables-save v1.2.11 on Mon Jul 16 20:28:19 2007
*nat
:PREROUTING ACCEPT [2316660:117119074]
:POSTROUTING ACCEPT [164312:11907459]
:OUTPUT ACCEPT [164312:11907459]
COMMIT
# Completed on Mon Jul 16 20:28:19 2007
# Generated by iptables-save v1.2.11 on Mon Jul 16 20:28:19 2007
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 21,22,25,53,80,110,143,443
-A fail2ban-SSH -j RETURN
-A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 22,53
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp -j DROP
-A INPUT -p udp -m udp -j DROP
COMMIT
# Completed on Mon Jul 16 20:28:19 2007
Is this the machine that you are trying to SSH *to* or *from*?
ASKER
Firewall is running on the machine I'm trying to SSH to
Ok, there seems to be nothing really wrong with the setup you have posted. Do you have physical access to the server that you are trying to configure or is it remote? If you have physical access, it would probably be worth your time to sit at the console after you make your change which locks out ssh and run the following as root:
iptables --line-numbers -L -v -n
This will dump your current, in memory, config to the terminal. You may want to pipe this to less as it will probably go over 24 lines. Make sure that the config that gets dumped to the screen looks like what is in the file. I'm noticing that the file was last saved on the 16th and that you might be ending up with something different after your webmin configuration. You have to remember that what is in the save file does not reflect what the current running config is. The file is only changes when you run iptables-save /path/to/file. What you have posted should allow you to ssh to the machine so you probably want to take it to one more step of troubleshooting.
iptables --line-numbers -L -v -n
This will dump your current, in memory, config to the terminal. You may want to pipe this to less as it will probably go over 24 lines. Make sure that the config that gets dumped to the screen looks like what is in the file. I'm noticing that the file was last saved on the 16th and that you might be ending up with something different after your webmin configuration. You have to remember that what is in the save file does not reflect what the current running config is. The file is only changes when you run iptables-save /path/to/file. What you have posted should allow you to ssh to the machine so you probably want to take it to one more step of troubleshooting.
Hi,
You can fix this by issuing:
iptables -I INPUT 1 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 1 -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 22 -j ACCEPT
You can fix this by issuing:
iptables -I INPUT 1 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 1 -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 22 -j ACCEPT
ASKER
Here is the output of,
iptables --line-numbers -L -v -n
(below)
The interesting thing is I can apply the iptables, but if I have an open SSH connection, it'll still work fine. This problem is ONLY when I try to open a SSH connection after I apply the configuration, existing sessions won't be dropped.
xDamox, As you can see from the below configuration, I'm already accepting port 22 for both TCP and UDP
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
2 3 224 fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
3 26 2191 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 21,22,25,53,80,110,143,443
4 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp multiport dports 22,53
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
7 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 39 packets, 31874 bytes)
num pkts bytes target prot opt in out source destination
Chain fail2ban-SSH (1 references)
num pkts bytes target prot opt in out source destination
1 3 224 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
iptables --line-numbers -L -v -n
(below)
The interesting thing is I can apply the iptables, but if I have an open SSH connection, it'll still work fine. This problem is ONLY when I try to open a SSH connection after I apply the configuration, existing sessions won't be dropped.
xDamox, As you can see from the below configuration, I'm already accepting port 22 for both TCP and UDP
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
2 3 224 fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
3 26 2191 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 21,22,25,53,80,110,143,443
4 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp multiport dports 22,53
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
7 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 39 packets, 31874 bytes)
num pkts bytes target prot opt in out source destination
Chain fail2ban-SSH (1 references)
num pkts bytes target prot opt in out source destination
1 3 224 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Yea,
Try placing the SSH rule at the very beginning of the INPUT table.
Try placing the SSH rule at the very beginning of the INPUT table.
ASKER
I'm not dropping packets until the very end, so I'm not sure how that will help here.
Hi,
Its just to help with debugging and eliminate any other possible errors.
Its just to help with debugging and eliminate any other possible errors.
ASKER
Right, and on my above configuration, everything works as expected until I add a rule to drop all UDP packets at the very end. So something with UDP, not having to do with port 22 (which is already allowed above), is blocking PuTTY from connecting to my linux server. By the way, I'm using public key authentication when I try to log on.
I'm going to try specifying a port range, and see if I can't figure out exactly what port I'm blocking is causing the problem.
I'm going to try specifying a port range, and see if I can't figure out exactly what port I'm blocking is causing the problem.
ASKER
This problem is getting much more weirder.
I started opening and closing ranges of ports on my firewall, hoping to track down exactly what port I am blocking is causing the problem.
The port ranges I came up with were somewhere between 42000 - 42200. I was trying to track it down further, but whatever this is, it's changing ports on me every couple of minutes.
Why in the world would OpenSSH need an open UDP port in this range to be able to be successfully connected to? And why would it need to change?
I started opening and closing ranges of ports on my firewall, hoping to track down exactly what port I am blocking is causing the problem.
The port ranges I came up with were somewhere between 42000 - 42200. I was trying to track it down further, but whatever this is, it's changing ports on me every couple of minutes.
Why in the world would OpenSSH need an open UDP port in this range to be able to be successfully connected to? And why would it need to change?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I think I've learned a bit about firewalls today, and it makes a lot of sense now.
crustymonkey, you were right about the DNS issue. My ssh server was sending a DNS query, and blocking the response. In fact, my firewall was setup in such a way it would block ANY response from an outside server that it initiated, so even something as simple as the web wasn't working from my server.
So what I've ended up doing is adding a rule to allow any packets, for Established or Related connections. And everything appears to be working now!
Let me know if I've done something wrong.
crustymonkey, you were right about the DNS issue. My ssh server was sending a DNS query, and blocking the response. In fact, my firewall was setup in such a way it would block ANY response from an outside server that it initiated, so even something as simple as the web wasn't working from my server.
So what I've ended up doing is adding a rule to allow any packets, for Established or Related connections. And everything appears to be working now!
Let me know if I've done something wrong.
That sounds correct. I haven't worked with iptables in a while so I'm a little rusty (I use pf on FreeBSD nowadays). I probably should have noticed that though ;-) Anyhow, hope everything works right for you.
ASKER
Thanks again for your help!