View the full version : dropbear / ssh from wan



yilias
24-04-2005, 08:39
Hello all.

Just upgraded to 1.9.2.7-4 and activated the dropbear ssh daemon. Now I want to access it from WAN, but I cannot get it to work (probably because of a lack of knowledge in the iptables part).

This is the rule I have in my iptables:



Chain INPUT (policy ACCEPT)
target prot opt source destination
logdrop all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
logdrop all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere limit: avg 1/sec burst 5 icmp echo-request
ACCEPT udp -- anywhere 192.168.1.2 udp dpt:11747
ACCEPT tcp -- anywhere 192.168.1.2 tcp dpt:12797
ACCEPT tcp -- anywhere 192.168.1.100 tcp dpt:6881
ACCEPT udp -- anywhere 192.168.1.100 udp dpt:6881
ACCEPT tcp -- anywhere 192.168.1.1 tcp dpt:ssh

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain MACS (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (4 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP'
DROP all -- anywhere anywhere


Is this correct?

Thanks

Oleg
24-04-2005, 09:14
No, it should be added to the INPUT chain (not FORWARD), before the last rule.

yilias
24-04-2005, 09:22
Could you give an example? I'm a bit worried that if I do something wrong I will wreck my iptables settings.

Thanks

Kitsok
24-04-2005, 19:50
iptables -I INPUT -m tcp -p tcp --dport 22 -j ACCEPT
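As an added example (not posted by anyone in this thread), here is a dry-run way to follow Oleg's advice of placing the ACCEPT rule before the last INPUT rule rather than at the top of the chain: it reads a numbered listing, finds the trailing "logdrop all" catch-all, and prints the iptables command to run. The listing below is a constructed sample based on the INPUT chain above, and the WAN interface name ppp0 is a placeholder assumption.

```shell
#!/bin/sh
# Added example: compute the insert position for the SSH ACCEPT rule so it
# lands just before the catch-all "logdrop all" rule in the INPUT chain.

# Constructed sample: the thread's INPUT chain as printed by
# "iptables -L INPUT -n --line-numbers" (rule numbers added for illustration).
SAMPLE_INPUT='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    logdrop    all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
5    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
6    logdrop    all  --  0.0.0.0/0            0.0.0.0/0'

# Read a numbered INPUT listing on stdin and print the rule number of the
# last "logdrop all" rule that has no extra match (the catch-all, NF == 6).
# Inserting at that number puts the new rule ahead of the drop.
last_logdrop_rule() {
    awk '$2 == "logdrop" && $3 == "all" && NF == 6 { n = $1 } END { print n + 0 }'
}

# Build the command to run. $1 = rule number, $2 = WAN interface name
# (assumption: "ppp0" is a placeholder; check the real name on the router).
# Limiting with -i means the rule only opens port 22 on that interface.
ssh_accept_cmd() {
    printf 'iptables -I INPUT %s -i %s -p tcp --dport 22 -j ACCEPT\n' "$1" "$2"
}

# Dry run: print the command instead of executing it, so nothing is changed
# until the position and interface have been checked by hand.
pos=$(printf '%s\n' "$SAMPLE_INPUT" | last_logdrop_rule)
ssh_accept_cmd "$pos" ppp0
```

On the router itself, replace the sample with `iptables -L INPUT -n --line-numbers | last_logdrop_rule` and run the printed command once it looks right.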