updated
Kev


iptables prevents other box from connecting via ssh after port change

I have two machines on a network, one Windows with PuTTY, and one CentOS 6.4 with sshd and with the default SELinux still enabled.

iptables -A INPUT -p tcp --dport 2345 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 2345 --syn -j DROP

Just in case I did service iptables restart after that.

That's where I stopped for now. At this point, I can do ssh -p 2345 localhost on the CentOS box and log in fine, but I can no longer PuTTY into the CentOS box. I put the right IP and port 2345 in the connection window, but upon attempting to connect, I get a black screen with a solid green cursor, which, after a few seconds, gives a GUI popup:

---------------------------
PuTTY Fatal Error
---------------------------
Network error: Connection timed out
---------------------------
OK   
---------------------------

My router is even set up to forward port 2345 to 2345 on the CentOS box's IP, but I'm guessing that doesn't affect things here at this point, since I'm connecting from within the network.

UPDATE: From a comment on an article, I tried service iptables stop and then found that I could log in using PuTTY. So it seems the problem is definitely with iptables and not sshd (nor semanage?). I've heard recommendations to use CSF/LFD and some u-something-something tool for firewall management, but I'm curious as to why following iptables instructions verbatim didn't work. iptables -L gives:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

How can I have iptables running but still log in from outside the box?

iptables prevents connection via ssh after port change despite ACCEPT rule

I have two machines hooked up to a router, one Windows with PuTTY, and one CentOS 6.4 with sshd and with the default SELinux still enabled. They can both ping each other successfully.

iptables -A INPUT -p tcp --dport 2345 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 2345 --syn -j DROP
service iptables save
service iptables restart

At this point, I can do ssh -p 2345 localhost and also ssh -p 2345 192.168.1.4 on the CentOS box and log into itself fine, but I can no longer PuTTY into the CentOS box. I put the right IP and port 2345 in the connection window, but upon attempting to connect, I get a black screen with a solid green cursor, which, after a few seconds, gives a GUI popup saying Network error: Connection timed out.

If I stop the iptables service, I can log in using PuTTY the same way. So it seems the problem is definitely with iptables and not sshd (nor semanage?).

What's wrong with my iptables?

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:2345 flags:FIN,SYN,RST,ACK/SYN limit: avg 1/min burst 3
DROP       tcp  --  anywhere             anywhere            tcp dpt:2345 flags:FIN,SYN,RST,ACK/SYN

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
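An added simulation, not part of the original post, of iptables first-match evaluation over the INPUT chain listed above. It assumes the third `ACCEPT all` rule is CentOS 6's default `-i lo` rule (plain `iptables -L` without `-v` hides the interface column) and uses a constructed client address 192.168.1.5; it shows that rules appended with `-A` land behind the catch-all REJECT, why connections from the box to its own address still succeed, and how the chain behaves once the port-2345 rules are placed ahead of the REJECT (the equivalent of `iptables -I INPUT 5 ...`).

```python
# Added example (not from the original post): first-match walk over the INPUT
# chain from the question. Rules are (target, matcher) pairs; matchers receive
# a packet dict. The "-i lo" interpretation of rule 3 is an assumption.

def tcp_dport(port, extra=lambda p: True):
    """Matcher for '-p tcp --dport <port>' plus an optional extra match."""
    return lambda p: p["proto"] == "tcp" and p["dport"] == port and extra(p)

def chain_as_listed():
    """INPUT chain in 'iptables -L' order after the two -A commands."""
    return [
        ("ACCEPT", lambda p: p["state"] in ("RELATED", "ESTABLISHED")),
        ("ACCEPT", lambda p: p["proto"] == "icmp"),
        ("ACCEPT", lambda p: p["iface"] == "lo"),            # assumed: -i lo
        ("ACCEPT", tcp_dport(22, lambda p: p["state"] == "NEW")),
        ("REJECT", lambda p: True),                            # icmp-host-prohibited
        ("ACCEPT", tcp_dport(2345, lambda p: p["syn"])),      # appended: unreachable
        ("DROP",   tcp_dport(2345, lambda p: p["syn"])),      # appended: unreachable
    ]

def chain_fixed():
    """Same rules with the port-2345 pair moved ahead of the catch-all REJECT."""
    rules = chain_as_listed()
    return rules[:4] + rules[5:] + [rules[4]]

def evaluate(chain, packet, policy="ACCEPT"):
    """Return (target, 1-based rule index) of the first match, else the policy."""
    for index, (target, match) in enumerate(chain, start=1):
        if match(packet):
            return target, index
    return policy, None

def ssh_syn(src, iface):
    """A NEW TCP SYN to port 2345, i.e. the first packet of an ssh connection."""
    return {"proto": "tcp", "dport": 2345, "syn": True,
            "state": "NEW", "src": src, "iface": iface}

if __name__ == "__main__":
    from_windows = ssh_syn("192.168.1.5", "eth0")  # constructed client address
    from_self = ssh_syn("192.168.1.4", "lo")        # box connecting to its own IP
    print(evaluate(chain_as_listed(), from_windows))  # ('REJECT', 5)
    print(evaluate(chain_as_listed(), from_self))     # ('ACCEPT', 3)
    print(evaluate(chain_fixed(), from_windows))      # ('ACCEPT', 5)
```

Traffic to the machine's own address is routed over lo, which is why `ssh -p 2345 192.168.1.4` from the CentOS box succeeds while the same SYN arriving on the LAN interface hits rule 5.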
better title
Kev

Can't ssh into new CentOS install after port change

iptables prevents other box from connecting via ssh after port change

added 74 characters in body
Kev

How can I have iptables running but still log in from outside the box?

added update
Kev