Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am trying to come to grips with iptables.
Each time I change my default policy from ACCEPT to DROP, I am then unable to ssh back into my server, even though I have tried a number of different commands.
The server I am using is a virtual one, on VMware Server. I am using PuTTY from a Windows machine to ssh in.
I am running Debian and have only the one network card.
The server IP is 192.168.39.201, my IP is 192.168.1.101.
This is the kind of script I am running. I have also left in some of the commented-out sections I have tried.
#! /bin/bash
# Clean old firewall
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ssh from 192.168.1.101
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp -s 192.168.1.101 -d 192.168.39.201 --sport 22 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -s 192.168.39.201 -d 192.168.1.101 -p tcp --sport 22 --dport 22 -m state --state ESTABLISHED -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
# NOTE: this OUTPUT rule can never match. Packets the server sends carry its
# own address (192.168.39.201) as source, not 192.168.1.0/24, so with the
# OUTPUT policy at DROP the SSH replies to 192.168.1.101 are discarded.
# OUTPUT rules must name the peer with -d, or accept ESTABLISHED traffic.
iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT
I think your troubles must have to do with the fact your server is virtual. W/o virtualization, the last two commands would allow unlimited access to everything on the subnet. I can't help you with virtualization, but I believe there are some articles on the Internet about how to use iptables with a virtual server.
If it is something to do with the actual virtualization, I had a look for anything that could help, but what I found I think is a bit beyond the scope of what I can do at the moment.
Any help to point me in the right direction would be greatly appreciated.
A while back I was trying to help somebody else out with iptables on a virtual server and quickly got in over my head. I have almost no experience with virtualization, and certainly nothing like this. Maybe somebody else can point you in the right direction.
After trying it on the same subnet, and then playing around with it, I found (short version):
#! /bin/bash
# Clean old firewall
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# unlimited access to LAN
# NOTE: the OUTPUT rule for 192.168.39.0/24 is what makes this work: the
# server's own address 192.168.39.201 lies inside that subnet, so every
# outgoing packet matches "-s 192.168.39.0/24". The OUTPUT rule with
# "-s 192.168.1.10" never matches; it would need -d to name the peer.
iptables -A INPUT -s 192.168.39.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.39.0/24 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.10 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.10 -m state --state ESTABLISHED -j ACCEPT
The (virtual) host computer's subnet (not IP) has to be given access, then the remote computer.
I think I have it working, but I had to make the virtual computer host's network have unlimited access. Not sure why, but at least it works for now, and I'll see what happens next.
# Allow ssh from 192.168.1.10
iptables -A INPUT -s 192.168.1.10 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# NOTE: as above, this OUTPUT rule never matches (the server never sends with
# source 192.168.1.10); the subnet rule below is what lets the replies out.
iptables -A OUTPUT -s 192.168.1.10 -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -s 192.168.39.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.39.0/24 -m state --state ESTABLISHED -j ACCEPT
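The scripts in this thread (the first one that locks the poster out, and the later ones that only work because the server's own address sits inside 192.168.39.0/24) all share one mistake: OUTPUT rules that name the remote peer with -s. The server's outgoing packets always carry the server's own address as source, so "-s <peer>" on OUTPUT matches nothing, and with the OUTPUT policy at DROP the SSH replies are dropped. The script below is an added example, not the poster's code: it builds a stateful ruleset in iptables-restore format that names the peer with -d on OUTPUT and uses conntrack for replies, includes a small lint that flags the "-s on OUTPUT" pattern, and applies the rules with an automatic rollback so a mistake cannot lock out the admin session. The addresses come from the thread and eth0 is the interface the poster's first script used; the pid file path, the 60-second window, and the use of -m conntrack --ctstate (the current form of -m state --state) are choices made for this example.

```shell
#!/bin/bash
# Added example for this thread (not the original poster's script).
# Assumptions: addresses from the thread, eth0 as the only NIC, and the
# pid file path and rollback window chosen for this example.
SERVER_IP="192.168.39.201"   # the Debian guest, from the thread
ADMIN_IP="192.168.1.101"     # the PuTTY/Windows machine, from the thread
LAN="192.168.39.0/24"        # the guest's own subnet, from the thread
ROLLBACK_PID="/run/fw-rollback.pid"   # assumed path
ROLLBACK_SECS=60                      # assumed window

# Print the ruleset in iptables-restore format. OUTPUT rules name the
# peer with -d (destination): the server's own packets always carry
# SERVER_IP as source, so "-s <peer>" on OUTPUT could never match.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -s $ADMIN_IP --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -d $LAN -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Read rules on stdin (restore format or "iptables -A ..." commands) and
# flag OUTPUT rules that match on -s with anything other than the server's
# own address. Prints the offending lines to stderr; returns 1 if any.
lint_rules() {
    local bad
    bad=$(grep -E '^(iptables )?-A OUTPUT.* -s ' | grep -v -- "-s $SERVER_IP ") || true
    if [ -n "$bad" ]; then
        printf 'suspect OUTPUT rule (name the peer with -d): %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Save the live ruleset, load the new one and schedule an automatic
# restore of the old one. Run "confirm" from a fresh SSH session to keep
# the new rules; if the session cannot be opened, the rollback fires.
apply_with_rollback() {
    local backup
    build_rules | lint_rules || return 1
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    if ! build_rules | iptables-restore; then
        echo "iptables-restore failed; live rules unchanged" >&2
        return 1
    fi
    ( sleep "$ROLLBACK_SECS"; iptables-restore < "$backup"; rm -f "$ROLLBACK_PID" ) &
    echo $! > "$ROLLBACK_PID"
    echo "rules loaded; run '$0 confirm' within ${ROLLBACK_SECS}s or they roll back"
}

confirm_rules() {
    [ -f "$ROLLBACK_PID" ] || { echo "no pending rollback" >&2; return 1; }
    kill "$(cat "$ROLLBACK_PID")" && rm -f "$ROLLBACK_PID" && echo "rules kept"
}

case "${1:-show}" in
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
    lint)    build_rules | lint_rules && echo "ruleset ok" ;;
    *)       build_rules ;;
esac
```

Running the script with no argument prints the ruleset; "apply" loads it with the rollback timer armed and "confirm" disarms the timer. The lint also reads plain scripts, so `lint_rules < firewall.sh` run from a shell that has sourced this file reports the "-s 192.168.1.0/24" OUTPUT rule from the first post in this thread. The two conntrack rules replace the per-peer ESTABLISHED rules entirely: once the INPUT rule has accepted the SSH client's first SYN, every reply belongs to a tracked connection and is let out regardless of which subnet the client is on.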
First, as far as I can see, your VMware NIC adapter was set to NAT, not bridged, and it's clear that when NAT is chosen you can only connect to your Windows machine from your server, not the other way around. So change the NIC config in VMware.
All the best.