Iptables trouble
Posted: 2017/06/02 22:15:55
by supertight
I need some clarification.
I set a table rule for the IP/MAC of my main work station. Once I set the rule, the server should accept EVERYTHING from that MAC/IP combo, correct?
Because it keeps locking me out of ssh regardless. Do I need to set a table rule that allows each individual service to that mac/ip combo?
I'm confused. But, hey. What's new. lol
Thanks for reading.
Re: Iptables trouble
Posted: 2017/06/03 01:59:30
by Whoever
Is the system from which you are trying to connect via SSH in the same LAN?
If you are concerned about security for ssh, you should probably disable password authentication in /etc/ssh/sshd_config. Use ssh public/private key pairs instead.
Re: Iptables trouble
Posted: 2017/06/03 02:31:16
by supertight
supertight wrote: I need some clarification.
I set a table rule for the IP/MAC of my main work station. Once I set the rule, the server should accept EVERYTHING from that MAC/IP combo, correct?
Because it keeps locking me out of ssh regardless. Do I need to set a table rule that allows each individual service to that mac/ip combo?
I'm confused. But, hey. What's new. lol
Thanks for reading.
My Iptable be lookin like
Code:
# Flush all current rules from iptables
iptables -F
# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT
# Http/ Https/ ssh/ svr5/
iptables -A INPUT -s 192.168.1.0/24 -m mac --mac-source 70:88:6b:81:63:2d -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP ECHO (ping)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Save settings
/sbin/service iptables save
# List rules
iptables -L -v
Re: Iptables trouble
Posted: 2017/06/03 02:47:57
by supertight
Whoever wrote: Is the system from which you are trying to connect via SSH in the same LAN?
If you are concerned about security for ssh, you should probably disable password authentication in /etc/ssh/sshd_config. Use ssh public/private key pairs instead.
I have the key pairs set up. As soon as I get this firewall thing figured out, I can put those into play.
I'm hosting a few different domains. I have a server set up as a reverse proxy running NGINX.
I want the hosting servers to accept requests from my proxy server only.
Edit: Yes, they are on the same LAN.
Re: Iptables trouble
Posted: 2017/06/03 03:50:46
by supertight
I just don't get it.
Code:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Works. Works fiiiiine.
Trying to tighten the rule? NO LUCK!! lol
Add the IP:
Code:
iptables -A INPUT -p tcp -s ###.###.###.15 --dport 22 -j ACCEPT
Add the IP and MAC:
Code:
iptables -A INPUT -p tcp -s ###.###.###.15 -m mac --mac-source ##:##:##:##:##:## --dport 22 -j ACCEPT
S'not working.
Re: Iptables trouble
Posted: 2017/06/03 12:20:28
by TrevorH
Post the output from iptables-save with one of the non-working rules in place. Also what are the ip addresses of both server and client.
Re: Iptables trouble
Posted: 2017/06/03 15:35:19
by supertight
TrevorH wrote: Post the output from iptables-save with one of the non-working rules in place. Also what are the ip addresses of both server and client.
Oi, Mate.
Code:
cd iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT tcp -- any any 192.168.1.15 anywhere tcp dpt:ssh
2 104 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 264 bytes)
pkts bytes target prot opt in out source destination
The server is 192.168.1.12
The client is 192.168.1.15
Cheers -
Re: Iptables trouble
Posted: 2017/06/03 16:19:43
by supertight
supertight wrote: TrevorH wrote: Post the output from iptables-save with one of the non-working rules in place. Also what are the ip addresses of both server and client.
Oi, Mate.
Code:
cd iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT tcp -- any any 192.168.1.15 anywhere tcp dpt:ssh
2 104 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 264 bytes)
pkts bytes target prot opt in out source destination
The server is 192.168.1.12
The client is 192.168.1.15
Cheers -
- Turned the tables off from the console.
- SSH into the system from .15
- Ran firewall script, with rule:
Code:
iptables -A INPUT -p tcp -s 192.168.1.15 --dport 22 -j ACCEPT
- Existing SSH connection remains stable.
I'm going to try and add
Re: Iptables trouble
Posted: 2017/06/03 16:35:06
by TrevorH
That's not what I asked for. Run iptables-save and post the output.
Re: Iptables trouble
Posted: 2017/06/03 19:17:22
by supertight
I figured out what was going on....
- The server was 192.168.10.5 (the earlier number was false)
- The client has two (2) interfaces, that was the beginning of my headache. (eth0=192.168.1.15 & eth1=192.168.10.3)
- I can write the rule for 192.168.10.3 and I get access.
If I try to set the rule to 192.168.1.15 and -b to eth1, the rule doesn't work.
- Then it dawned on me. The router between the subnets changes the ip on the packet.
- eth1 comes into the router @ "192.168.1.15" but leaves the router as "192.168.10.2"
Thanks for helping work it out guys. I can carry on with my configurations now.
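The two things this thread turned on are worth seeing in working form: the firewall script posted on 2017/06/03 02:31 (and the later `-m --mac-address` attempt, which is not valid iptables syntax; the module is `mac` and its option is `--mac-source`), and the resolution in the last post, where the client sits behind a router on another subnet. The `mac` match only ever sees the Ethernet frame that arrives on the server's own link, so when the client is routed rather than on-link the frame carries the router's MAC and, with NAT, the router's source address; a per-host `-s CLIENT -m mac --mac-source CLIENT_MAC` rule can then never match. The script below is an added example, not code posted by anyone in the thread. It assumes a CentOS-style host with `iptables-save`/`iptables-restore` on the PATH and reuses the addresses and MAC given in the thread (server 192.168.10.5, client eth0 192.168.1.15 / eth1 192.168.10.3, MAC 70:88:6b:81:63:2d). `same_subnet` is the on-link check to run before writing such a rule; `build_rules` emits the posted ruleset in `iptables-restore` format with the MAC syntax corrected; `apply_with_rollback` loads rules with a timed revert so a mistake cannot lock you out of SSH.

```sh
#!/bin/sh
# Added example for this thread, not code posted by any participant. Assumes a
# CentOS-style host with iptables-save/iptables-restore available; the
# addresses and the MAC below are the ones given in the thread.

# ip2int DOTTED_QUAD: print the IPv4 address as an unsigned 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A B PREFIXLEN: print "yes" if A and B share the /PREFIXLEN network,
# else "no". Only when the answer is "yes" does the server receive the client's
# own Ethernet frame; across a router the frame carries the router's MAC (and,
# with NAT as in the thread, the router's address), so a rule matching the
# client's IP and MAC cannot match.
same_subnet() {
    _a=$(ip2int "$1")
    _b=$(ip2int "$2")
    _mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    if [ $(( _a & _mask )) -eq $(( _b & _mask )) ]; then echo yes; else echo no; fi
}

# build_rules CLIENT_IP CLIENT_MAC: print the thread's ruleset in iptables-restore
# format. Differences from the posted script: the MAC match uses the real module
# syntax (-m mac --mac-source), the ESTABLISHED,RELATED rule comes first so
# existing sessions are accepted without walking the rest of the chain, and the
# SSH rule is restricted to the one client IP/MAC pair.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s $1 -m mac --mac-source $2 -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# apply_with_rollback SECONDS: read a ruleset from stdin and load it atomically
# with iptables-restore, after arming a timer that restores the previous ruleset.
# If the new rules lock you out, the timer undoes them; if you can still log in,
# kill the timer to keep them. Requires root and the iptables tools.
apply_with_rollback() {
    _backup=$(mktemp) || return 1
    iptables-save > "$_backup" || return 1
    ( sleep "$1"; iptables-restore < "$_backup"; rm -f "$_backup" ) &
    _revert_pid=$!
    # iptables-restore is all-or-nothing: on failure nothing changed, so just
    # disarm the timer and report.
    if ! iptables-restore; then
        kill "$_revert_pid"
        rm -f "$_backup"
        return 1
    fi
    echo "New rules loaded; they revert in $1 s unless you run: kill $_revert_pid"
}

# Sanity check before writing a per-host IP/MAC rule: is the client on-link?
echo "client eth0 vs server: $(same_subnet 192.168.1.15 192.168.10.5 24)"   # no
echo "client eth1 vs server: $(same_subnet 192.168.10.3 192.168.10.5 24)"   # yes

# On the server, as root:
#   build_rules 192.168.10.3 70:88:6b:81:63:2d | apply_with_rollback 60
```

The on-link check is the part that would have shortened this thread: eth0's address fails it against the server, so neither `-s 192.168.1.15` nor a MAC match on that interface could ever have worked, while eth1's address passes. The rollback wrapper is the habit worth keeping for any remote rule change; `iptables-restore` replaces the whole table in one step, which is also why loading a saved file is preferable to a script of individual `-A` commands.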