[techtalk] packet filtering and ssh

Jamie Walker jamiew at clear.net.nz
Tue Nov 23 20:15:40 EST 1999

Jennifer Tippens wrote:

> I'm using ipchains to filter packets.  I have pop open from the outside
> so we can check our mail from home, I do not allow telnet into the box
> or ftp for that matter.  How do I open up port 22 for ssh connections?
> I've tried:
> $IPCHAINS -A input -i $E_IF -p tcp -s 0/0 -d 0/0 22 -j ACCEPT
> and this seems not to work.  Any suggestions?

Okay, firstly this wouldn't work if there's a DENY or REJECT rule added
earlier which matches the SSH packets. I.e., you can't deny everything
then allow SSH - it needs to be done the other way round.

Secondly I'm not sure if 0/0 is valid - but definitely is.
Incidentally, in the example you've given, the -s for source port is
redundant, as if not specified it'll match anything anyway.

Thirdly, do you have any DENY or REJECT rules on your output chain that
would match the outgoing SSH traffic?

Fourthly, try adding a -l to all your DENY or REJECT rules (if you don't
have it already) so ipchains will log to syslog (usually
/var/log/messages) all packets it drops.

Hope one or other of these suggestions helps :-)

Email: jamiew at clear.net.nz
Phone: +64-21-870-425
  ICQ: 5632563
or shout loudly
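As an added example (not part of Jamie's reply or the original thread), the POSIX shell script below models the first-match rule evaluation that makes Jamie's first point matter, and prints the rules in the order he recommends, with -l on the catch-all DENY so drops reach syslog. The interface name eth0, the POP port 110 and the simplified rule lines are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Models ipchains' top-to-bottom,
# first-match evaluation: the first rule that matches a packet decides it.
IPCHAINS=${IPCHAINS:-ipchains}
E_IF=${E_IF:-eth0}   # assumed external interface

# Constructed, simplified rule lists: "chain proto dport target" per line.
# bad_rules: the catch-all DENY comes first, so tcp/22 never reaches the ACCEPT.
bad_rules='input tcp any DENY
input tcp 22 ACCEPT'

# good_rules: specific ACCEPTs first, catch-all DENY last.
good_rules='input tcp 22 ACCEPT
input tcp 110 ACCEPT
input tcp any DENY'

# verdict <rules> <proto> <dport>: target of the first matching input rule,
# or POLICY when nothing matches (the chain's default policy would apply).
verdict() {
  rules=$1; proto=$2; dport=$3
  hit=$(printf '%s\n' "$rules" | while read -r chain p d target; do
    [ "$chain" = input ] && [ "$p" = "$proto" ] || continue
    if [ "$d" = any ] || [ "$d" = "$dport" ]; then
      printf '%s' "$target"; break
    fi
  done)
  printf '%s\n' "${hit:-POLICY}"
}

# ssh_rules: the ipchains commands in the order the reply recommends.
# Specific ACCEPTs are appended first; the logging (-l) DENY goes last so
# every dropped packet is written to syslog (usually /var/log/messages).
ssh_rules() {
  cat <<EOF
$IPCHAINS -A input -i $E_IF -p tcp -d 0/0 22 -j ACCEPT
$IPCHAINS -A input -i $E_IF -p tcp -d 0/0 110 -j ACCEPT
$IPCHAINS -A input -i $E_IF -p tcp -l -j DENY
EOF
}
```

Run `verdict "$bad_rules" tcp 22` and `verdict "$good_rules" tcp 22` to see the same SSH packet denied under the first ordering and accepted under the second.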

techtalk at linuxchix.org   http://www.linuxchix.org
