IPTables is running on my web server. I really need SSH dynamic port forwarding, but my IPTables DROPs any INPUT/OUTPUT connection and only allows some ports.
For the FORWARD chain, I wrote these rules:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags:! 0x17/0x02 state NEW
ACCEPT all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 100
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 2/sec burst 10
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
My rules block any SSH dynamic port forwarding connection.
What rules do I need to write?
Don't tell me to "Disable IPTables"; I need the firewall to keep crackers out.
Best Answer
I guess the webserver's INPUT chain already allows ssh; forgive me for asking the obvious.
Now, for the dynamic (-D) tunneling, you also need to allow OUTPUT from the webserver (from any local port there) to the desired remote host(s) and their port(s). By remote I mean those you actually want to connect to via your dynamic tunnel.
So if you plan to use your tunnel to connect to host 1.2.3.4 on port 443, then you need to ALLOW on the webserver OUTPUT from any port to 1.2.3.4:443.
The FORWARD chain is completely irrelevant here.
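As an added illustration of the answer (not code from the question or the answer), the script below prints the OUTPUT rules that let sshd's dynamic-forward connections leave the webserver, limited to the one destination named above. It assumes the chain ends in DROP as the question describes, that the ssh login runs as a Unix user called "tunneluser" (a placeholder), and it only prints the commands so you can review them before running them as root.

```shell
#!/bin/sh
# Added example: OUTPUT rules for ssh -D (dynamic / SOCKS) forwarding.
# sshd makes the outbound connection itself, on the server, so the traffic
# never touches FORWARD; it is plain locally originated OUTPUT traffic.
IPT="${IPT:-iptables}"          # set IPT=/sbin/iptables etc. if needed

# Destinations the tunnel is allowed to reach, one "host:port" per line.
# 1.2.3.4:443 is the host used in the answer; add more lines as required.
TUNNEL_DESTS="1.2.3.4:443"
# Unix user whose ssh session carries the tunnel (assumed placeholder).
# Forwarded connections are opened by the sshd child running as this uid,
# so the owner match keeps other local processes from using the hole.
TUNNEL_USER="tunneluser"

# Prints one iptables command per line; pipe into sh to apply.
emit_output_rules() {
    # Replies to connections that were already accepted keep flowing.
    printf '%s\n' "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Loopback is needed by sshd and most local services.
    printf '%s\n' "$IPT -A OUTPUT -o lo -j ACCEPT"
    # New TCP connections, any local source port, only to listed destinations
    # and only when the socket belongs to the tunnel user.
    printf '%s\n' "$TUNNEL_DESTS" | while IFS=: read -r host port; do
        [ -n "$host" ] && [ -n "$port" ] || continue
        printf '%s\n' "$IPT -A OUTPUT -p tcp -d $host --dport $port -m state --state NEW -m owner --uid-owner $TUNNEL_USER -j ACCEPT"
    done
    # Everything else leaving the box is still dropped, as in the question.
    printf '%s\n' "$IPT -A OUTPUT -j DROP"
}

# Review the output first; then, as root:  emit_output_rules | sh
emit_output_rules
```

Connections the tunnel tries to open to any other host or port will show up as drops in the OUTPUT chain, which is a useful place to watch if a client complains the proxy "does not work".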