SSH fails on 22 - Restrictive rules

Rob Sterenborg rob at sterenborg.info
Mon Nov 14 14:14:34 CET 2005


On Sun, November 13, 2005 23:44, P theodorou wrote:
> Hello
>
> I'm testing my SSH server from an external IP (my mate's PC)
> and I've noticed that whenever I allow connections on eth0 with dport
> 22 I can see the username login page BUT, if I apply the following
> rules, the usual user name cannot be displayed
>
> $IPTABLES -A TCPbad -p tcp --tcp-flags SYN,ACK SYN,ACK -m state \
>     --state NEW -j REJECT --reject-with tcp-reset
> $IPTABLES -A TCPbad -p tcp ! --syn -m state --state NEW -j DROP
> $IPTABLES -A TCPbad -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> $IPTABLES -A TCPbad -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> $IPTABLES -A TCPbad -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> $IPTABLES -A TCPbad -p tcp --tcp-flags ALL FIN -j DROP
> $IPTABLES -A TCPbad -p tcp --tcp-flags ALL NONE -j DROP
> $IPTABLES -A TCPbad -p tcp --tcp-flags ALL ALL -j DROP
>
> any help very appreciated

I don't know what rule would cause that, but you could of course add a
logging rule before each DROP so you know which rule is the problem.
Or, start without these rules, and add them one at a time so you can
test when ssh doesn't work anymore.


Gr,
Rob
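As an added example (not code from the thread), here is the poster's TCPbad chain rebuilt with Rob's suggestion applied: a LOG rule with a numbered prefix sits in front of every terminating rule, so the kernel log shows which rule matched the SSH packets. It assumes IPTABLES=echo for a dry run that only prints the commands; set IPTABLES=iptables and run as root to load the chain for real.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds the TCPbad chain from the
# original post with a LOG rule in front of each terminating rule. Logged
# packets appear in dmesg / the kernel log with the prefix "TCPbad rule N: ",
# which identifies the rule that is dropping or resetting the SSH traffic.
# IPTABLES defaults to "echo" (assumption for a dry run); set it to "iptables"
# and run as root to actually load the chain.
IPTABLES="${IPTABLES:-echo}"
rule_no=0

# log_then TARGET MATCH...: emit a LOG rule carrying the same match as the
# terminating rule, then the terminating rule itself. TARGET is expanded
# unquoted on purpose so it may carry options (REJECT --reject-with tcp-reset).
# --log-prefix is limited to 29 characters, which "TCPbad rule N: " stays under.
log_then() {
    target=$1; shift
    rule_no=$((rule_no + 1))
    $IPTABLES -A TCPbad -p tcp "$@" -j LOG --log-prefix "TCPbad rule $rule_no: "
    # shellcheck disable=SC2086
    $IPTABLES -A TCPbad -p tcp "$@" -j $target
}

# build_tcpbad: the eight rules from the post, in the same order, each
# preceded by its LOG rule (17 commands in total including the chain creation).
build_tcpbad() {
    rule_no=0
    $IPTABLES -N TCPbad
    log_then "REJECT --reject-with tcp-reset" --tcp-flags SYN,ACK SYN,ACK -m state --state NEW
    log_then DROP ! --syn -m state --state NEW
    log_then DROP --tcp-flags SYN,FIN SYN,FIN
    log_then DROP --tcp-flags SYN,RST SYN,RST
    log_then DROP --tcp-flags ALL FIN,URG,PSH
    log_then DROP --tcp-flags ALL FIN
    log_then DROP --tcp-flags ALL NONE
    log_then DROP --tcp-flags ALL ALL
}

build_tcpbad
```

After loading the chain, retry the SSH login from the outside host and check the log for a "TCPbad rule N:" line; the number tells you which rule to inspect.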





More information about the netfilter mailing list