iptables prevents connection via ssh after port change despite ACCEPT rule
The REJECT rule has to come after the new rules. Do this:
$ sudo service iptables stop
[sudo] password for kev:
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
$ sudo nano /etc/sysconfig/iptables
$ sudo service iptables start
When nano opens, cut the REJECT line and uncut it below the two new rules, then writeout and quit.
Also, you'll need to ssh from localhost just once before you can do it from the outside.
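To make the ordering point concrete, here is an added example that is not part of the original answer. It works on the saved rules file as text rather than on the live tables: it moves every INPUT rule for the new sshd port in front of the INPUT chain's catch-all REJECT and checks the result. The port number (2345) and the sample /etc/sysconfig/iptables contents are assumptions modelled on the question's iptables -L output, not copied from the poster's machine.

```shell
#!/bin/sh
# Added example, not from the original answer. Fixes the rule order in a
# saved /etc/sysconfig/iptables as text: every INPUT rule for the new sshd
# port is moved in front of the INPUT chain's catch-all REJECT, which is
# where "iptables -A" (append) otherwise leaves them, unreachable for new
# connections because the REJECT matches first.
#
# Live equivalent (needs root, shown only as comments):
#   iptables -L INPUT -n --line-numbers            # find the REJECT's position N
#   iptables -I INPUT N -p tcp --dport 2345 --syn -j ACCEPT   # -I inserts at N
#   service iptables save

# Constructed sample modelled on the question's "iptables -L" output: the
# two port-2345 rules were appended, so they sit after the REJECT.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 2345 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
-A INPUT -p tcp --dport 2345 --syn -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# reorder_rules PORT: read a saved rules file on stdin, write it to stdout
# with the INPUT rules for PORT moved directly before the first
# "-A INPUT -j REJECT". All other lines keep their relative order.
reorder_rules() {
  awk -v port="$1" '
    {
      lines[NR] = $0
      if ($0 ~ /^-A INPUT / && index($0, "--dport " port " ") > 0) is_port[NR] = 1
    }
    END {
      for (i = 1; i <= NR; i++) {
        if (is_port[i]) continue            # already emitted before the REJECT
        if (!moved && lines[i] ~ /^-A INPUT -j REJECT/) {
          for (j = 1; j <= NR; j++) if (is_port[j]) print lines[j]
          moved = 1
        }
        print lines[i]
      }
    }'
}

# check_order PORT: exit 0 if no INPUT rule for PORT follows the INPUT
# chain's catch-all REJECT on stdin, exit 1 otherwise.
check_order() {
  awk -v port="$1" '
    /^-A INPUT -j REJECT/ { rejected = 1 }
    /^-A INPUT / && index($0, "--dport " port " ") > 0 && rejected { bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# Demonstration: the appended rules fail the check, the reordered file passes.
if printf '%s\n' "$SAMPLE_RULES" | check_order 2345; then
  echo "before: OK"
else
  echo "before: port 2345 rules are shadowed by the REJECT"
fi
printf '%s\n' "$SAMPLE_RULES" | reorder_rules 2345 | check_order 2345 \
  && echo "after: port 2345 rules precede the REJECT"
```

Two things worth keeping in mind when applying this to a real box: iptables evaluates a chain top to bottom and stops at the first terminating target, so an ACCEPT appended with -A behind a catch-all REJECT is never consulted for a new SYN, and plain iptables -L does not make that obvious; iptables -L INPUT -n --line-numbers shows the positions, and -I INPUT N inserts at position N instead of appending. Save only after check_order passes against the file you are about to load, and keep the existing session open until a fresh login on the new port succeeds.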
Kev
Updated on September 18, 2022

Comments
-
Kev over 1 year
I have two machines hooked up to a router, one Windows with PuTTY, and one CentOS 6.4 with sshd and with the default SELinux still enabled. They can both ping each other successfully.
I installed the policycore-python package so I could use semanage, then followed these directions. Step 4 looked like it's the new default, since it was already set up that way.
Step 5 worked and I assume the stuff about ~/.ssh/config is for setting up your ssh client on another machine, so it doesn't apply (I can do something similar in PuTTY.) Step 6 I figured the shortest and most applicable thing was the third option, so I ran:
iptables -A INPUT -p tcp --dport 2345 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 2345 --syn -j DROP
service iptables save
service iptables restart
At this point, I can do ssh -p 2345 localhost and also ssh -p 2345 192.168.1.4 on the CentOS box and log into itself fine, but I can no longer PuTTY into the CentOS box. I put the right IP and port 2345 in the connection window, but upon attempting to connect, I get a black screen with a solid green cursor, which, after a few seconds, gives a GUI popup saying Network error: Connection timed out. If I stop the iptables service, I can log in using PuTTY the same way. So it seems the problem is definitely with iptables and not sshd (nor semanage?). What's wrong with my iptables?
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:2345 flags:FIN,SYN,RST,ACK/SYN limit: avg 1/min burst 3
DROP       tcp  --  anywhere             anywhere            tcp dpt:2345 flags:FIN,SYN,RST,ACK/SYN

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
-
Ludwig Schulze almost 11 years
Is sshd really listening on that port for the network interface? Try lsof -i :2345, also post your iptables -L rules.
-
Kev almost 11 years
@Braiam please see question update.
-
Ludwig Schulze almost 11 years
Are you sure you configured PuTTY to use port 2345 and sshd to listen on the same port when you cleared the iptables? Also verify that your iptables accepts connections to port 2345.
-
Kev almost 11 years
@Braiam, yes, otherwise I wouldn't be able to log in via PuTTY after service iptables stop, right? And I'm not sure how to verify what you said. I provided iptables -L output in my edit but I'm an iptables n00b.
-
Kev almost 11 years
@Braiam, also lsof returns command not found or something like that.
-
Ludwig Schulze almost 11 years
lsof should be run as root, and why not just use some GUI or helper to make the iptables rules?
-
Kev almost 11 years
@Braiam, I don't have a GUI. Do you have a recommended command-line tool? I'd be interested, but as I said, I don't understand why an out-of-the-box iptables won't work with the commands from the official wiki.
-
Ludwig Schulze almost 11 years
It's because you are mixing old rules with new rules and the wiki assumes you are configuring iptables from scratch. Flush your tables, use the rules the wiki says and save your table. It should work.
-