[Cialug] IPTables Concept

Jeffrey C. Ollie jeff at ocjtech.us
Thu Oct 26 21:50:06 CDT 2006


On Thu, 2006-10-26 at 20:39 -0500, Chris K. wrote:
> Thanks for the response Josh.
> 
> I have made some progress but I am stumped on the ssh connection 
> currently, considering the super-restrictive outbound rules.
> 
> Here is what I currently have:
> 
> # Flush all chains
> /sbin/iptables --flush
> 
> # Allow unlimited traffic on the loopback interface
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Set default policies
> /sbin/iptables --policy INPUT DROP
> /sbin/iptables --policy OUTPUT DROP
> /sbin/iptables --policy FORWARD DROP
> 
> # Rules for services hosted on server
> /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
> /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> Now when I try to ssh to it, I get the following:
> workstation:~# ssh -vv user at silo.icbm.com
> OpenSSH_4.3p2 Debian-5, OpenSSL 0.9.8c 05 Sep 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to edge [192.168.1.1] port 22.
> 
> And there it just hangs.
> 
> Now, if I change
> /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> to
> /sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> I am able to login via ssh, but this rule violates the spirit of this 
> exercise by allowing any traffic out of the server.
> I think my shortcoming is understanding exactly how ssh establishes 
> connections.

The "-m state --state NEW" only allows the initial TCP ACK that starts
the SSH connection, so basically you are only allowing the 1st packet of
a TCP connection and dropping the rest.  What you need to do is add a
rule like this:

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

After the 1st packet of the TCP connection, all subsequent packets are
considered ESTABLISHED.

Jeff
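The packet-by-packet effect of those rules is easier to see with a small model than by reasoning about "-m state" in the abstract. The following is an added example, not code from the thread: a toy model of netfilter connection tracking with DROP policies on INPUT and OUTPUT, mirroring the ruleset Chris posted. The model assumes, as a simplification, that the first packet of a flow is NEW and that once any packet of a flow has been accepted, every later packet of that flow in either direction is ESTABLISHED; RELATED and interface matches are ignored, and all addresses and port numbers are constructed.

```python
# Added example (not from the thread): a toy model of iptables connection
# tracking and the server's INPUT/OUTPUT chains, used to trace the effect of
# the "-m state --state" rules discussed above packet by packet.
# Simplifications (assumptions of this model): the first packet of a flow is
# NEW; once any packet of a flow has been ACCEPTed, every later packet of that
# flow in either direction is ESTABLISHED. RELATED and interfaces are ignored.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arrives at the server, "out" = leaves the server
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    note: str = ""   # free-form label such as "SYN", only for readable traces


@dataclass(frozen=True)
class Rule:
    chain: str                          # "INPUT" or "OUTPUT"
    target: str                         # "ACCEPT" or "DROP"
    proto: Optional[str] = None         # like "-p tcp"
    dport: Optional[int] = None         # like "--dport 22"
    states: Optional[frozenset] = None  # like "-m state --state NEW,ESTABLISHED"


class Firewall:
    def __init__(self, policy: dict):
        self.policy = policy         # default verdict per chain ("--policy INPUT DROP")
        self.rules: list = []
        self.conntrack: set = set()  # flows that have had at least one packet accepted

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)      # "-A" appends, so order matters: first match wins

    @staticmethod
    def flow_key(pkt: Packet):
        # Direction-independent key: the SYN/ACK reply maps to the same flow as the SYN.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def process(self, pkt: Packet) -> str:
        chain = "INPUT" if pkt.direction == "in" else "OUTPUT"
        state = "ESTABLISHED" if self.flow_key(pkt) in self.conntrack else "NEW"
        verdict = self.policy[chain]
        for rule in self.rules:
            if rule.chain != chain:
                continue
            if rule.proto is not None and rule.proto != pkt.proto:
                continue
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if rule.states is not None and state not in rule.states:
                continue
            verdict = rule.target
            break
        if verdict == "ACCEPT":
            self.conntrack.add(self.flow_key(pkt))
        return verdict


def build_firewall(input_established: bool, output_new: bool) -> Firewall:
    """Mirror the posted ruleset, with the two variations the thread discusses."""
    fw = Firewall({"INPUT": "DROP", "OUTPUT": "DROP"})
    fw.append(Rule("INPUT", "ACCEPT", proto="tcp", dport=22, states=frozenset({"NEW"})))
    if input_established:  # the INPUT rule Jeff suggests adding
        fw.append(Rule("INPUT", "ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})))
    out_states = {"ESTABLISHED", "RELATED"} | ({"NEW"} if output_new else set())
    fw.append(Rule("OUTPUT", "ACCEPT", states=frozenset(out_states)))
    return fw


SERVER, CLIENT, WEB = "192.168.1.1", "192.168.1.50", "203.0.113.10"  # constructed addresses


def ssh_handshake() -> list:
    """Constructed packet sequence: a client opening SSH to the server."""
    return [
        Packet("in", "tcp", CLIENT, 50000, SERVER, 22, "SYN"),
        Packet("out", "tcp", SERVER, 22, CLIENT, 50000, "SYN/ACK"),
        Packet("in", "tcp", CLIENT, 50000, SERVER, 22, "ACK"),
        Packet("in", "tcp", CLIENT, 50000, SERVER, 22, "client banner"),
    ]


def server_initiated_http() -> list:
    """Constructed: the server itself opening a new connection outward."""
    return [Packet("out", "tcp", SERVER, 40000, WEB, 80, "SYN")]


def simulate(input_established: bool, output_new: bool, packets: list) -> list:
    """Return the verdict for each packet under the chosen ruleset variant."""
    fw = build_firewall(input_established, output_new)
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for label, cfg in [("original ruleset", (False, False)),
                       ("with INPUT ESTABLISHED,RELATED added", (True, False))]:
        print(label)
        for pkt, verdict in zip(ssh_handshake(), simulate(*cfg, ssh_handshake())):
            print(f"  {pkt.direction:3} {pkt.note:14} -> {verdict}")
    for label, cfg in [("OUTPUT ESTABLISHED,RELATED only", (True, False)),
                       ("OUTPUT NEW,ESTABLISHED,RELATED", (True, True))]:
        print(label, "-> server-initiated outbound SYN:",
              simulate(*cfg, server_initiated_http())[0])
```

With the posted ruleset the model accepts the inbound SYN and the outbound SYN/ACK, then drops the client's ACK and everything after it, because the only INPUT rule matches NEW and the INPUT policy is DROP. Adding the INPUT ESTABLISHED,RELATED rule lets the whole handshake through while the OUTPUT chain still drops a connection the server itself initiates; putting NEW into the OUTPUT rule instead is what opens that outbound path, which is the behaviour Chris wanted to avoid.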
