[techtalk] packet filtering and ssh
Jamie Walker
jamiew at clear.net.nz
Tue Nov 23 20:15:40 EST 1999
Jennifer Tippens wrote:
> I'm using ipchains to filter packets. I have pop open from the outside
> so we can check our mail from home, I do not allow telnet into the box
> or ftp for that matter. How do I open up port 22 for ssh connections?
> I've tried:
> $IPCHAINS -A input -i $E_IF -p tcp -s 0/0 -d 0/0 22 -j ACCEPT
> and this seems not to work. Any suggestions?
Okay, firstly this wouldn't work if there's a DENY or REJECT rule added
earlier which matches the SSH packets, i.e. you can't deny everything
then allow SSH - it needs to be done the other way round.
Secondly I'm not sure if 0/0 is valid - but 0.0.0.0/0 definitely is.
Incidentally, in the example you've given the -s for source port is
redundant, as if not specified it'll match anything anyway.
Thirdly, do you have any DENY or REJECT rules on your output chain that
would match the outgoing SSH traffic?
Fourthly, try adding a -l to all your DENY or REJECT rules (if you don't
have it already) so ipchains will log to syslog (usually
/var/log/messages) all packets it drops.
Hope one or other of these suggestions helps :-)
--
Email: jamiew at clear.net.nz
Phone: +64-21-870-425
ICQ: 5632563
or shout loudly
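As an added example (not part of Jamie's reply), here is a dry-run ipchains input-chain ruleset that puts the ACCEPT rules for POP3 and SSH ahead of a catch-all DENY with logging, so the ordering problem described above is visible. The interface name eth0, the dry-run default for IPCHAINS, and the port_allowed_before_deny helper are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.
# IPCHAINS defaults to a dry run that prints the commands; set IPCHAINS=ipchains
# to apply them for real. E_IF is the external interface (assumed eth0).
IPCHAINS="${IPCHAINS:-echo ipchains}"
E_IF="${E_IF:-eth0}"

build_input_rules() {
    # Start from an empty input chain.
    $IPCHAINS -F input
    # Services reachable from outside: POP3 (110) and SSH (22).
    # These must come BEFORE the DENY rule: ipchains stops at the first match.
    $IPCHAINS -A input -i "$E_IF" -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 110 -j ACCEPT
    $IPCHAINS -A input -i "$E_IF" -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 22 -j ACCEPT
    # Catch-all last; -l logs every dropped packet to syslog (/var/log/messages),
    # which is how you find out that a rule further up is not matching.
    $IPCHAINS -A input -i "$E_IF" -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY -l
}

# Returns 0 if the ACCEPT for the given port appears before the first DENY,
# i.e. the service will actually be reachable with this ordering.
port_allowed_before_deny() {
    port="$1"
    rules=$(build_input_rules)
    accept_line=$(printf '%s\n' "$rules" | grep -n " $port -j ACCEPT" | head -n1 | cut -d: -f1)
    deny_line=$(printf '%s\n' "$rules" | grep -n -- '-j DENY' | head -n1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$deny_line" ] && [ "$accept_line" -lt "$deny_line" ]
}

build_input_rules
```

Run it as-is to see the commands in order; run with IPCHAINS=ipchains as root to load them.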