Linux – Check if iptables rules are working

firewalliptableslinuxnetcat

I have three virtualboxs.

1) Virtual machine VM-A that works as a router with two interfaces:

eth0 – 10.160.10.254

eth1 – 172.10.0.254

2) Virtual machine VM-B that works as an internal network with one interface:

eth0 – 10.160.10.1 (and with gw to 10.160.10.254)

3) Virtual machine VM-C that works as an external network with one interface:

eth0 172.10.0.1 (and with gw to 172.10.0.254)

I want to allow ssh connections to the router(VM-1) when originated for a server in the internal network with iptables.

So in the router vbox Im using this two commands below:

iptables -A INPUT -s 10.160.10.4 -d 10.160.10.254 -p udp --dport 22 -j ACCEPT

iptables -A INPUT -s 10.160.10.4 -d 10.160.10.254 -p tcp--dport 22 -j ACCEPT

To test if this is working Im trying to use netcat.

In the internal network machine Im using nc -lu 22 command and in the external network machine Im using nc -u 193.160.10.4 22 command, but nothing is appearing.

Do you know what needs to appear and how to use netcat corretcly to test the iptables rules?

Best Answer

SSH uses TCP, not UDP. You use nc -u so you send UDP packets. Just try

nc -vz <ip> <port>

If you want to test your iptables rules that way, you should set the policy for the INPUT chain to DROP or REJECT. Take care that you allow tcp packets to port 22 from your source before. You can allow it from the IP of the specific machine, the whole subnet or the interface.

Example source ip:

iptables -A INPUT -s <source ip> -p tcp --dport 22 -j ACCEPT

Example source subnet (Accepts everything from 192.168.xxx.xxx):

iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 22 -j ACCEPT

Example source interface (accepts every packet comming through interface eth0):

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Set policy for INPUT to DROP (the default action if none of the rules applies):

iptables -P INPUT DROP

Best regards

EDIT: And of course what David said, but im presuming some typos in the question, otherwise there wont be any working connection.

Related Solutions

Iptables rule to block incoming/outgoing traffic to a Xen container

This rule worked ion my installation:

iptables -I FORWARD 1 -d [client-ip] -p tcp -m tcp --dport 53 -j DROP
iptables -I FORWARD 1 -d [client-ip] -p udp -m udp --dport 53 -j DROP

Notice that netfilter reads rules top-to-bottom and if you have a rule permitting all traffic to this client above (iptables -A adds rule to the end of the table), this new rule won't be reached and won't have effect.

I didn't understand why you use "state" module if you a listing all valid states? It just uses CPU time and has no effect IMHO.

Next, I'm not sure, what is the goal of blocking traffic, going from port 25. If you client sends ab e-mail, he connects to remote server's port 25 but uses one of local ports (32k..64k by default) on his side. Couldn't you explain, what do you want to get as a result?

Iptables – Configuring iptables on dd-wrt router

You haven't allowed for established connections of the type you are using in the connection already. This is why when you add the last line the connection is broken.

You'd want a line like this:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This says that the firewall should permit connections that have already been made and are working. (i.e. passed all the other rules in the firewall.)

With that said, you'll also need a rule to permit ssh coming in such as:

-A INPUT -s <source> -p tcp -m state --state NEW -m tcp --dport ssh -j ACCEPT

This tells the firewall to allow ssh connections to be started.

Hope this helps.

P.S. I would have to check but the "-P" lines (last three) you should not be using since I think they flush the tables. But I'd have to recheck it.

Best Answer

Related Solutions

Iptables rule to block incoming/outgoing traffic to a Xen container

Iptables – Configuring iptables on dd-wrt router

Related Topic