Iptables trouble
- Posts: 171
- Joined: 2017/02/07 21:47:51
Iptables trouble
I need some clarification.
I set a table rule for the IP/MAC of my main work station. Once I set the rule, the server should accept EVERYTHING from that MAC/IP combo, correct?
Because It keeps locking me out of ssh regardless. Do I need to set a table rule that allows each individual service to that mac/ip combo?
I'm confused. But, hey. What's new. lol
Thanks for reading.
Re: Iptables trouble
Is the system from which you are trying to connect via SSH in the same LAN?
If you are concerned about security for ssh, you should probably disable password authentication in /etc/ssh/sshd_config. Use ssh public/private key pairs instead.
Re: Iptables trouble
supertight wrote:
I need some clarification.
I set a table rule for the IP/MAC of my main work station. Once I set the rule, the server should accept EVERYTHING from that MAC/IP combo, correct?
Because it keeps locking me out of ssh regardless. Do I need to set a table rule that allows each individual service to that MAC/IP combo?
I'm confused. But, hey. What's new. lol
Thanks for reading.

My iptables looks like this:
# Flush all current rules from iptables (chain policies are left as they are)
iptables -F
# Always allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Trusted workstation (http/https/ssh/svr5): accept everything from this MAC,
# provided the packet also comes from 192.168.1.0/24.
# Note: --mac-source matches the Ethernet source address of the frame as it
# arrives on this host, so it can only match a machine on the same L2 segment;
# traffic that has crossed a router carries the router's MAC, not the client's.
iptables -A INPUT -s 192.168.1.0/24 -m mac --mac-source 70:88:6b:81:63:2d -j ACCEPT
# ssh from anywhere on the local subnet
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP echo-request (ping)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Default policies: drop anything not accepted above
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Save settings to /etc/sysconfig/iptables (CentOS 6 iptables service)
/sbin/service iptables save
# List rules with counters
iptables -L -v
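The same policy, written as an added example rather than the poster's script: it builds the ruleset as one iptables-restore file instead of appending rules one at a time, puts the ESTABLISHED,RELATED rule before the per-host rules so an open ssh session survives a reload, restricts ssh to NEW connections from one host and 80/443 to the reverse proxy, and loads it with a timed rollback so a bad rule cannot lock you out. The addresses are assumptions, not from the thread: 192.168.10.3 stands for the source address as it actually arrives at the server (after any router or NAT in the path), and 192.168.10.2 for the NGINX proxy. No --mac-source rule is used, because a MAC match only works for hosts on the same Ethernet segment.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed values (not from the thread):
# trusted host 192.168.10.3 (address as seen in the packet at the server),
# reverse proxy 192.168.10.2.

build_rules() {
    trusted_ip="$1"   # source address as it arrives at the server, not the client's NIC address
    proxy_ip="$2"     # NGINX reverse proxy, the only host allowed to reach 80/443
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# replies to connections this host already accepted or opened; placed first so
# an existing ssh session survives a reload even if the rules below are wrong
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new ssh connections only from the trusted host
-A INPUT -p tcp -s ${trusted_ip} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# http/https only from the reverse proxy
-A INPUT -p tcp -s ${proxy_ip} -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# see what the DROP policy is eating, without flooding the log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
COMMIT
EOF
}

# Load the ruleset with a timed rollback so a mistake cannot lock you out of ssh.
# Only runs as root with iptables-restore on the PATH; it is not called below.
apply_with_rollback() {
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; return 1; }
    backup=$(mktemp) && new=$(mktemp) || return 1
    iptables-save > "$backup"
    build_rules "$1" "$2" > "$new"
    # --test parses and builds the ruleset without committing it
    iptables-restore --test < "$new" || { echo "ruleset does not parse" >&2; return 1; }
    ( sleep 60; iptables-restore < "$backup" ) &    # rollback unless cancelled
    timer=$!
    iptables-restore < "$new"
    echo "new rules live; run 'kill $timer' within 60 seconds to keep them"
}

build_rules 192.168.10.3 192.168.10.2
```

`-m conntrack --ctstate` is the current form of the older `-m state --state` used in the thread; both exist on CentOS 6 and 7. If you keep the `service iptables save` workflow, redirect `build_rules` into /etc/sysconfig/iptables instead of calling `apply_with_rollback`, after checking it with `iptables-restore --test`.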
Re: Iptables trouble
Whoever wrote:
Is the system from which you are trying to connect via SSH in the same LAN?
If you are concerned about security for ssh, you should probably disable password authentication in /etc/ssh/sshd_config. Use ssh public/private key pairs instead.

I have the key pairs set up. As soon as I get this firewall thing figured out, I can put those into play.
I'm hosting a few different domains. I have a server set up as a reverse proxy running NGINX.
I want the hosting servers to accept requests from my proxy server only.
Edit: Yes, they are on the same LAN.
Re: Iptables trouble
I just don't get it.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Works. Works fiiiiine.
Trying to tighten the rule? NO LUCK!! lol
Add the IP:

iptables -A INPUT -p tcp -s ###.###.###.15 --dport 22 -j ACCEPT

Add the IP and MAC:

# the match module is "mac" and its option is --mac-source
iptables -A INPUT -p tcp -s ###.###.###.15 -m mac --mac-source ##:##:##:##:##:## --dport 22 -j ACCEPT

S'not working.
Re: Iptables trouble
Post the output from iptables-save with one of the non-working rules in place. Also, what are the IP addresses of both server and client?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Iptables trouble
TrevorH wrote:
Post the output from iptables-save with one of the non-working rules in place. Also what are the ip addresses of both server and client.

Oi, Mate.

iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source        destination
    0     0 ACCEPT  all  --  lo  any  anywhere      anywhere
    0     0 ACCEPT  tcp  --  any any  192.168.1.15  anywhere      tcp dpt:ssh
    2   104 ACCEPT  all  --  any any  anywhere      anywhere      state RELATED,ESTABLISHED
    0     0 ACCEPT  icmp --  any any  anywhere      anywhere      icmp echo-request
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source        destination
Chain OUTPUT (policy ACCEPT 2 packets, 264 bytes)
 pkts bytes target  prot opt in  out  source        destination

The server is 192.168.1.12
The client is 192.168.1.15
Cheers -
Re: Iptables trouble
- Turned the tables off from the console.
- SSH into the system from .15
- Ran firewall script, with rule:

iptables -A INPUT -p tcp -s 192.168.1.15 --dport 22 -j ACCEPT

I'm going to try and add

-m state --state NEW
Re: Iptables trouble
That's not what I asked for. Run iptables-save and post the output.
Re: Iptables trouble
I figured out what was going on....
- The server was 192.168.10.5 (the earlier number was false).
- The client has two (2) interfaces; that was the beginning of my headache. (eth0=192.168.1.15 & eth1=192.168.10.3)
- I can write the rule for 192.168.10.3 and I get access.
  If I try to set the rule to 192.168.1.15 and -b to eth1, the rule doesn't work.
- Then it dawned on me. The router between the subnets changes the IP on the packet.
- eth1 comes into the router @ "192.168.1.15" but leaves the router as "192.168.10.2".
Thanks for helping work it out guys. I can carry on with my configurations now.
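The lesson of the thread is that a -s or --mac-source rule has to be written against what the server receives, not against what the client thinks it is sending; a router in the path replaces the source MAC with its own, and NAT replaces the source IP as well. The added example below (not from the thread) shows how to find out before writing the rule: run tcpdump with -e on the server so the Ethernet header is printed, keep only inbound SYNs to port 22, and print the source MAC and IP pairs that actually arrived. The capture lines are constructed stand-ins for tcpdump -nn -e output, and the addresses and MACs are made up: 02:00:00:00:00:aa plays the router's inside interface (what a client on the 192.168.1.0/24 side appears as after NAT), 02:00:00:00:00:bb a client directly on the server's segment, and 02:00:00:00:00:05 the server itself.

```shell
#!/bin/sh
# Added example, not from the thread. On the real server you would run:
#   tcpdump -nn -e -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and port 22'
# SAMPLE_CAPTURE is a constructed stand-in for that output; all addresses are made up.
SAMPLE_CAPTURE='12:00:01.000001 02:00:00:00:00:aa > 02:00:00:00:00:05, ethertype IPv4 (0x0800), length 74: 192.168.10.2.51234 > 192.168.10.5.22: Flags [S], seq 1000, win 29200, length 0
12:00:01.000200 02:00:00:00:00:05 > 02:00:00:00:00:aa, ethertype IPv4 (0x0800), length 74: 192.168.10.5.22 > 192.168.10.2.51234: Flags [S.], seq 2000, ack 1001, win 28960, length 0
12:00:01.000400 02:00:00:00:00:aa > 02:00:00:00:00:05, ethertype IPv4 (0x0800), length 66: 192.168.10.2.51234 > 192.168.10.5.22: Flags [.], ack 1, win 229, length 0
12:00:02.000001 02:00:00:00:00:aa > 02:00:00:00:00:05, ethertype IPv4 (0x0800), length 74: 192.168.10.2.40000 > 192.168.10.5.80: Flags [S], seq 3000, win 29200, length 0
12:00:03.000001 02:00:00:00:00:bb > 02:00:00:00:00:05, ethertype IPv4 (0x0800), length 74: 192.168.10.3.52000 > 192.168.10.5.22: Flags [S], seq 4000, win 29200, length 0'

# Print "source-MAC source-IP" for every inbound SYN (SYN without ACK) to port 22.
# With -e, tcpdump prints the Ethernet source as the second field.
ssh_syn_sources() {
    printf '%s\n' "$1" | awk '
        /Flags \[S\],/ {
            src = ""; dst = ""
            # the IP endpoints follow the "length N:" token of the frame header
            for (i = 1; i <= NF; i++)
                if ($i == "length") { src = $(i + 2); dst = $(i + 4); break }
            if (dst !~ /\.22:$/) next      # not ssh
            sub(/\.[0-9]+$/, "", src)      # strip the source port
            print $2, src
        }' | sort -u
}

# Turn each observed pair into the rule the server will actually match on.
# When the MAC turns out to be the router, a --mac-source match adds nothing
# over the -s match; drop it and keep just the post-NAT source address.
suggest_rules() {
    ssh_syn_sources "$1" | while read -r mac ip; do
        printf 'iptables -A INPUT -p tcp -s %s -m mac --mac-source %s --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' "$ip" "$mac"
    done
}

suggest_rules "$SAMPLE_CAPTURE"
```

Run against a real capture with `suggest_rules "$(tcpdump -nn -e -l -c 50 -i eth0 port 22)"`. If the MAC printed for your workstation is the router's, as in the first sample line, then the only thing the server can filter on is the translated source address (192.168.10.2 in the thread), and a rule for the workstation's own address or MAC will never match.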