Linux – iptables Ubuntu VPS SSH rule

Tags: iptables, linux, ssh, ssl

I'm trying to configure an Ubuntu VPS server to connect to the Codebase Git server;
just like Heroku, Codebase authentication is based on SSH RSA keys.

I've uploaded the keys to the repository, and when I tested the codebase keys with the test command:

ssh git@codebasehq.com

it does not respond and the connection times out. I tried to watch the requests with:

ssh git@codebasehq.com -v

But it stops at:

debug1: Connecting to codebasehq.com [188.65.183.234] port 22.

So I edited my iptables rules to this:

#cleaning rules
iptables -F
iptables -t nat -F

#Standard behaviour
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

#DNS
#iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT

#GIT
#iptables -A OUTPUT -p tcp --dport 9418 -j ACCEPT
iptables -A INPUT -p tcp --sport 9418 -j ACCEPT

#SSL
iptables -I INPUT -p tcp --dport 443 -j ACCEPT

Best Answer

For TCP you have to consider the state; this should help... :-)

#cleaning rules
iptables -F
iptables -t nat -F

#Standard behaviour
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# accept packets that belong to (or are related to) a connection conntrack
# already knows about, e.g. the SYN-ACK coming back for an outbound ssh;
# eth0 is assumed to be the VPS's public interface, adjust if yours differs
iptables -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# loopback interface
iptables -A INPUT -p ALL -i lo -j ACCEPT

#SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
#iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

#DNS
#iptables -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT

#GIT
#iptables -A OUTPUT -p tcp --dport 9418 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport 9418 -m state --state NEW -j ACCEPT

#SSL
iptables -I INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
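To see why the ESTABLISHED,RELATED rule is what fixes the hang, here is an added illustration that is not code from the question or the answer: a toy model of the subset of iptables semantics used in this thread (chain policy, -p, --sport/--dport, -m state) with a minimal 5-tuple connection table standing in for nf_conntrack. The VPS and attacker addresses are constructed; 188.65.183.234 is the address from the asker's ssh -v output. It traces the outbound ssh handshake through the asker's chain and the answer's chain, and goes one step beyond the thread to show a caveat with both rulesets: a rule that accepts on source port alone (--sport 53, --sport 9418) matches any unsolicited packet whose sender simply chose that source port, and once conntrack admits replies those rules are redundant and can be removed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

VPS = "10.0.0.5"             # constructed address for the Ubuntu VPS
CODEBASE = "188.65.183.234"  # address shown in the asker's ssh -v output
ATTACKER = "203.0.113.7"     # constructed (TEST-NET-3) scanner address


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One iptables rule: -p / --dport / --sport / -m state --state / -j."""
    target: str
    proto: Optional[str] = None              # None or "ALL" matches everything
    dport: Optional[Tuple[int, int]] = None  # inclusive range, like lo:hi
    sport: Optional[Tuple[int, int]] = None
    states: Optional[FrozenSet[str]] = None  # None means no -m state match

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.proto not in (None, "ALL", pkt.proto):
            return False
        if self.dport and not self.dport[0] <= pkt.dport <= self.dport[1]:
            return False
        if self.sport and not self.sport[0] <= pkt.sport <= self.sport[1]:
            return False
        return self.states is None or state in self.states


class Conntrack:
    """Toy connection table keyed on the 5-tuple. Real nf_conntrack also
    checks TCP flags and timeouts; that detail is skipped here."""
    def __init__(self) -> None:
        self.flows = set()

    def record(self, pkt: Packet) -> None:
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"


def verdict(chain, policy: str, pkt: Packet, ct: Conntrack) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    state = ct.state(pkt)
    for rule in chain:
        if rule.matches(pkt, state):
            return rule.target
    return policy


def port(p: int) -> Tuple[int, int]:
    return (p, p)


NEW, EST = frozenset({"NEW"}), frozenset({"ESTABLISHED", "RELATED"})

# The asker's INPUT chain (the -I 443 rule lands at the top).
ASKER_INPUT = [
    Rule("ACCEPT", "tcp", dport=port(443)),
    Rule("ACCEPT", "tcp", dport=port(22)),
    Rule("ACCEPT", "icmp"),
    Rule("ACCEPT", "udp", sport=port(53), dport=(1024, 65535)),
    Rule("ACCEPT", "tcp", sport=port(9418)),
]
# The answer's INPUT chain.
ANSWER_INPUT = [
    Rule("ACCEPT", "tcp", dport=port(443), states=NEW),
    Rule("ACCEPT", "ALL", states=EST),
    Rule("ACCEPT", "tcp", dport=port(22), states=NEW),
    Rule("ACCEPT", "icmp"),
    Rule("ACCEPT", "udp", sport=port(53), dport=(1024, 65535)),
    Rule("ACCEPT", "tcp", sport=port(9418), states=NEW),
]
# Tightened variant (my suggestion, not from the thread): with conntrack
# admitting replies, nothing needs to trust a source port any more.
HARDENED_INPUT = [
    Rule("ACCEPT", "ALL", states=EST),
    Rule("ACCEPT", "tcp", dport=port(22), states=NEW),
    Rule("ACCEPT", "tcp", dport=port(443), states=NEW),
    Rule("ACCEPT", "icmp"),
]


def ssh_reply_verdict(chain) -> str:
    """`ssh git@codebasehq.com`: OUTPUT policy is ACCEPT, so the SYN leaves and
    conntrack records the flow; the SYN-ACK from port 22 then hits INPUT."""
    ct = Conntrack()
    ct.record(Packet("tcp", VPS, 51234, CODEBASE, 22))
    return verdict(chain, "DROP", Packet("tcp", CODEBASE, 22, VPS, 51234), ct)


def spoofed_sport_verdict(chain) -> str:
    """Unsolicited SYN to MySQL whose sender picked 9418 as the source port."""
    probe = Packet("tcp", ATTACKER, 9418, VPS, 3306)
    return verdict(chain, "DROP", probe, Conntrack())


if __name__ == "__main__":
    for name, chain in [("asker", ASKER_INPUT), ("answer", ANSWER_INPUT),
                        ("hardened", HARDENED_INPUT)]:
        print(f"{name:9} ssh reply: {ssh_reply_verdict(chain):6} "
              f"sport-9418 probe to 3306: {spoofed_sport_verdict(chain)}")
```

The model shows the asker's chain dropping the SYN-ACK (destination port is the ephemeral 51234, which no rule covers, so the DROP policy applies) and the answer's chain accepting it via ESTABLISHED. It also shows that both the asker's and the answer's chains accept a fresh connection to port 3306 from anyone who sets source port 9418, which is why the tightened chain removes those rules. On a real box, `-m state` still works as an alias, but current iptables prefers the equivalent `-m conntrack --ctstate ESTABLISHED,RELATED`; verify the result with `iptables -L INPUT -v -n` and retry `ssh -v git@codebasehq.com`.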