Complete.Org: Mailing Lists: Archives: linux-help: March 2002:
[linux-help] Re: ipchains question

[linux-help] Re: ipchains question

To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: ipchains question
From: Benjamin Bunck <bbunck@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 27 Mar 2002 07:26:41 -0600 (CST)
Reply-to: linux-help@xxxxxxxxx


<snip>

> > > 
> > > Then why is it that I can ssh to, say, $SOMEONES_IP, but when I add the
> > > rule:
> > > 
> > > ipchains -A input -i eth0 -s $SOMEONES_IP -d 0.0.0.0/0 -j REJECT
> > > 
> > > to the beginning of my ipchains script, ssh to $SOMEONES_IP just hangs,
> > > and never connects?
> > > 
> > 
> > ssh is not the same as most connections.
> > With ssh it requires a 2-way connection (as I understand it) for
> > security, so even though you originate the connection it also requires a
> > connection that originates from the other end in reply. In other words,
> > you initiate the connection, but the other end has to initiate a
> > parallel connection to verify your address is not spoofed. The
> > connection is then handed off to the reply link, thus the input rule.
> > 
> > Try ftp or telnet with your input rule in place and you should see the
> > difference.
> > 
> > For ssh you will require a rule on the input chain that will allow the
> > connection.
> > 
> >  ipchains -A input -i eth0 -s $SOMEONES_IP -d $YOUR.IP -j ACCEPT
> > 
> 

If I begin my ipchains input ruleset with the rule:

ipchains -A input -i eth0 -s $SOMEONES_IP -d $MY_IP -j REJECT

it seems ftp and http access to $SOMEONES_IP are still blocked.  http and 
ftp will only work if I precede it with something like:

ipchains -A input -i eth0 -s $SOMEONES_IP -d $MY_IP -p tcp ! -y -j ACCEPT

which allows non-syn tcp packets.


Ben


<snip>

-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
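What Ben observes follows from ipchains being a stateless, first-match filter: a REJECT on everything from $SOMEONES_IP also drops the SYN-ACK that host sends back when you open a connection to it, so any outbound TCP connection hangs, not just ssh. The model below is an added illustration, not code from this thread or from ipchains itself; it mimics the input-chain matching for the two rule orderings Ben tried. The addresses, the Packet/Rule classes and the three sample packets are constructed for the example, and the stand-ins for $MY_IP and $SOMEONES_IP are documentation addresses.

```python
from dataclasses import dataclass
from typing import Optional

MY_IP = "192.0.2.10"          # constructed stand-in for $MY_IP
SOMEONES_IP = "198.51.100.7"  # constructed stand-in for $SOMEONES_IP


@dataclass(frozen=True)
class Packet:
    """The handful of header fields the rules in this thread look at."""
    src: str
    dst: str
    proto: str
    syn: bool = False  # TCP SYN flag
    ack: bool = False  # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    """One ipchains rule: -s, -d, -p, -y / ! -y and the -j target."""
    target: str                      # "ACCEPT" or "REJECT"
    src: Optional[str] = None        # -s; None means 0.0.0.0/0
    dst: Optional[str] = None        # -d; None means 0.0.0.0/0
    proto: Optional[str] = None      # -p
    syn_only: Optional[bool] = None  # True for -y, False for ! -y, None if absent

    def matches(self, p: Packet) -> bool:
        if self.src is not None and p.src != self.src:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.syn_only is not None:
            # -y matches a TCP packet with SYN set and ACK clear, i.e. the
            # first packet of a new connection; ! -y matches everything else.
            opens_connection = p.proto == "tcp" and p.syn and not p.ack
            if opens_connection != self.syn_only:
                return False
        return True


def walk_chain(chain, packet, policy="ACCEPT"):
    """First matching rule wins, as in an ipchains chain; else the chain policy."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy


# Three packets that can arrive on the input chain from $SOMEONES_IP (constructed):
ARRIVALS = {
    # reply to a connection we opened (second step of the handshake)
    "syn_ack_reply": Packet(SOMEONES_IP, MY_IP, "tcp", syn=True, ack=True),
    # the other host trying to open a connection to us
    "new_inbound_syn": Packet(SOMEONES_IP, MY_IP, "tcp", syn=True, ack=False),
    # a bare ACK we never asked for (what an ACK scan sends)
    "unsolicited_ack": Packet(SOMEONES_IP, MY_IP, "tcp", syn=False, ack=True),
}

# Ben's first attempt: only the REJECT rule at the top of the input chain.
REJECT_ONLY = [
    Rule("REJECT", src=SOMEONES_IP, dst=MY_IP),
]

# Ben's working version: let non-SYN TCP from that host through before the REJECT.
ACCEPT_REPLIES_FIRST = [
    Rule("ACCEPT", src=SOMEONES_IP, dst=MY_IP, proto="tcp", syn_only=False),
    Rule("REJECT", src=SOMEONES_IP, dst=MY_IP),
]


def verdicts(chain):
    """Map each arriving packet name to the verdict the chain gives it."""
    return {name: walk_chain(chain, pkt) for name, pkt in ARRIVALS.items()}


if __name__ == "__main__":
    for label, chain in (("REJECT only", REJECT_ONLY),
                         ("! -y ACCEPT then REJECT", ACCEPT_REPLIES_FIRST)):
        print(label, verdicts(chain))
```

With REJECT_ONLY every packet from the host is rejected, including the SYN-ACK, which is the hang Ben saw; with the `! -y` ACCEPT in front of it the SYN-ACK gets in while a fresh inbound SYN is still rejected. The caveat the model also makes visible is that `! -y` is a stateless approximation of "replies to my connections": any TCP packet without SYN-and-no-ACK from that host is accepted, an unsolicited bare ACK included, so the host can still ACK-scan you. Tracking real connection state is what the later iptables `--state ESTABLISHED,RELATED` match was added for.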

