On Wednesday, 09.02.2005 at 16:45 +0100, Manfred Sampl wrote:

> > [...]
> >
> > For every INPUT you need an appropriate OUTPUT rule :)
> > I don't know your configuration or how exactly you are connected to the
> > network but for ssh you should probably have to add:
> >
> > $IPTABLES -A OUTPUT -o $EXTINT -d $EXTIP -p tcp --sport 22 -j ACCEPT
> > $IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT
>
> I didn't include the OUTPUT rules, because I thought the wrong rule was
> in the INPUT chain, but I was wrong.

For iptables, it always helps to see all chains since they can affect each
other in unusual ways :-)

> Logging and trial and error helped
> me find a wrong output rule:
>
> $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT

When I have INPUT rules to allow special types of traffic in, such as SSH, I
usually find that the best corresponding OUTPUT rules are to allow ESTABLISHED
and RELATED, rather than matching on the source ports of the services one is
allowing: which means that you won't need to add additional OUTPUT rules if
you later allow a different special service in.

This is probably just a matter of taste, though.

Dave.

-- 
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
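The two styles discussed in the thread side by side, as an added example that is not from either poster's configuration: one function builds the per-service `--sport` OUTPUT rules, the other the stateful ESTABLISHED,RELATED form Dave suggests. Interface names, the EXTIP address and the default policies are assumed; setting IPTABLES=echo gives a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not the thread's own ruleset. IPTABLES=echo prints the rules
# instead of loading them, so the script can be reviewed without root.
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"            # assumed external interface
INTIF="${INTIF:-eth1}"            # assumed internal interface
EXTIP="${EXTIP:-203.0.113.10}"    # assumed external address (documentation range)

# Common prologue: flush, default-deny both directions, allow loopback.
base_policy() {
    $IPTABLES -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
}

# Style 1 (as in the quoted mail): every service let in needs its own
# OUTPUT rule keyed on the service's source port. Note that such a rule
# accepts any locally originated packet with --sport 22, whether or not it
# belongs to a connection the INPUT chain accepted.
per_service_rules() {
    $IPTABLES -A INPUT  -i "$EXTIF" -d "$EXTIP" -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTIF" -s "$EXTIP" -p tcp --sport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INTIF" -p tcp --sport 22 -j ACCEPT
}

# Style 2 (Dave's suggestion): replies are allowed by connection state, so
# adding another service later only needs one more INPUT rule. The state
# match ties outbound packets to connections conntrack has already seen,
# so no source-port-based hole is opened.
stateful_rules() {
    $IPTABLES -A INPUT  -i "$EXTIF" -d "$EXTIP" -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: ./fw.sh apply      (loads the stateful ruleset)
#        ./fw.sh dry-run    (prints the stateful ruleset)
case "${1:-}" in
    apply)   base_policy; stateful_rules ;;
    dry-run) IPTABLES=echo; base_policy; stateful_rules ;;
esac
```

On current kernels `-m conntrack --ctstate ESTABLISHED,RELATED` is the preferred spelling of the same match; `-m state` still works and is what the thread's era used.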