rawandnet
asked on
ssh keeps on freezing caused by iptables
My SSH keeps disconnecting (freezing) after a while with the following iptables settings.
The only way to fix this is to enter the following line:
iptables -A INPUT -p ALL -s 192.168.2.0/24 -j ACCEPT
192.168.2.0/24 is my IP range, but this means trusting every protocol a local user sends; I am sure it will be the same case for HTTP as well. What am I missing here? And the freezing always happens when using the find command to search for a word.
# First drop everything (lets you open what you want)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
#iptables -A INPUT -p ALL -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.1.0.202 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.123 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#TCP rules
iptables -A INPUT -p TCP -s 0/0 --dport 80 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 22 -j okay
#ICMP rules
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# FORWARD chain rules
#iptables -A FORWARD -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT chain rules
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.1.0.202 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.123 -j ACCEPT
The "offending" line is commented out.
Without that line a connection could not start... if
This line in okay doesn't make sense:
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
as there is an earlier rule in the INPUT chain that matches before it.
These lines don't make much sense, as those source addresses shouldn't normally appear on the lo interface
(lo = from 127.0.0.1, to 127.0.0.1):
iptables -A INPUT -p ALL -i lo -s 10.1.0.202 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.123 -j ACCEPT
The start of the SSH session is arranged on:
iptables -A INPUT -p TCP -s 0/0 --dport 22 -j okay
This should match ANY source, so there should be no need for a special iptables rule.
What are your find commands? My guess is that the problem is there and not in iptables.
(It might happen that a special file exists when the firewall is active and that your find hangs on that, which isn't active with iptables turned "off".)
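The following script is an added example, not the ruleset posted in the thread and not anything the answerer wrote. It reorganises the same policy around connection tracking: the loopback rule matches on the interface instead of a source address (so pinging any of the host's own addresses from the host still works), ESTABLISHED,RELATED is accepted in both INPUT and OUTPUT before any per-port rule, the separate okay chain is dropped because the stateful rule already covers it, and a rate-limited LOG rule is placed in front of the DROP policies so that a "freezing" session can be traced to the packet that was actually dropped. The admin range (SSH_SRC), the IPT variable and the dry-run switch are this example's own conventions; it defaults to printing the commands, and only applies them when started with the argument apply as root.

```sh
#!/bin/sh
# Added example, not the original poster's ruleset.
# Default: dry run (prints the iptables commands). Run as root with the
# argument "apply" to load them. IPT can also be set to another binary
# (for instance IPT=iptables-legacy) when applying.
set -eu

IPT="${IPT:-iptables}"
SSH_SRC="${SSH_SRC:-0.0.0.0/0}"   # narrow to an admin range, e.g. 192.168.2.0/24 (assumption)
SSH_PORT="${SSH_PORT:-22}"

ipt() { "$IPT" "$@"; }

apply_policy() {
    # Flush first so the script can be re-run; the DROP policies are set
    # before the rules, so run this from a console, not only over SSH.
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -F FORWARD
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Loopback: match on the interface only. Packets a host sends to any of
    # its own addresses (10.1.0.202, 192.168.1.123, ...) also go through lo,
    # so a rule restricted to -s 127.0.0.1 is too narrow.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Stateful rules first, in BOTH directions: replies belonging to a tracked
    # connection are accepted regardless of which local address they use.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # New inbound connections: SSH from SSH_SRC, HTTP from anywhere.
    ipt -A INPUT -p tcp --syn -s "$SSH_SRC" --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT

    # ICMP: echo request and time-exceeded, as in the original policy. ICMP
    # errors for a tracked connection are already accepted as RELATED above.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

    # Connections the host itself opens (DNS, package updates, ...).
    ipt -A OUTPUT -m state --state NEW -j ACCEPT

    # Log whatever is about to hit the DROP policy, rate-limited. When a
    # session hangs, the kernel log then names the dropped packet.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
}

# Rules with packet/byte counters; a counter that keeps rising while a
# session is frozen points at the rule (or chain policy) responsible.
show_counters() {
    ipt -L -v -n --line-numbers
}

case "${1:-}" in
    apply) apply_policy ;;
    counters) show_counters ;;
    *) IPT=echo; apply_policy ;;
esac
```

After applying, reproduce the freeze (for example run the find command over the SSH session) and check `dmesg` or the syslog for lines prefixed `IPT-IN-DROP:` / `IPT-OUT-DROP:`, or compare the output of `sh script.sh counters` before and after; a drop that coincides with the hang identifies the missing rule instead of requiring a blanket accept for the whole 192.168.2.0/24 range.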
ASKER
If I remove these two lines, I won't be able to ping the local interface from the server itself:
(lo = from 127.0.0.1 , to 127.0.0.1).
iptables -A INPUT -p ALL -i lo -s 10.1.0.202 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.123 -j ACCEPT
You can always ping the local interface and it doesn't need those rules.
(And those IP addresses are NEVER bound to lo until you make them an alias there (and remove them elsewhere), which would render your server unreachable for others.)
From your question:
"and freezing always happen when using find command to search for a word."
What are the command(s) you use for this?
ASKER
This doesn't happen anymore; it might have been something within the network.
But still, if I remove those two lines, I won't be able to ping local IP addresses, including 127.0.0.1.
Well, I don't know your complete setup, so by all means feel free to insert them, but it should not be needed...
ASKER
thanks guys