iptables prevents connection via ssh after port change despite ACCEPT rule

The REJECT rule has to come after the new rules. Do this:

$ sudo service iptables stop
[sudo] password for kev:
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
$ sudo nano /etc/sysconfig/iptables
$ sudo service iptables start

When nano opens, cut the REJECT line and uncut it below the two new rules, then writeout and quit.

Also, you'll need to ssh from localhost just once before you can do it from the outside.
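The ordering point above is easy to check mechanically. The following is an added example, not part of the answer or the question: a small POSIX shell/awk script that reads a ruleset in iptables-save syntax (the format of /etc/sysconfig/iptables), reports every rule that sits behind a catch-all REJECT or DROP in the same chain (and is therefore never reached), and rewrites the ruleset so the catch-all rules come last. The embedded ruleset is a constructed reconstruction of the `iptables -L` output in the question; the unqualified `ACCEPT all` line is assumed to be the stock CentOS `-i lo` rule, and `--syn`/`1/m` are written in the expanded form iptables-save uses.

```sh
#!/bin/sh
# Added example (not from the original post): find and fix rules shadowed by an
# earlier catch-all REJECT/DROP in an iptables-save style ruleset.

# Constructed sample mirroring the question's `iptables -L` output, rewritten in
# iptables-save syntax. This is an assumed reconstruction, not the author's file.
BROKEN_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 2345 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 3 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2345 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print "<chain>: <rule>" for every rule that follows a catch-all terminating
# rule in its chain. A rule is catch-all when it carries no match options at
# all, i.e. it is exactly "-A <chain> -j REJECT|DROP [--reject-with ...]".
# Rules appended behind such a line are dead: packets never reach them.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            chain = $2
            if (chain in blocked) { print chain ": " $0; next }
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) blocked[chain] = 1
        }'
}

# Number of shadowed rules, as a bare integer (tr strips BSD wc padding).
shadowed_count() {
    shadowed_rules "$1" | wc -l | tr -d ' '
}

# Rewrite the ruleset so every catch-all REJECT/DROP is emitted just before
# COMMIT, after all specific rules. Only the ordering changes; this is the
# same edit the answer performs by hand in nano.
catchall_last() {
    printf '%s\n' "$1" | awk '
        /^-A / && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { held[n++] = $0; next }
        /^COMMIT/ { for (i = 0; i < n; i++) print held[i]; n = 0 }
        { print }'
}

echo "Shadowed rules in the broken ruleset:"
shadowed_rules "$BROKEN_RULES"
echo
echo "Ruleset with catch-all rules moved last:"
FIXED_RULES=$(catchall_last "$BROKEN_RULES")
printf '%s\n' "$FIXED_RULES"
echo
echo "Shadowed rules after the fix: $(shadowed_count "$FIXED_RULES")"
```

Run it against a copy of /etc/sysconfig/iptables (for example `shadowed_rules "$(cat /etc/sysconfig/iptables)"`) before `service iptables start`; a non-empty result means the file still has the ordering problem described in the answer. The check is deliberately conservative: it only treats a rule with no match options as a catch-all, so a REJECT limited to one interface or source is not flagged.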

Updated on September 18, 2022

Comments

  • Kev
    Kev over 1 year

    I have two machines hooked up to a router, one Windows with PuTTY, and one CentOS 6.4 with sshd and with the default SELinux still enabled. They can both ping each other successfully.

    I installed the policycore-python package so I could use semanage, then followed these directions.

    Step 4 looked like it's the new default, since it was already set up that way.

    Step 5 worked and I assume the stuff about ~/.ssh/config is for setting up your ssh client on another machine, so it doesn't apply (I can do something similar in PuTTY.)

    Step 6 I figured the shortest and most applicable thing was the third option, so I ran:

    iptables -A INPUT -p tcp --dport 2345 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
    iptables -A INPUT -p tcp --dport 2345 --syn -j DROP
    service iptables save
    service iptables restart
    

    At this point, I can do ssh -p 2345 localhost and also ssh -p 2345 192.168.1.4 on the CentOS box and log into itself fine, but I can no longer PuTTY into the CentOS box. I put the right IP and port 2345 in the connection window, but upon attempting to connect, I get a black screen with a solid green cursor, which, after a few seconds, gives a GUI popup saying Network error: Connection timed out.

    If I stop the iptables service, I can log in using PuTTY the same way. So it seems the problem is definitely with iptables and not sshd (nor semanage?).

    What's wrong with my iptables?

    $ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:2345 flags:FIN,SYN,RST,ACK/SYN limit: avg 1/min burst 3
    DROP       tcp  --  anywhere             anywhere            tcp dpt:2345 flags:FIN,SYN,RST,ACK/SYN
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    • Ludwig Schulze
      Ludwig Schulze almost 11 years
      Is sshd really listening on that port for the network interface? Try lsof -i :2345, also post your iptables -L rules.
    • Kev
      Kev almost 11 years
      @Braiam please see question update.
    • Ludwig Schulze
      Ludwig Schulze almost 11 years
      You sure configured putty to use port 2345 and sshd to listen same port when you cleared the iptables? Also verify that your iptables accepts connections to port 2345
    • Kev
      Kev almost 11 years
      @Braiam, yes, otherwise I wouldn't be able to log in via PuTTY after service iptables stop, right? And I'm not sure how to verify what you said--I provided iptables -L output in my edit but I'm an iptables n00b.
    • Kev
      Kev almost 11 years
      @Braiam, Also lsof returns command not found or something like that.
    • Ludwig Schulze
      Ludwig Schulze almost 11 years
      lsof should be run as root, and why not just use some GUI or helper to make the iptables rules?
    • Kev
      Kev almost 11 years
      @Braiam, I don't have a GUI. Do you have a recommended command-line tool? I'd be interested, but as I said, I don't understand why an out-of-the-box iptable won't work with the commands from the official wiki.
    • Ludwig Schulze
      Ludwig Schulze almost 11 years
      It's because you are mixing old rules with new rules and the wiki assumes you are configuring iptables from scratch. Flush your tables, use the rules the wiki says and save your table. It should work.