Setting up a local firewall
bjorn at ruberg.no
Mon Aug 1 14:49:53 CEST 2005
Bryan Christ <bryan.christ at filefront.com> writes:
> I locked myself out of my server until I rebooted it. My goal was to lock down everything and allow only SSH connectivity. Can anyone show me where my logic went wrong? Here was the fatal script which I wrote:
> /sbin/iptables -F INPUT
> /sbin/iptables -A INPUT -s 0/0 -j DROP
First, you drop EVERYTHING from EVERYWHERE.
> /sbin/iptables -A INPUT -s 0/0 -m state --state NEW,ESTABLISHED -p tcp --dport 22 -j ACCEPT
Then you allow SSH from everywhere else, which is... NOWHERE.
> My guess is that I missed accepting syn packets, but I'm not ready to "try" again.
Instead, get familiar with the principle that "order does matter".
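To make the "order does matter" point concrete, here is a small simulator of iptables' first-match chain evaluation. It is an added example, not code from the post or from the netfilter project, and the rule representation, the constructed sample packets and the corrected rule order are my own assumptions; the equivalent iptables commands are given in comments beside each rule.

```python
# Added example (not from the mailing-list post): simulate iptables'
# first-match semantics to show why the original script locked out SSH
# and how reordering the rules fixes it.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str   # "tcp", "udp", ...
    dport: int   # destination port
    state: str   # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass
class Rule:
    target: str                      # "ACCEPT" or "DROP"
    proto: Optional[str] = None      # -p <proto>
    dport: Optional[int] = None      # --dport <port>
    states: Optional[set] = None     # -m state --state A,B

    def matches(self, pkt: Packet) -> bool:
        # A rule with no match criteria (like "-s 0/0 -j DROP") matches everything.
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides.
    If no rule matches, the chain's policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The order from the original post: catch-all DROP first, SSH ACCEPT after it.
ORIGINAL_ORDER = [
    Rule("DROP"),                                  # iptables -A INPUT -s 0/0 -j DROP
    Rule("ACCEPT", proto="tcp", dport=22,          # iptables -A INPUT -s 0/0 -m state
         states={"NEW", "ESTABLISHED"}),           #   --state NEW,ESTABLISHED -p tcp --dport 22 -j ACCEPT
]

# Corrected order (assumed): specific ACCEPTs first, catch-all DROP last.
# Accepting ESTABLISHED,RELATED first keeps the admin's current SSH session
# and replies to the server's own outbound connections working.
CORRECTED_ORDER = [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),         # -m state --state ESTABLISHED,RELATED -j ACCEPT
    Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"}),     # -p tcp --dport 22 -m state --state NEW -j ACCEPT
    Rule("DROP"),                                              # -j DROP (or: iptables -P INPUT DROP)
]

# Constructed sample packets.
SSH_SYN = Packet("tcp", 22, "NEW")            # a fresh SSH connection attempt
SSH_EXISTING = Packet("tcp", 22, "ESTABLISHED")  # the admin's already-open session
HTTP_SYN = Packet("tcp", 80, "NEW")           # something that should stay blocked


def verdicts(chain: List[Rule]) -> dict:
    """Return the verdict each sample packet gets under the given chain."""
    samples = [("ssh_new", SSH_SYN), ("ssh_established", SSH_EXISTING), ("http_new", HTTP_SYN)]
    return {name: evaluate(chain, pkt) for name, pkt in samples}


if __name__ == "__main__":
    print("original :", verdicts(ORIGINAL_ORDER))   # everything DROP, the open session included
    print("corrected:", verdicts(CORRECTED_ORDER))  # SSH ACCEPT, port 80 DROP
```

Running it shows the original order dropping every packet, including the already-established session the script was typed into, while the corrected order accepts SSH and still drops the rest. In a real ruleset the trailing DROP is usually expressed as the chain policy (`iptables -P INPUT DROP`) set only after the ACCEPT rules are in place.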