
I am trying to set up my network's firewall, and am having trouble because I keep getting kicked out of SSH because of mistakes. Here's what I currently have:

# Custom Rules
iptables -F
iptables -X
iptables -P FORWARD DROP
iptables -N mc
iptables -A mc --src 123.456.789.1 -j ACCEPT
iptables -A mc --src 123.456.789.2 -j ACCEPT
iptables -A mc --src 50.50.50.50 -j ACCEPT
iptables -A mc -i lo -j ACCEPT
iptables -A mc -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A mc -m state --state INVALID -j DROP
iptables -A mc -j DROP

# Server Rules (Main Server)
iptables -A INPUT -p tcp --match multiport --dports 64000:64321 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j mc
iptables -A INPUT -p tcp -m multiport ! --dports 20,21,22,80,443,9987,20117,25565 -j mc
iptables -A INPUT -j DROP

Basically:

  • Allow access to ports 64000:64321
  • Allow access on TCP (from sport 53) to ports 1024:65535
  • Allow access on UDP (from sport 53) to ports 1024:65535
  • Allow access from ICMP ping requests, from the sources listed above
  • Allow access to port 3306 using the mc rules
  • Filter access from ports 20,21,22,80,443,9987,20117,25565 through mc rules
  • Deny all other input
  • You might want to look into iptables-apply to avoid getting kicked out every time you make a mistake. Commented May 17, 2014 at 9:10

1 Answer

First of all, "Filter access from ports 20,21,22,80,443,9987,20117,25565 through mc rules" with this rule:
iptables -A INPUT -p tcp -m multiport ! --dports 20,21,22,80,443,9987,20117,25565 -j mc
will not work because of the exclamation mark. Your rule works for every port except 20,21,22,80,443,9987,20117,25565. If you want to "filter access from ports 20,21,22,80,443,9987,20117,25565 through mc rules" you should use:
iptables -A INPUT -p tcp -m multiport --dports 20,21,22,80,443,9987,20117,25565 -j mc

For now, in your configuration you allow SSH access only from one source address, cache.ovh.net, in your main INPUT rules. For connections to other ports you have the rule:
iptables -A mc -m state --state RELATED,ESTABLISHED -j ACCEPT
that allows related and established connections to work. I think connections with source addresses from your mc custom rules should work fine, but for your main INPUT rules you should add something like this:
iptables -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -m state --state RELATED,ESTABLISHED -j ACCEPT
right after this line:
iptables -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT

Also you should check your DNS settings. Does ping.ovh.net resolve to the right IP address?
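As an added example that is not code from the question, the answer, or the commenter: a script that applies the answer's corrected multiport rule and addresses the lockout problem in the question in the spirit of the iptables-apply suggestion, by saving the current rules and restoring them automatically unless the operator confirms in time. The admin source address 203.0.113.10, the FW_APPLY and IPT variables, and the check_rules helper are assumptions introduced here; the port numbers are the ones from the question.

```shell
#!/bin/sh
# Added example (not from the question or the answer): apply the corrected
# ruleset with a rollback watchdog so a mistake cannot lock you out of SSH.
# Assumptions: the admin host is 203.0.113.10 (placeholder address) and the
# port list is the one from the question.

IPT="${IPT:-iptables}"                 # set IPT=echo for a dry run (prints the commands only)
ADMIN_SRC="${ADMIN_SRC:-203.0.113.10}" # assumed admin source address (placeholder)
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"   # seconds to confirm before the old rules come back

# Emit the ruleset. Order matters: the admin SSH accept and the
# RELATED,ESTABLISHED accept sit on INPUT itself, before any chain jump,
# so they are evaluated for every packet rather than only for the ports
# that happen to reach the mc chain.
build_rules() {
    $IPT -P INPUT ACCEPT   # open policy while flushing, so the flush itself cannot lock us out
    $IPT -F
    $IPT -X
    $IPT -P FORWARD DROP

    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_SRC" -j ACCEPT   # lockout guard, first INPUT rule
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # mc: the allow-list of source addresses that may reach the filtered ports
    $IPT -N mc
    $IPT -A mc -s "$ADMIN_SRC" -j ACCEPT
    $IPT -A mc -j DROP

    $IPT -A INPUT -p tcp -m multiport --dports 64000:64321 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 3306 -j mc
    # The answer's fix: no '!' in front of --dports, so exactly these ports
    # are routed through mc instead of every port except them.
    $IPT -A INPUT -p tcp -m multiport --dports 20,21,22,80,443,9987,20117,25565 -j mc
    $IPT -A INPUT -j DROP
}

# Check a generated (dry-run) ruleset for the two mistakes that cause lockouts
# here: a negated multiport match, and an SSH accept that is not the first
# INPUT rule. Returns 0 when both checks pass.
check_rules() {
    rules="$1"
    if printf '%s\n' "$rules" | grep -q -- '! --dports'; then
        echo "negated --dports found" >&2
        return 1
    fi
    first_input="$(printf '%s\n' "$rules" | grep -- '^-A INPUT ' | head -n 1)"
    case "$first_input" in
        *"--dport 22 "*"-j ACCEPT") return 0 ;;
        *) echo "first INPUT rule is not the SSH guard" >&2; return 1 ;;
    esac
}

# Apply live with an iptables-apply style watchdog: the previous rules are
# saved and restored automatically unless the operator confirms in time.
apply_with_rollback() {
    backup="$(mktemp)"
    iptables-save > "$backup"
    ( sleep "$ROLLBACK_SECS"; iptables-restore < "$backup"; rm -f "$backup" ) &
    watchdog=$!
    build_rules
    printf 'Rules applied. Press Enter within %ss to keep them, or wait for rollback: ' "$ROLLBACK_SECS"
    if read -r _; then
        kill "$watchdog" 2>/dev/null
        rm -f "$backup"
        echo "kept"
    fi
}

# Usage: IPT=echo sh firewall.sh     -> dry run, prints the rules
#        FW_APPLY=1 sh firewall.sh   -> apply with rollback (needs root)
if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_with_rollback
elif [ "$IPT" = echo ]; then
    build_rules
fi
```

Run the dry run first and read the output before applying: the admin SSH accept must be the first INPUT rule and no multiport match may carry a '!'. If the SSH session survives the live apply, press Enter; if it does not, the watchdog restores the saved rules after ROLLBACK_SECS and the session comes back. The script keeps the question's `-m state` match for consistency with the rules being fixed; on current kernels `-m conntrack --ctstate` is the equivalent.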
