What's not working? Everything?
Just SSH? This is all you really need:
- iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
If you must use your fancy pants SSH rule, I would suggest inserting (-I) it
before your drop rules:
$IPTables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
I don't think you need the SSH OUTPUT rule because iptables is a stateful
firewall.
Clients can't connect to the internet? You have no MASQ rule.
- iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
Cheers,
Michael.
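A complete, runnable version of the ruleset this thread converges on (default deny, loopback, a stateful ESTABLISHED,RELATED accept in every chain so no per-service OUTPUT rule is needed, inbound SSH only, and a MASQUERADE rule for LAN clients). This is an added example, not Michael's or Steve's script. It assumes eth0 is the internet-facing interface, eth1 the LAN side and 192.168.1.0/24 the client network; the DRY_RUN variable, the ipt wrapper and the show/apply commands are this example's own.

```shell
#!/bin/sh
# Added example: a minimal stateful firewall plus NAT for LAN clients.
# Not the script from the thread. Assumptions (all hypothetical):
#   WAN=eth0 is internet facing, LAN=eth1 faces the clients,
#   LAN_NET=192.168.1.0/24 is the client network.
# DRY_RUN=1 prints the iptables commands instead of executing them.

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# ipt: wrapper around iptables that honours DRY_RUN
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# build_rules: emits the complete ruleset, in order (order matters)
build_rules() {
    # Flush, then default-deny every chain
    ipt -F INPUT
    ipt -F FORWARD
    ipt -F OUTPUT
    ipt -t nat -F POSTROUTING
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback, matched on the interface rather than on a 127/24 source address
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing: RFC 1918 sources never legitimately arrive on the WAN side,
    # so they are dropped before anything else is evaluated
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT -i "$WAN" -s "$net" -j DROP
        ipt -A FORWARD -i "$WAN" -s "$net" -j DROP
    done

    # Stateful core: replies and related packets pass in every chain, which is
    # what makes a per-service rule such as "--sport 22 --state ESTABLISHED"
    # on OUTPUT unnecessary
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound services offered on the WAN side: new SSH connections only
    ipt -A INPUT -p tcp -i "$WAN" --dport 22 -m state --state NEW -j ACCEPT

    # Connections the firewall itself initiates (DNS, package updates, ...)
    ipt -A OUTPUT -o "$WAN" -m state --state NEW -j ACCEPT

    # LAN clients: forward their new connections out, and masquerade them
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# rule_count: number of iptables commands the ruleset consists of
rule_count() {
    DRY_RUN=1 build_rules | wc -l | tr -d ' '
}

# Usage: "sh fw.sh show" prints the commands, "sh fw.sh apply" (as root) loads them
case "${1:-}" in
    apply) build_rules ;;
    show)  DRY_RUN=1 build_rules ;;
    *)     : ;;
esac
```

The anti-spoofing drops sit before the stateful accept and the SSH accept, so a legitimate client is never shadowed by a later DROP; a rule that only matters for the firewall's own outbound connections (the NEW accept on OUTPUT) can be removed on a host that should initiate nothing.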
Steve Holdoway wrote:
I'm trying to set up a basic firewall - as a start, I'm just trying to have ssh
traffic and nothing else running. However, this just doesn't work. What am I
doing wrong?
Script... ( eth0 *is* internet facing, and nothing upstream is interfering )
IPTables=/sbin/iptables   # path assumed; the variable is not defined in the script as quoted
# Default policy drop everything
$IPTables -P INPUT DROP
$IPTables -P FORWARD DROP
$IPTables -P OUTPUT DROP
# Initialise the firewalling
# 1. Flush tables
$IPTables -F INPUT
$IPTables -F OUTPUT
$IPTables -F FORWARD
# 2. Set up input stuff.
# Loopback's good.
$IPTables -A INPUT -i lo -j ACCEPT
$IPTables -A OUTPUT -s 127.0.0.0/24 -j ACCEPT
$IPTables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# No non-routable IP address sources
$IPTables -A INPUT -p tcp -i eth0 -s 192.168.0.0/16 -j DROP
$IPTables -A INPUT -p tcp -i eth0 -s 172.16.0.0/12 -j DROP
$IPTables -A INPUT -p tcp -i eth0 -s 10.0.0.0/8 -j DROP
# Allowed services - just ssh atm.
$IPTables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# 3. Set up output stuff.
$IPTables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# iptables --list -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source          destination
    0     0 ACCEPT  0    --  lo   *    0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT  0    --  eth0 *    0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 DROP    tcp  --  eth0 *    192.168.0.0/16  0.0.0.0/0
    0     0 DROP    tcp  --  eth0 *    172.16.0.0/12   0.0.0.0/0
    0     0 DROP    tcp  --  eth0 *    10.0.0.0/8      0.0.0.0/0
    0     0 ACCEPT  tcp  --  eth0 *    0.0.0.0/0       0.0.0.0/0       tcp dpt:22 state NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source          destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source          destination
    0     0 ACCEPT  0    --  *    *    127.0.0.0/24    0.0.0.0/0
    0     0 ACCEPT  tcp  --  *    *    0.0.0.0/0       0.0.0.0/0       tcp spt:22 state ESTABLISHED
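Added example, not from either poster: a small audit that reads "iptables --list -n -v" output and reports, per chain, the two conditions visible in the listing above that silently drop traffic under a DROP policy: a chain with no rules at all (FORWARD here, so nothing is forwarded for clients), and a chain without a general, any-protocol ESTABLISHED,RELATED accept (OUTPUT here, which only lets SSH replies out). The audit_listing and audit_sample function names and the OK/WARN output format are this example's own; the embedded sample is a copy of the listing quoted above.

```shell
#!/bin/sh
# Added example: audit a filter-table listing from "iptables --list -n -v".
# Not part of the original thread. Flags each chain whose policy is DROP but
# which has no rules, or lacks a general ESTABLISHED,RELATED accept.

# audit_listing: listing on stdin, one OK/WARN line per chain on stdout
audit_listing() {
    awk '
    /^Chain / {
        chain = $2
        policy[chain] = ($3 == "(policy") ? $4 : "-"   # user chains have no policy
        order[++n] = chain
        rules[chain] = 0
        next
    }
    $1 == "pkts" || NF == 0 { next }                   # column header / blank line
    {
        rules[chain]++
        # a general stateful accept: ACCEPT, any protocol ("0" or "all"),
        # with a state match that includes ESTABLISHED
        if ($3 == "ACCEPT" && ($4 == "0" || $4 == "all") && $0 ~ /state [A-Z,]*ESTABLISHED/)
            stateful[chain] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]
            if (policy[c] != "DROP")
                printf "OK   %s: policy %s\n", c, policy[c]
            else if (rules[c] == 0)
                printf "WARN %s: policy DROP and no rules, nothing passes this chain\n", c
            else if (!stateful[c])
                printf "WARN %s: policy DROP without a general ESTABLISHED,RELATED accept\n", c
            else
                printf "OK   %s: policy DROP, %d rules, stateful accept present\n", c, rules[c]
        }
    }'
}

# audit_sample: runs the audit over a copy of the listing quoted in the thread
audit_sample() {
    audit_listing <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source          destination
    0     0 ACCEPT  0    --  lo   *    0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT  0    --  eth0 *    0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 DROP    tcp  --  eth0 *    192.168.0.0/16  0.0.0.0/0
    0     0 DROP    tcp  --  eth0 *    172.16.0.0/12   0.0.0.0/0
    0     0 DROP    tcp  --  eth0 *    10.0.0.0/8      0.0.0.0/0
    0     0 ACCEPT  tcp  --  eth0 *    0.0.0.0/0       0.0.0.0/0       tcp dpt:22 state NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source          destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source          destination
    0     0 ACCEPT  0    --  *    *    127.0.0.0/24    0.0.0.0/0
    0     0 ACCEPT  tcp  --  *    *    0.0.0.0/0       0.0.0.0/0       tcp spt:22 state ESTABLISHED
EOF
}

# Usage: "sh audit.sh sample" checks the embedded listing;
#        "iptables --list -n -v | sh audit.sh live" checks a running host
case "${1:-}" in
    sample) audit_sample ;;
    live)   audit_listing ;;
    *)      : ;;
esac
```

On the listing above the audit passes INPUT (it has the any-protocol RELATED,ESTABLISHED accept) and warns on FORWARD and OUTPUT; it only inspects the filter table, so the missing nat POSTROUTING MASQUERADE rule Michael points out has to be checked separately with "iptables -t nat -L -n -v".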