IPTables block SSH users

Support for security such as Firewalls and securing linux
rutekp
Posts: 15
Joined: 2007/10/07 07:42:34

IPTables block SSH users

Post by rutekp » 2007/10/07 07:50:04

Hello,

I have users in sshd_config: AllowUsers first_user second_user root.
OS version: CentOS release 4.5 (Final) with all updates.

If I apply the firewall rules below, I can't log in as a normal user over SSH: wrong password. As root I can log in. Even more, if after those rules I use 'iptables -F; iptables -X' I can't log in either. I must restart the server, then everything works well until the next time the firewall rules are applied. Why could this happen?

#!/bin/sh
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 6000:6030 -j ACCEPT
iptables -A INPUT -p tcp --dport 27 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
iptables -A INPUT -p tcp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p tcp -j ACCEPT -m state --state RELATED
iptables -A INPUT -p udp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p udp -j ACCEPT -m state --state RELATED
iptables -A INPUT -p icmp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p icmp -j ACCEPT -m state --state RELATED
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

yyagol
Posts: 1015
Joined: 2006/06/10 18:27:44
Location: 32 4′N 34 47′E

IPTables block SSH users

Post by yyagol » 2007/10/12 07:24:34

After you do iptables -F, make sure the policy is also ACCEPT.

P.S.
You can use one line for ESTABLISHED,RELATED that will include all your 6 lines in 1.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
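The two points in this reply (reset the built-in chain policies to ACCEPT before flushing, and collapse the six per-protocol state rules into one) are easy to get wrong when editing a script by hand, so here is an added example that is not the poster's script and not from CentOS: a rebuild of the same rule set as a generator function. It emits the iptables commands as text so they can be reviewed before being piped to sh as root, and it puts a rate-limited LOG rule in front of the final DROP so /var/log/messages shows exactly which packets the firewall refuses. The function names gen_rules and count_rules, the "apply" argument and the IPT-DROP log prefix are this example's own choices; the port list is the one from the first post.

```shell
#!/bin/sh
# Added example (not the original poster's script): regenerate the
# rule set from this thread with a safe reset and one stateful rule.
#
# Usage:  sh firewall.sh          # dry run: print the iptables commands
#         sh firewall.sh apply    # run them (needs root)

# Ports taken from the poster's script; 6000:6030 is the X11 range.
TCP_PORTS="22 110 25 53 80 21 20 6000:6030 27 143 3000"
UDP_PORTS="53"

# gen_rules prints the complete command sequence, one command per line.
gen_rules() {
    # Reset: set every built-in chain to ACCEPT *before* flushing, so a
    # flush can never leave the box with a DROP policy and no rules.
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -P FORWARD ACCEPT"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F"     # flush all rules in the built-in chains
    echo "iptables -X"     # delete user-defined chains
    echo "iptables -Z"     # zero the packet counters

    echo "iptables -A INPUT -i lo -j ACCEPT"

    # One stateful rule replaces the six per-protocol
    # ESTABLISHED / RELATED rules from the original script.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Only brand-new connections need a per-port rule now; replies are
    # already matched above.
    for p in $TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -p icmp -j ACCEPT"

    # Diagnostic: log (at most 5 lines a minute) whatever is about to be
    # dropped. Each entry carries SRC, DST, PROTO and DPT, so a refused
    # login shows up as an IPT-DROP line for the client's address.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'IPT-DROP: '"
    echo "iptables -A INPUT -j DROP"
    echo "iptables -A FORWARD -j DROP"
}

# count_rules returns how many commands the generator emits (sanity check).
count_rules() {
    gen_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) gen_rules | sh ;;   # apply for real; must run as root
    *)     gen_rules ;;        # default: dry run, print only
esac
```

Review the dry-run output first, then apply it from a console or a second SSH session so a mistake cannot lock you out. The LOG rule is the check to run against the symptom in this thread: if a user login still fails while nothing tagged IPT-DROP appears for that client's address, the firewall is not what is rejecting the login and the cause lies elsewhere. Remove the LOG rule once you are done, or keep the limit match so a flood cannot fill the log.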

rutekp
Posts: 15
Joined: 2007/10/07 07:42:34

Re: IPTables block SSH users

Post by rutekp » 2007/10/22 17:05:14

Nothing helps :-(

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:x11:6030
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:27
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:3000
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
