Ssh – allow ssh outgoing with iptables default policy as drop

iptablessshvps

Good day all

My VPS allows incoming ssh connections as required (see rule),

however attempting outgoing ssh connections fails to connect with

$ ssh xyz.ddns.net
ssh: connect to host xyz.ddns.net port 22: Connection timed out

I have found setting the default policy to accept allows outgoing ssh connections

Chain INPUT (policy DROP)

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh /* SSH-SECURE IN (iface:ALL) */ state NEW,RELATED,ESTABLISHED

NEW – The connection has not yet been seen.

RELATED – The connection is new, but is related to another connection already > permitted.

should allow these outgoing connections?

Best Answer

No. This rule allows INCOMING packets which have destination port 22.

When you establish outgoing connection to remote port 22, your local port is selected randomly. You should have rule

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

otherwise remote server's answers can not reach your server.

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Would it not be easier to switch off ssh forwarding on the ssh server? Just change AllowTcpForwarding from yes to no in your /etc/ssh/sshd_config. If this doesn't suit, you could try something along the lines of

iptables -A OUTPUT -o eth1 -p tcp --cmd-owner "sshd" -j DROP

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Best Answer

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Linux – iptables port forward forwarding

Related Topic