
RE: iptables rule for sshd



Didar,

Well, I don't have any rule for the OUTPUT chain and its Policy is
ACCEPT by default. There is nothing in NAT as well. However, I am quite
sure that the problem is not with my firewall rules, as when I
completely turn it off (/etc/init.d/iptables stop), the ssh client
connecting from the internet still behaves the same. It appears that it
is able to establish the connection, but is then disconnected by the
server. Either it's the ssh security configuration, or some other Debian
configuration that does this. Please advise as I am stuck with this
issue for the last two days.

Regards,

Nabil.

-----Original Message-----
From: Didar Hussain [mailto:didar@uics-india.com] 
Sent: Monday, August 02, 2004 7:34 PM
To: debian-user@lists.debian.org
Subject: Re: iptables rule for sshd

On Mon, Aug 02, 2004 at 09:10:39AM +0300, NabilM@kuveytturk.com.tr
wrote:
> Dah.. :-) thanks for the help. You guys are life savers.
> 
> So now I am able to ssh from the local machine. Thanks to all you
> folks.

You are welcome :)


> However, when I try to connect from the Internet using ssh, it just
> disconnects me. Why is that? When I try to connect, I even see that
> the packet count for the ssh rule in the INPUT chain gets an increase
> of four packets. Are there other things I need to look into like
> hosts.allow and stuff? I can ping the machine from the internet because
> I have a firewall rule for icmp-type echo-reply. Any ideas why it
> doesn't like ssh connections, even after having the ssh ACCEPT rule.

I hope you have a corresponding entry for "ssh" in your OUTPUT
chain as well. You could send your configuration by doing:

iptables -L -nv > Filter.txt
iptables -L -nv -t nat > Nat.txt

And then just attach the Filter.txt and Nat.txt files.

> Also, since I am new, I am having lots of problems in guessing what
> packets are coming in and what rules need to be added. Is there a GOOD
> way to analyze the packets traversing through my interfaces? I know
> that
> I can add the -j LOG rule, but that is too hard to read, or perhaps is
> there a better way to analyze these logs?

Well, I use tethereal or tcpdump. Also you might try the "evil" ettercap.

Take care,

Didar
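The question about "-j LOG" output being too hard to read is one a small parser solves. The script below is an added example, not code from this thread or from the netfilter/Debian projects: it reads the kernel lines that an iptables LOG rule writes to syslog (assumed here to have been given `--log-prefix "SSH-IN: "` so they can be told apart from other rules), keeps only the TCP packets to port 22, and summarises them per source address: packet count, bare SYNs (new connection attempts), and whether a FIN or RST was logged. The six log lines are constructed for the example and use documentation address ranges; the `IN= OUT= SRC= DST= ... PROTO= SPT= DPT=` key/value layout is the LOG target's own format.

```python
import re

# Constructed sample of syslog lines written by an iptables "-j LOG" rule.
# Four packets from 203.0.113.5 (SYN, ACK, PSH/ACK, FIN/ACK), one SYN from
# 198.51.100.7, and one UDP packet that the summary should ignore.
SAMPLE_LOG = """\
Aug  2 19:34:01 gw kernel: SSH-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  2 19:34:01 gw kernel: SSH-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Aug  2 19:34:01 gw kernel: SSH-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=12347 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Aug  2 19:34:02 gw kernel: SSH-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=12348 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Aug  2 19:35:10 gw kernel: SSH-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  2 19:35:11 gw kernel: SSH-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=70 TOS=0x00 PREC=0x00 TTL=48 ID=778 PROTO=UDP SPT=40001 DPT=53 LEN=50
"""

# KEY=value tokens as the LOG target prints them (OUT= may legitimately be empty).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# TCP flag names appear as bare tokens between RES= and URGP=.
TCP_FLAGS = ("SYN", "ACK", "PSH", "FIN", "RST", "URG")


def parse_log_line(line):
    """Turn one netfilter LOG line into a dict of its fields.

    Returns None for syslog lines that are not LOG output, so a whole
    /var/log/kern.log can be piped through without pre-filtering.
    """
    if "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = [tok for tok in line.split() if tok in TCP_FLAGS]
    # Whatever --log-prefix the rule was given sits between "kernel: " and "IN=".
    m = re.search(r"kernel: (.*?)IN=", line)
    fields["PREFIX"] = m.group(1).strip() if m else ""
    return fields


def summarize(lines, dport=22):
    """Per-source summary of logged TCP packets to dport."""
    summary = {}
    for line in lines:
        f = parse_log_line(line)
        if not f or f.get("PROTO") != "TCP" or f.get("DPT") != str(dport):
            continue
        entry = summary.setdefault(
            f["SRC"], {"packets": 0, "syn": 0, "closed": False, "iface": f.get("IN", "")}
        )
        entry["packets"] += 1
        # A SYN without ACK is a new connection attempt, not the server's SYN/ACK.
        if "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]:
            entry["syn"] += 1
        if "FIN" in f["FLAGS"] or "RST" in f["FLAGS"]:
            entry["closed"] = True
    return summary


def render(summary):
    """One readable row per source address."""
    rows = []
    for src, e in sorted(summary.items()):
        closed = "yes" if e["closed"] else "no"
        rows.append(f"{src:16} pkts={e['packets']:3} syn={e['syn']} closed={closed} via {e['iface']}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG.splitlines())))
```

Run it against the real log with something like `grep 'SSH-IN:' /var/log/kern.log | python3 thisscript.py` once the `__main__` block is changed to read `sys.stdin`. A source whose row shows the SYN arriving and the session closing a second later confirms the packets are reaching the host, which matches what the INPUT counters in the thread already showed; when the same thing happens with iptables stopped, the disconnect is being decided above the packet filter, so sshd's own log entries and the hosts.allow/hosts.deny files mentioned earlier are the next things to read.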


DISCLAIMER:
This e-mail & its content have been sent to the attention of the receiver named above. If you are not the intended recipient (or have received this e-mail in error), Please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Kuwait Turkish Evkaf Finance House shall not be held liable for the arrival of this e-mail & its content as modified or late, the protection of integrity and secrecy and shall not be liable to any person who acts or omits to do anything in reliance upon it.


