[vox-tech] SSH On Home Network

Mike Simons vox-tech@lists.lugod.org
Mon, 10 Mar 2003 19:18:04 -0500


On Mon, Mar 10, 2003 at 04:00:04PM -0800, ME wrote:
> Looking at the output from the iptables, I dont see a rule permitting
> packets with a syn flag set to port 22 for ssh.

Perhaps I've read it wrong... but

- The only TCP reject rule that has killed *any* packets got 6 packets.

- The machine is set to reply by icmp-port-unreachable and he is getting
  a no-route-to-host.

- There are no rules that appear to block ICMP traffic and he can't
  ping.

  So he has got to be testing the wrong IP... or have something
  else preventing his tests from reaching the eth device.

    TTFN,
      Mike

# Chain RH-Lokkit-0-50-INPUT (1 references)
#  pkts bytes target     prot opt in     out     source 
#     0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0
#     0.0.0.0/0          tcp dpt:22 flags:0x16/0x02 

#     6   360 REJECT     tcp  --  *      *      0.0.0.0/0
#     0.0.0.0/0          tcp dpts:0:1023 flags:0x16/0x02 reject-with
#     icmp-port-unreachable 

> (Background: this is taken from examination of the "flags" section, and
> having an understanding of a tcp packet and the flags
> http://mike.passwall.com/networking/tcppacket.html )

- Even then the tcp port 22 rule allows packets with flags:0x16/0x02,
  and the only tcp killing rule only drops packets with flags:0x16/0x02.
  So if ssh ever sent packets like that there would be indications in the
  accepted counters... of which there are none.

- *IF* any packets fall off the end of this "RH-Lokkit-0-50-INPUT" chain,
  they will be accepted... because INPUT is set to ACCEPT by default.

ps:
  I personally don't like the style of those rules... if they want to
block everything that is not allowed the default rules should be REJECT
and there should be rules to only accept good traffic.
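The reasoning above (decode the flags:MASK/COMP match, walk the chain in order, fall through to the INPUT policy when nothing matches, and look at the per-rule counters) can be checked mechanically. The following is an added example, not code from the original post or from Lokkit: it parses a constructed `iptables -L -v -n` listing carrying the two rules quoted above and reports the verdict a given TCP packet would get.

```python
import re

# TCP flag bits behind iptables' "flags:MASK/COMP" notation. 0x16/0x02 means
# "of SYN,RST,ACK only SYN is set", i.e. the classic --syn match.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Constructed sample reproducing the two rules from the message, laid out the
# way `iptables -L RH-Lokkit-0-50-INPUT -v -n` prints them (one rule per line).
SAMPLE_CHAIN = """\
Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x16/0x02
    6   360 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
"""

# pkts bytes target prot, then opt/in/out/source/destination, then match text
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(ACCEPT|REJECT|DROP)\s+(\S+)\s+(?:\S+\s+){5}(.*)$")

def flag_names(value):
    """Bitmask -> set of flag names, e.g. 0x16 -> {'SYN', 'RST', 'ACK'}."""
    return {name for name, bit in TCP_FLAGS.items() if value & bit}

def parse_chain(text):
    """Parse a -v -n chain listing into rule dicts (counters, target, match)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Chain ..." and column-header lines
        pkts, nbytes, target, proto, extra = m.groups()
        rule = {"pkts": int(pkts), "bytes": int(nbytes), "target": target,
                "proto": proto, "dports": (0, 65535), "flags": None}
        dpt = re.search(r"dpts?:(\d+)(?::(\d+))?", extra)
        if dpt:  # "dpt:22" is a single port, "dpts:0:1023" a range
            rule["dports"] = (int(dpt.group(1)), int(dpt.group(2) or dpt.group(1)))
        fl = re.search(r"flags:(0x[0-9a-f]+)/(0x[0-9a-f]+)", extra, re.I)
        if fl:
            rule["flags"] = (int(fl.group(1), 16), int(fl.group(2), 16))
        rules.append(rule)
    return rules

def verdict(rules, dport, flags, proto="tcp", policy="ACCEPT"):
    """Target of the first matching rule, else the chain policy (INPUT is ACCEPT here)."""
    for rule in rules:
        if rule["proto"] not in ("all", proto):
            continue
        lo, hi = rule["dports"]
        if not lo <= dport <= hi:
            continue
        if rule["flags"] is not None:
            mask, comp = rule["flags"]
            if (flags & mask) != comp:
                continue
        return rule["target"]
    return policy

RULES = parse_chain(SAMPLE_CHAIN)
```

`verdict(RULES, 22, TCP_FLAGS["SYN"])` returns `ACCEPT`, while an ACK-only packet to port 22 or a SYN to a port above 1023 matches neither rule and falls through to the ACCEPT policy, which is the point made about packets falling off the end of the chain.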