Configuring iptables: blocked out on SSH

Aquillo asked:

I am trying to configure a testserver based on CentOS 6.4.
I have changed the default SSH port to another port, 56988. Now I am trying to create a set of rules in order to:

  • Allow connections on 56988 with a maximum rate (to prevent brute force)
  • Accept incoming and outgoing connections on 80 and 443, limited to prevent DoS attacks
  • Block everything else

In order to accomplish this, I have written a small bash script:

#!/bin/bash
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# SSH: record each new connection per source, drop the 8th and later within 60 s
iptables -A INPUT -p tcp --dport 56988 -m state --state NEW -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 56988 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name ssh --rsource -j DROP
iptables -A OUTPUT -p tcp --sport 56988 -m state --state ESTABLISHED -j ACCEPT

# HTTP/HTTPS in (--dports/--sports need the multiport match)
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

# HTTP/HTTPS out
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT

/etc/init.d/iptables save

After running this, though, I am locked out of SSH. What am I doing wrong with this configuration? Thanks in advance!

My answer:


The obvious problem is that you opened port 22, but put ssh listening on port 56988. This is what you need to change.


View the full question and answer on Server Fault.
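The following is an added example, not the asker's script and not the answer above. It is a rule set that implements the three stated goals on a CentOS 6 style box (SSH on 56988, web on 80/443, everything else dropped), written so that the session used to run it survives the flush and so that new SSH connections are explicitly accepted once they pass the `recent` check; the posted script records and rate-limits new connections on 56988 but never adds an ACCEPT for them, so with a DROP policy no new session can get in. The port, the `recent` thresholds and the `limit` values are taken from the question; `IPT`, `dry_run` and `ssh_accept_count` are assumed names introduced here so the rules can be printed and checked without root.

```bash
#!/bin/bash
# Added example: iptables rules for the question's three goals.
# Assumptions (not from the page): iptables 1.4.x as shipped with CentOS 6, run as root
# when applied, SSH on $SSH_PORT. Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-56988}"

firewall_rules() {
  # Go permissive before flushing so the flush itself cannot cut the current session.
  $IPT -P INPUT ACCEPT
  $IPT -P OUTPUT ACCEPT
  $IPT -P FORWARD DROP
  $IPT -F
  $IPT -X

  # Loopback and already-established traffic first, so the limits below only ever see NEW.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # SSH: record each new attempt per source, drop the 8th and later within 60 s
  # (--hitcount counts the packet just recorded by --set), then ACCEPT what is left.
  $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -m recent --set --name ssh --rsource
  $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name ssh --rsource -j DROP
  $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

  # Inbound web: new connections through a token bucket; anything over it hits the DROP policy.
  $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
  # Outbound web (the question wants 80/443 in both directions). DNS is not opened: "block everything else".
  $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

  # Default deny, set last, after every ACCEPT rule is in place.
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
}

# Print the rules instead of loading them (subshell so IPT is not changed globally).
dry_run() {
  ( IPT=echo; firewall_rules )
}

# Sanity check for the lockout in the question: exactly one INPUT rule must ACCEPT new SSH.
ssh_accept_count() {
  dry_run | grep -c -- "-A INPUT .*--dport $SSH_PORT .*-j ACCEPT" || true
}

case "${1:-}" in
  --dry-run) dry_run ;;
  --apply)   firewall_rules && /etc/init.d/iptables save ;;
esac
```

Run it with `--dry-run` first and read the output; then apply it from an existing SSH session, keep that session open (it stays up on the ESTABLISHED rule), and open a second SSH connection to confirm new logins work before trusting the saved rule set. Note that the asker's ordering (policy DROP before any ACCEPT rule, and no ACCEPT for NEW on the SSH port at all) is exactly the pattern this layout avoids.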

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.