
I'm running Arch Linux and I have a running SSH daemon to access my machine when I'm outside my LAN. I can make the connection, but iptables keeps blocking the SSH daemon, so I can only connect if I turn off the firewall. I'm running SSH on port 5000.

My iptables rules

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# SSH
-A INPUT -p tcp --dport 22 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 5000 -j ACCEPT

# VNC
-A INPUT -p tcp --dport 5001 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 --dport 5001 -j ACCEPT

# HTTP/HTTPS
-A INPUT -p tcp --dport 80 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 8080 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 443 -j REJECT --reject-with icmp-host-unreachable

-A INPUT -p tcp -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 --dport 80 -j ACCEPT
  • it looks like you have the REJECT rule ahead of the application-ACCEPT rules; try moving it to the end? Commented Aug 28, 2015 at 21:03

1 Answer


You have to reorder the iptables rules.

You can't connect to your sshd because the rules are checked line by line. And you already told iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset, which means reject ALL tcp traffic. Even if you later tell it to accept connections to port 5000 it doesn't matter - you already rejected those connections.

So when you write iptables rules, think about the order: first insert those things you want to allow, then reject the rest.

  • Alright, it makes sense. I thought that it was the other way around. Commented Aug 28, 2015 at 21:09
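As an added example (not code from the question or the answer), here is a small first-match simulator in Python over the SSH-relevant rules copied from the question: it shows the blanket tcp REJECT at rule 4 catching a new connection to port 5000, and the same packet being accepted once the catch-all REJECT rules are moved to the end, as the answer suggests. The interface name eth0 and the packet fields are assumptions.

```python
# Added example: a first-match simulator for the INPUT chain in the question.
# Constructed input: the SSH-relevant rules copied from the posted ruleset, in
# the posted order (the blanket tcp REJECT comes before the port-5000 ACCEPT).
POSTED_RULES = """
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp --dport 22 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp --dport 5000 -j ACCEPT
"""

# Only the match options that matter for this chain are parsed; the rest is ignored.
OPTS = {"-p": "proto", "-i": "iface", "--dport": "dport", "--ctstate": "ctstate", "-j": "target"}

def parse_chain(text):
    """Turn iptables-save style lines into a list of {option: value} dicts, in order."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        rules.append({name: toks[toks.index(key) + 1] for key, name in OPTS.items() if key in toks})
    return rules

def first_match(rules, pkt):
    """Walk the chain top to bottom; the first rule whose matches all hold gives the verdict.
    Returns (target, 1-based rule number); falls through to the chain policy (DROP here)."""
    for n, rule in enumerate(rules, 1):
        if "proto" in rule and rule["proto"] != pkt["proto"]:
            continue
        if "iface" in rule and rule["iface"] != pkt["iface"]:
            continue
        if "dport" in rule and int(rule["dport"]) != pkt["dport"]:
            continue
        if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"].split(","):
            continue
        return rule["target"], n
    return "DROP", None  # :INPUT DROP policy from the question's ruleset

def is_catchall(rule):
    """A REJECT with no --dport is one of the blanket 'reject the rest' rules."""
    return rule["target"] == "REJECT" and "dport" not in rule

def move_catchalls_last(rules):
    """The answer's fix: keep the allow and per-port rules first, then reject the rest."""
    return [r for r in rules if not is_catchall(r)] + [r for r in rules if is_catchall(r)]

# Assumed packet: a new SSH connection from outside the LAN arriving on eth0.
WAN_SSH = {"proto": "tcp", "iface": "eth0", "dport": 5000, "ctstate": "NEW"}

if __name__ == "__main__":
    posted = parse_chain(POSTED_RULES)
    print("posted order:", first_match(posted, WAN_SSH))                        # ('REJECT', 4)
    print("reordered:   ", first_match(move_catchalls_last(posted), WAN_SSH))   # ('ACCEPT', 5)
```

The same walk shows why the reordered chain still blocks port 22 (the explicit per-port REJECT now sits before the ACCEPT) and why any other TCP port falls through to the tcp-reset rule at the end.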
