Iptables unable to allow ssh through second interface

user2539988 asked:

I am having an issue where I am unable to get outgoing SSH connections to be performed with my current firewall rules from my second interface (eth2).

The machine I am trying to connect from has two interfaces named eth1 and eth2. Their IP addresses are 192.168.0.18 (mask 255.255.255.0) and 10.30.25.1 (mask 255.255.255.248) respectively.

This is the output of my iptables rule set:

# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source          destination
  26  4970 ACCEPT     all  --  lo     *       0.0.0.0/0       0.0.0.0/0
 245 18008 ACCEPT     tcp  --  eth1   *       0.0.0.0/0       0.0.0.0/0     state RELATED,ESTABLISHED
   0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0       0.0.0.0/0     udp spt:53 dpts:1024:65535
   0     0 ACCEPT     tcp  --  eth1   *       192.168.0.0/24  0.0.0.0/0     tcp spts:1024:65535 dpt:22 state NEW
  82 12248 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source          destination
  0     0 ACCEPT     all  --  eth2   eth1    0.0.0.0/0       0.0.0.0/0     state RELATED,ESTABLISHED
  0     0 ACCEPT     all  --  eth1   eth2    0.0.0.0/0       0.0.0.0/0     state NEW,RELATED,ESTABLISHED
  0     0 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source          destination
 26  4970 ACCEPT     all  --  *      lo      0.0.0.0/0       0.0.0.0/0
173 20104 ACCEPT     all  --  *      eth1    0.0.0.0/0       0.0.0.0/0     state RELATED,ESTABLISHED
  5   300 ACCEPT     all  --  *      eth2    0.0.0.0/0       0.0.0.0/0     state RELATED,ESTABLISHED
  0     0 ACCEPT     udp  --  *      eth1    0.0.0.0/0       0.0.0.0/0     udp spts:1024:65535 dpt:53
  0     0 ACCEPT     tcp  --  *      eth1    0.0.0.0/0       0.0.0.0/0     tcp dpt:22
  1    60 ACCEPT     tcp  --  *      eth2    0.0.0.0/0       0.0.0.0/0     tcp dpt:22
  7   564 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0

With this rule set I am able to connect via SSH from 192.168.0.18 (eth1) to any machine on the 192.168.0.0/24 subnet with no problem whatsoever. However, when I try to connect through the other interface (eth2, 10.30.25.1) to a machine on 10.30.25.0/29, it cannot make a connection.

I then tried to flush the rules and do something like this:

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables-save

Allowing everything, it works with no problem, meaning that the target machine is up and accepting connections and that my routing tables should have no issue.

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.30.25.0      0.0.0.0         255.255.255.248 U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth2
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

Yet I obviously don't want to do this. Basically there is a problem in my rule set but I cannot figure it out. I thought that having an ACCEPT in the OUTPUT policy for SSH (22) would do the trick but that failed.

I am running CentOS 6.5 x86_64 on VMware.

My answer:


Here is the problematic rule:

 245 18008 ACCEPT     tcp  --  eth1   *       0.0.0.0/0       0.0.0.0/0     state RELATED,ESTABLISHED

You are only allowing return input traffic on the eth1 interface. Remove this restriction and you will find that your outgoing traffic on eth2 starts working.


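As an added illustration (not part of the question or the answer above), here is a small Python check that parses an `iptables -L -v -n` listing and reports interfaces on which OUTPUT accepts new flows while no INPUT rule accepts the RELATED,ESTABLISHED replies. It is run over the relevant rows from the question, and again over the same rows with the answer's fix (no `-i eth1` on the return rule) applied; the sample listing is constructed from the question.

```python
"""Check an `iptables -L -v -n` listing for interfaces whose outbound
flows are allowed but whose return packets are not accepted by INPUT."""
import re

# Constructed sample: the INPUT and OUTPUT rows from the question that
# matter for the check (DROP rows omitted).
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source          destination
  26  4970 ACCEPT     all  --  lo     *       0.0.0.0/0       0.0.0.0/0
 245 18008 ACCEPT     tcp  --  eth1   *       0.0.0.0/0       0.0.0.0/0     state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source          destination
   0     0 ACCEPT     tcp  --  *      eth1    0.0.0.0/0       0.0.0.0/0     tcp dpt:22
   1    60 ACCEPT     tcp  --  *      eth2    0.0.0.0/0       0.0.0.0/0     tcp dpt:22
"""
# The fix from the answer: drop the interface restriction on the return rule.
FIXED = SAMPLE.replace("tcp  --  eth1   *", "all  --  *      *")

def parse_rules(listing):
    """Return {chain: [(target, in_iface, out_iface, states_or_None)]}."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            cur = m.group(1)
            chains[cur] = []
            continue
        f = line.split()
        if len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        # both the legacy "state" and the conntrack "ctstate" match are handled
        st = re.search(r"(?:ct)?state (\S+)", " ".join(f[9:]))
        chains[cur].append((f[2], f[5], f[6], set(st.group(1).split(",")) if st else None))
    return chains

def unreturned_interfaces(listing):
    """Interfaces where OUTPUT accepts NEW flows but no INPUT rule accepts
    ESTABLISHED replies on that interface (or on any interface, '*')."""
    chains = parse_rules(listing)
    replies = {i for t, i, _, s in chains.get("INPUT", [])
               if t == "ACCEPT" and s and "ESTABLISHED" in s}
    if "*" in replies:
        return []  # a wildcard return rule covers every interface
    outbound = {o for t, _, o, s in chains.get("OUTPUT", [])
                if t == "ACCEPT" and o not in ("lo", "*") and (s is None or "NEW" in s)}
    return sorted(outbound - replies)
```

For the question's rules this reports `['eth2']`; with the answer's fix applied it reports nothing.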
View the full question and answer on Server Fault.
