Cosmin Nicolaescu on 20 Apr 2005 17:06:00 -0000



Re: [PLUG] iptables


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, April 20, 2005 12:38 pm, Jeff Abrahamson said:
> On Wed, Apr 20, 2005 at 11:01:49AM -0400, Cosmin Nicolaescu wrote:
>> > 2. My ssh session's X forwarding is blocked.  Oops.
>> > [...]
>>
>> About 2., what do you mean 'blocked'? Is it blocked by a firewall, or do
>> you just not have X11Forwarding enabled? (ssh -X, or if you have
>> openssh>3.8 you might want to use -Y to make sure Eterm or such don't
>> just crash with 'Bad Atom' on you.)
>
>     my-ws $ ssh -f iptable-host xterm
>
> Then, on iptable-host in that xterm,
>
>     iptable-host $ ./iptables
>
> and that window doesn't respond for 20 seconds until my failsafe rule
> flush kicks in.
>
>     In the iptables script:
>
>       (sleep 20; iptables -F) &
>
> --
>  Jeff
>
>  Jeff Abrahamson  <http://www.purple.com/jeff/>    +1 215/837-2287
>  GPG fingerprint: 1A1A BA95 D082 A558 A276  63C6 16BF 8C4C 0D1D AE4B
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>

The easiest way I see to solve this problem is to add the following rule:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That will accept all connections that are related to previously-open
connections. Since you open an ssh connection which is allowed, everything
that you'll open related to that connection will be allowed.

Are you filtering on OUTPUT as well? Do you have icmp filtering?

- -Cos

- --
Cosmin Nicolaescu
Systems Administrator
Drexel University
Computer Science Department
University Crossings Rm. 135
(267)-918-8505

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCZovTzJ8rDInR5JcRAjYgAKCS8crctk3C/HPVg05VDd4B3LFNTACeOYkf
vi01SjhlpcFCmyV6uKjhTGk=
=PJLK
-----END PGP SIGNATURE-----
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
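Here is an added example, not code from either poster, that puts the pieces of this thread into one script: the ESTABLISHED,RELATED rule placed ahead of the final DROP, and Jeff's "(sleep 20; iptables -F) &" failsafe turned into a function. It goes a little beyond the reply in two ways. It also accepts loopback traffic, because when sshd forwards X11 it opens the forwarded display on localhost (DISPLAY=localhost:10.0, listening on 127.0.0.1:6010), so an INPUT chain that drops loopback breaks the xterm no matter what the state rule says. And its failsafe resets the chain policy as well as flushing, since "iptables -F" on its own leaves a DROP policy in place and would lock you out anyway. The variable names, the SSH_PORT and FAILSAFE_SECS settings, and the "apply"/"open" verbs are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the PLUG thread). Assumes a Linux host with the
# iptables "state" match available. Set IPT="echo iptables" to print the
# commands instead of loading them, which is how the script can be previewed.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"          # assumed: sshd on the default port
FAILSAFE_SECS="${FAILSAFE_SECS:-20}" # same 20 s window Jeff used

# Build the INPUT chain. Order matters: the conntrack rule comes first so the
# ssh session you are typing in (and anything it forwards) keeps flowing, then
# loopback for the forwarded X11 display sshd opens on 127.0.0.1:6010+, then
# the narrow NEW-connection accepts, then a final catch-all DROP.
load_rules() {
    $IPT -F INPUT
    $IPT -P INPUT ACCEPT   # keep the policy open; the last rule does the dropping
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -j DROP
}

# Undo everything. Flushing alone is not enough if a DROP policy was ever set,
# so the policy is reset explicitly too.
open_up() {
    $IPT -F INPUT
    $IPT -P INPUT ACCEPT
}

# Failsafe timer: reopen the host after FAILSAFE_SECS unless it is cancelled.
# The PID is left in FAILSAFE_PID rather than echoed, so the background job
# does not keep a command substitution waiting on its stdout.
arm_failsafe() {
    (sleep "$FAILSAFE_SECS"; open_up) &
    FAILSAFE_PID=$!
}

case "${1:-}" in
    apply)
        arm_failsafe
        load_rules
        echo "rules loaded; 'kill $FAILSAFE_PID' within ${FAILSAFE_SECS}s keeps them" ;;
    open)
        open_up ;;
    "")
        ;;   # no verb: only define the functions (e.g. when sourced)
    *)
        echo "usage: $0 apply|open" >&2
        exit 2 ;;
esac
```

Run "IPT='echo iptables' sh firewall.sh apply" first to see the exact commands in order; then, as root, "sh firewall.sh apply" and kill the printed PID from the ssh session once the xterm still responds. If the session freezes instead, the timer reopens the chain after 20 seconds exactly as the thread's workaround did.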