Hi,
I've been struggling with this all morning and seem to have a blind spot on what the problem is. I'm trying to use iptables to block traffic on a little cluster of Raspberry Pis, but to allow ssh and ping traffic within it.
The cluster has a firewall server with a wifi card connecting to my home network and an eth0 connection to a switch connecting the Pis within the cluster. All the other Pis just use the switch to talk to each other on a network. They all use IP addresses in the range 10.10.1.2/5. The firewall Pi uses 10.10.1.1 for eth0 and picks up a 192.168.1.122 address from my router on the wifi card.
I have this rule set that is currently preventing me from ssh'ing from the fwl to an internal pi on the cluster. I know that because if I clear the rules I can connect:
root@fwl:~# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
70 5472 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
59 8329 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40 3304 ACCEPT tcp -- any any anywhere anywhere tcp spt:ssh ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- any lo anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:domain state NEW
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
14 1032 DROP all -- any any anywhere anywhere
Here is the script I use to create the rules:
root@fwl:~# cat fwl.cfg
#!/bin/sh
# Flushing all rules
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ssh
iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp --sport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Setting default filter policy
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
I'm no expert on firewalls, but I've been reading a lot this morning about setting up ssh in iptables, and I think the idea is to allow what you want and then append a drop of everything else after those rules.
Most of the pages I've looked at suggest doing this at the start of the rules:
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
and then relaxing the rules for ssh and ping afterwards, but I couldn't get that to work either.
Like I said though, I can connect if I flush the rules out.
Can anyone suggest where I'm going wrong?
Thanks
Steady
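The following is an added example, not code from the original post or from any of the pages it refers to. It models the two chains exactly as `iptables -L -v` printed them above and walks a few constructed packets through them the way netfilter does (first matching rule wins, otherwise the chain policy). The packet that matters is the first SYN of an `ssh 10.10.1.x` typed on fwl: it leaves with an ephemeral source port and destination port 22, in conntrack state NEW, so the OUTPUT rule with `--sport 22` does not match it, the RELATED,ESTABLISHED rule does not match a NEW connection, and it falls through to the final DROP, which is where the 14 dropped OUTPUT packets in the counters come from. The interface names eth0 and wlan0 and the client port 48211 are assumptions made for the constructed packets. The `with_client_ssh_rule` helper shows the effect of one extra ACCEPT for NEW tcp to port 22 in OUTPUT; on a real box you would normally narrow such a rule to the cluster side, for instance with `-o eth0` and a `-d` for the 10.10.1.x addresses, rather than letting ssh out anywhere.

```python
"""Model of how the posted INPUT and OUTPUT chains treat an ssh session
started on the fwl host.  Added example, not code from the original post."""

from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    """Only the fields the posted rules actually match on."""
    proto: str                          # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    ctstate: str = "NEW"                # conntrack state: NEW, RELATED, ESTABLISHED
    icmp_type: Optional[str] = None
    in_if: Optional[str] = None         # ingress interface (INPUT chain)
    out_if: Optional[str] = None        # egress interface (OUTPUT chain)


@dataclass
class Rule:
    """One iptables rule; a None field was not given, so it matches anything."""
    target: str                         # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ctstates: Optional[FrozenSet[str]] = None
    icmp_type: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        wanted = [(self.proto, pkt.proto), (self.sport, pkt.sport),
                  (self.dport, pkt.dport), (self.icmp_type, pkt.icmp_type),
                  (self.in_if, pkt.in_if), (self.out_if, pkt.out_if)]
        if any(w is not None and w != got for w, got in wanted):
            return False
        return self.ctstates is None or pkt.ctstate in self.ctstates


def walk(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """First matching rule wins; fall through to the chain policy otherwise."""
    for idx, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.target, idx
    return policy, None


NEW = frozenset({"NEW"})
REL_EST = frozenset({"RELATED", "ESTABLISHED"})
NEW_REL_EST = NEW | REL_EST

# The chains in the order `iptables -L -v` printed them in the post.
INPUT_AS_POSTED = [
    Rule("ACCEPT", proto="tcp", dport=22, ctstates=NEW_REL_EST),
    Rule("ACCEPT", in_if="lo"),
    Rule("ACCEPT", ctstates=REL_EST),
    Rule("ACCEPT", proto="icmp", icmp_type="echo-request"),
    Rule("ACCEPT", proto="icmp", icmp_type="echo-reply"),
    Rule("DROP"),
]
OUTPUT_AS_POSTED = [
    Rule("ACCEPT", proto="tcp", sport=22, ctstates=NEW_REL_EST),   # --sport 22: only sshd's replies
    Rule("ACCEPT", out_if="lo"),
    Rule("ACCEPT", ctstates=REL_EST),                              # never matches a NEW connection
    Rule("ACCEPT", proto="tcp", dport=80, ctstates=NEW),
    Rule("ACCEPT", proto="tcp", dport=53, ctstates=NEW),
    Rule("ACCEPT", proto="udp", dport=53, ctstates=NEW),
    Rule("ACCEPT", proto="icmp", icmp_type="echo-reply"),
    Rule("ACCEPT", proto="icmp", icmp_type="echo-request"),
    Rule("DROP"),
]

# Constructed packets.  48211 is an arbitrary ephemeral client port; the interface
# names are assumptions (eth0 towards the switch, wlan0 towards the home network).
SSH_SYN_TO_CLUSTER = Packet("tcp", sport=48211, dport=22, ctstate="NEW", out_if="eth0")
SSH_SYNACK_BACK = Packet("tcp", sport=22, dport=48211, ctstate="ESTABLISHED", in_if="eth0")
SSH_SYN_FROM_HOME = Packet("tcp", sport=51000, dport=22, ctstate="NEW", in_if="wlan0")
PING_OUT = Packet("icmp", icmp_type="echo-request", out_if="eth0")


def client_ssh_verdict(output_chain: List[Rule]) -> str:
    """Verdict OUTPUT gives the very first packet of an ssh started on fwl."""
    return walk(output_chain, SSH_SYN_TO_CLUSTER)[0]


def with_client_ssh_rule(output_chain: List[Rule]) -> List[Rule]:
    """Same chain plus an ACCEPT for NEW tcp to port 22, placed before the final DROP."""
    fixed = list(output_chain)
    fixed.insert(len(fixed) - 1, Rule("ACCEPT", proto="tcp", dport=22, ctstates=NEW))
    return fixed


if __name__ == "__main__":
    cases = [
        ("OUTPUT as posted, ssh SYN to cluster", OUTPUT_AS_POSTED, SSH_SYN_TO_CLUSTER),
        ("OUTPUT plus client rule, ssh SYN to cluster", with_client_ssh_rule(OUTPUT_AS_POSTED), SSH_SYN_TO_CLUSTER),
        ("INPUT as posted, SYN-ACK coming back", INPUT_AS_POSTED, SSH_SYNACK_BACK),
        ("INPUT as posted, ssh from home network", INPUT_AS_POSTED, SSH_SYN_FROM_HOME),
        ("OUTPUT as posted, ping out", OUTPUT_AS_POSTED, PING_OUT),
    ]
    for name, chain, pkt in cases:
        verdict, idx = walk(chain, pkt)
        where = "chain policy" if idx is None else f"rule {idx + 1}"
        print(f"{name}: {verdict} ({where})")
```

Running it prints one line per case: the posted OUTPUT chain drops the outbound ssh SYN at rule 9, the SYN-ACK on INPUT is accepted by the RELATED,ESTABLISHED rule (which only works once the SYN was let out, since that is what creates the conntrack entry), inbound ssh from the home network and outbound ping are accepted as the poster intended, and the chain with the extra client rule accepts the SYN.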