possible problem with scp/ssh/telnet

Paul Allen Newell pnewell at cs.cmu.edu
Mon Aug 13 19:54:19 UTC 2012


On 8/13/2012 10:34 AM, David G. Miller wrote:
>
>
> The rules in /etc/sysconfig/iptables are processed sequentially.  When a packet
> matches a rule the rule is applied.  ACCEPT rules tell iptables to hand off the
> packet to the corresponding service.
>
> # more /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.12 on Sat Aug 11 23:29:10 2012
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
> The next line in your iptables file is your "ACCEPT" rule for connections to
> port 22.  iptables stops processing the packet and hands it off to sshd at this
> point.
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 127.0.0.1/32 -d 192.168.2.0/24 -p udp -m state --state NEW -m udp --dport 631
> -A INPUT -s 127.0.0.1/32 -d 192.168.2.0/24 -p tcp -m state --state NEW -m tcp --dport 631
>
> Here's your logging line.  Since packets coming in to port 22 have already been
> handed off to sshd, this rule is never hit for them.
>
> -A INPUT -j LOG --log-prefix "<IPTABLES: LOG REJECT> "
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Sat Aug 11 23:29:10 2012
> [root@yoyo ~]#
> +++
>
> I use logging rules like this a lot.  The only thing you need to be careful
> about is putting a blanket logging rule too early in your iptables file.  You
> can get swamped with too much data really easily.
>
> Cheers,
> Dave
>

Dave:

Thanks for the reply and pointing out what I missed. I remember exactly 
what happened here. I didn't use to have the udp rule so that log would 
be last, but discovered installing the printer added --dport 631 rules 
so, after consulting the list, I cleaned them up but left them where 
they had been added. I can see the hits for the printer in the log.

That being said, I would still expect a failure in tcp to show up in the 
log if they are not accepted in the tcp line as everything that isn't an 
accept should continue being processed until the log and reject?

So, do I gather from this that iptables is accepting the tcp request and 
the problem is happening at sshd (which I also think would make sense if 
I believe that the error is on the receiving cygwin/WinXP machine and 
not on the Fedora box)?

Second question, is there a way to log when something is going to be 
accepted so, when the error crops up again, the iptables will log every 
tcp it accepts (and only tcps it accepts)? I'm trying to figure out how 
to gather enough debug material so when I need it I can get everything I 
need (and, until I understand the problem, potentially more than 
everything).

Paul
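The two questions above (why a trailing LOG rule never sees port-22 traffic, and how to log what is about to be accepted) both come down to first-match processing of the INPUT chain. The following is an added example, not code from the thread: a small Python model of how a filter chain is walked, built from the rule order quoted above (the printer rules for port 631 are omitted for brevity). It treats LOG as non-terminating and ACCEPT/REJECT as terminating, and shows that a LOG rule with the same match as the port-22 ACCEPT, inserted directly in front of it, records exactly the NEW connections that are then accepted. The packet dictionaries are constructed sample inputs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed packet representation, e.g.
# {"proto": "tcp", "dport": 22, "state": "NEW", "iface": "eth0"}
Packet = Dict[str, object]


@dataclass
class Rule:
    target: str                          # ACCEPT, REJECT or LOG
    proto: Optional[str] = None          # -p tcp/udp/icmp; None matches any protocol
    dport: Optional[int] = None          # --dport N
    state: Optional[Set[str]] = None     # -m state --state NEW,ESTABLISHED,...
    in_iface: Optional[str] = None       # -i lo
    log_prefix: str = ""                 # --log-prefix for LOG rules

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.state is not None and pkt.get("state") not in self.state:
            return False
        if self.in_iface is not None and pkt.get("iface") != self.in_iface:
            return False
        return True


def walk_chain(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Walk the chain top to bottom. Returns (verdict, log lines emitted).

    LOG matches are recorded and processing continues; the first ACCEPT or
    REJECT match ends processing. If nothing matches, the chain policy applies.
    """
    logs: List[str] = []
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logs.append(
                f'{rule.log_prefix}IN={pkt.get("iface", "")} PROTO={pkt.get("proto")} '
                f'DPT={pkt.get("dport")} STATE={pkt.get("state")}'
            )
            continue  # LOG is non-terminating
        return rule.target, logs  # ACCEPT / REJECT stop the walk here
    return policy, logs


def original_chain() -> List[Rule]:
    # Same order as the INPUT chain quoted in the thread (port-631 rules omitted)
    return [
        Rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
        Rule("ACCEPT", proto="icmp"),
        Rule("ACCEPT", in_iface="lo"),
        Rule("ACCEPT", proto="tcp", dport=22, state={"NEW"}),
        Rule("LOG", log_prefix="<IPTABLES: LOG REJECT> "),
        Rule("REJECT"),
    ]


def chain_with_accept_logging() -> List[Rule]:
    """The same chain with a LOG rule placed immediately before the port-22 ACCEPT."""
    chain = original_chain()
    idx = next(i for i, r in enumerate(chain) if r.target == "ACCEPT" and r.dport == 22)
    chain.insert(idx, Rule("LOG", proto="tcp", dport=22, state={"NEW"},
                           log_prefix="<IPTABLES: LOG ACCEPT> "))
    return chain


if __name__ == "__main__":
    new_ssh = {"proto": "tcp", "dport": 22, "state": "NEW", "iface": "eth0"}
    est_ssh = {"proto": "tcp", "dport": 22, "state": "ESTABLISHED", "iface": "eth0"}
    new_http = {"proto": "tcp", "dport": 80, "state": "NEW", "iface": "eth0"}
    for name, chain in (("original", original_chain()),
                        ("with accept logging", chain_with_accept_logging())):
        print(f"--- {name} ---")
        for pkt in (new_ssh, est_ssh, new_http):
            verdict, logs = walk_chain(chain, pkt)
            print(pkt["state"], pkt["proto"], pkt["dport"], "->", verdict, logs)
```

In the model, a NEW tcp/22 packet walked through the original order is accepted at rule 4 and produces no log line, while the reordered chain logs it once and then accepts it; ESTABLISHED packets on the same connection hit rule 1 and are never logged, so the volume stays at one line per accepted connection. The equivalent real rule, inserted at position 4 so that it lands ahead of the existing ACCEPT, would be `iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 22 -j LOG --log-prefix "<IPTABLES: LOG ACCEPT> "`; adding `-m limit --limit 10/min` to that rule keeps it from swamping the log, which is the caution Dave raises above.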
