MaglinFurniture asked:
IPTABLES - Restrict ssh access
I'm trying to restrict logging on to a Linux system via ssh using IPTABLES.
On the following CentOS site:
http://wiki.centos.org/HowTos/Network/SecuringSSH
I read that using the command below should do it:
iptables -A INPUT -p tcp -s x.x.x.x --dport 22 -j ACCEPT
that is, the above rule says allow SSH logins from IP address x.x.x.x (and presumably, from no other)
However, I am able to log in from a different IP no problem.
Here are my iptables settings (from /etc/sysconfig/iptables):
__________________________
# Generated by iptables-save v1.4.7 on Wed Oct 23 11:22:21 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [31:2596]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -p tcp -s 69.17.129.174 -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
[numerous rules which drop packets from specific IPs are removed - no point in listing these here]
-A INPUT -j LOG
-A FORWARD -j LOG
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Oct 23 11:22:21 2013
__________________________
If I do a listing (iptables -L), I see the following:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- vps-1001071-386.stwadmin.net anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- mail.maglin.com anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ETC
So this line from /etc/sysconfig/iptables
-A INPUT -p tcp -s 69.17.129.174 -m state --state NEW -m tcp --dport 22 -j ACCEPT
is supposed to allow access for SSH from only one IP (my assumption), and corresponds to this in the listing (iptables -L):
ACCEPT tcp -- mail.maglin.com anywhere state NEW tcp dpt:ssh
However, as I said, I can log in from a different IP no problem.
Thanks!
ASKER
@duncan_roe
I'm not sure I'd want to set the policy to DROP
The machine is a web server machine.
There are two basic things I want:
Allow web access
Prevent access via ssh except for certain IPs (possibly more than one -- say 3)
To address your specific reply:
From the CentOS link above, my understanding is that
iptables -A INPUT -p tcp -s x.x.x.x --dport 22 -j ACCEPT
is a specific rule. I did try this rule, but it had no effect, or, the same effect.
Are you saying that if my default policy for INPUT was DROP instead of ACCEPT, then applying this rule:
iptables -A INPUT -p tcp -s 69.17.129.174 --dport 22 -j ACCEPT
or even:
-A INPUT -p tcp -s 69.17.129.174 -m state --state NEW -m tcp --dport 22 -j ACCEPT
I would achieve my goal for ssh?
IF SO, if the default policy is ACCEPT, what would the rule have to be to allow access from a specific IP address?
If you want to let a few specified ssh addresses in and no others, stay with policy ACCEPT.
All you need do is
iptables -A INPUT -p tcp -s 69.17.129.174 --dport 22 -j ACCEPT
(other ips if any)
iptables -A INPUT -p tcp --dport 22 -j DROP
This will drop all other addresses attempting to use ssh.
ASKER
@duncan_roe
Hi
I tried this. Did not work.
Here is the current iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- mail.maglin.com anywhere state NEW tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
LOG all -- anywhere anywhere LOG level warning
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
Here is /etc/sysconfig/iptables:
__________________________
# Generated by iptables-save v1.4.7 on Thu Oct 24 11:21:00 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:137552]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -s 69.17.129.174/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j LOG
-A FORWARD -j LOG
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Oct 24 11:21:00 2013
__________________________
would the state information in this line
-A INPUT -s 69.17.129.174/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
cause the problem?
If not, what is wrong?
Thanks!
ASKER
@duncan_roe
I am working on another server, on which I have installed CentOS 6.4, and just finished configuring IPTABLES.
Bizarre, but adding the DROP line for SSH works fine on this machine!
Here is my current /etc/sysconfig/iptables (on the live machine):
# Generated by iptables-save v1.4.7 on Thu Oct 24 16:52:23 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32:3688]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -s 69.17.129.174/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j LOG
-A FORWARD -j LOG
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Oct 24 16:52:23 2013
and iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- mail.maglin.com anywhere state NEW tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
LOG all -- anywhere anywhere LOG level warning
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data state ESTABLISHED
On the machine I just set up (or am setting up), here is /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Oct 24 17:06:23 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [142:24957]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.86.66.167/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Oct 24 17:06:23 2013
and iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- 10.86.66.167 anywhere state NEW tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
==========================
The machine I am setting up should have more recent versions of software on it -- I do a yum update when I install the OS.
Is it possible there is a 'bug' in the previous installation (for the live machine)?
In any case, I can't see what is causing the problem at this point.
As an aside, could you please use this command for displaying your configuration in future
{ set -x;for i in filter nat mangle raw;do iptables -t $i -n -v --line-numbers -L;done;set +x; } 2>&1|tee report.txt
and post report.txt. That's the format I'm most used to looking at.
On your system that lets in unwanted connections, it has to be a rule that precedes the new DROP rule that's letting them in. You might well see which rule it is from the output of the suggested command, in the packet count. Otherwise, what is interface em1?
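The first-match behaviour duncan_roe points at above, as an added example that is not part of the thread: a small Python simulator of the INPUT chains the asker posted for the live machine and the freshly installed one (the FTP source-port rules, which only match ESTABLISHED traffic, are left out; the client address 198.51.100.7 is constructed). Fed a new SSH connection attempt, it reports the rule number and target that decide the packet on each machine, the same thing the packet counters in the suggested `iptables -n -v --line-numbers -L` output would reveal.

```python
import ipaddress
import shlex

# INPUT chains copied from the two /etc/sysconfig/iptables files posted in this thread:
# the live machine (which has an "-i em1" rule) and the new machine (which does not).
LIVE_INPUT = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -s 69.17.129.174/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
NEW_INPUT = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.86.66.167/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Turn one iptables-save rule line into its match criteria and target."""
    toks = shlex.split(line)
    rule = {"text": line}
    i = 0
    while i < len(toks):
        t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if t in ("-A", "-m"):            # chain name / match module: nothing to check
            i += 2
        elif t == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False); i += 2
        elif t in ("-p", "-i", "-j", "--dport"):
            rule[t] = arg; i += 2
        elif t == "--state":
            rule["state"] = set(arg.split(",")); i += 2
        else:
            i += 1                       # options not modelled here (e.g. --reject-with)
    return rule

def rule_matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet."""
    return (("src" not in rule or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and ("-p" not in rule or rule["-p"] == pkt["proto"])
            and ("-i" not in rule or rule["-i"] == pkt["iface"])
            and ("state" not in rule or pkt["state"] in rule["state"])
            and ("--dport" not in rule or int(rule["--dport"]) == pkt["dport"]))

def first_match(chain_text, pkt, policy="ACCEPT"):
    """iptables semantics: the first matching rule decides; otherwise the chain policy."""
    for n, line in enumerate(chain_text.strip().splitlines(), start=1):
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return n, rule["-j"], line
    return None, policy, "(chain policy)"

def ssh_syn(src, iface="em1"):
    """Constructed sample packet: a brand-new inbound SSH connection attempt."""
    return {"src": src, "iface": iface, "proto": "tcp", "dport": 22, "state": "NEW"}

if __name__ == "__main__":
    for name, chain in (("live", LIVE_INPUT), ("new", NEW_INPUT)):
        for src in ("69.17.129.174", "10.86.66.167", "198.51.100.7"):  # last one is constructed
            n, target, text = first_match(chain, ssh_syn(src))
            print(f"{name:4} {src:15} -> rule {n}: {target:6} {text}")
```

On the live chain the interface-wide `-A INPUT -i em1 -j ACCEPT` sits before both SSH rules, so any connection arriving on em1 is accepted there and never reaches the DROP; the new machine has no such rule, so the DROP takes effect.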
ASKER
@duncan_roe
See attached: report.txt
em1 is the Nic on the machine that connects it to the Internet.
Not sure the command is providing all the info, but please take a look.
Thanks!
ASKER CERTIFIED SOLUTION
ASKER
@duncan_roe
I've made adjustments per your reply and it looks to be working fine now.
If you have any recommendations on information resources for learning more, so that I will understand report.txt much better, I would appreciate it.
Thanks very much for your assistance with this.
All I can suggest is that you [re-]read the iptables man page. That will tell you what output to expect, given the options passed to the iptables command
Not true. In the absence of a specific rule, the policy for the chain applies. This is ACCEPT, according to your posted output. You can change the chain policy to DROP - see (the output from entering in a command window) man iptables. In particular