Page last updated:
2003 Mar 10 18:44

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] SSH On Home Network

On Mon, Mar 10, 2003 at 04:00:04PM -0800, ME wrote:
> Looking at the output from the iptables, I don't see a rule permitting
> packets with a syn flag set to port 22 for ssh.

Perhaps I've read it wrong... but

- The only TCP reject rule that has killed *any* packets got 6 packets.

- The machine is set to reply by icmp-port-unreachable and he is getting
  a no-route-to-host.

- There are no rules that appear to block ICMP traffic and he can't

  So he has got to be testing the wrong IP... or have something
  else preventing his tests from reaching the eth device.


# Chain RH-Lokkit-0-50-INPUT (1 references)
#  pkts bytes target     prot opt in     out     source 
#     0     0 ACCEPT     tcp  --  *      *
#          tcp dpt:22 flags:0x16/0x02 

#     6   360 REJECT     tcp  --  *      *
#          tcp dpts:0:1023 flags:0x16/0x02 reject-with
#     icmp-port-unreachable 

> (Background: this is taken from examination of the "flags" section, and
> having an understanding of a tcp packet and the flags
> http://mike.passwall.com/networking/tcppacket.html )

- Even then the tcp port 22 rule allows packets with flags:0x16/0x02,
  and the only tcp killing rule only drops packets with flags:0x16/0x02.
  So if ssh ever sent packets like that there would be indications in the
  accepted counters... which there are none.

- *IF* any packets fall off the end of this "RH-Lokkit-0-50-INPUT" chain,
  they will be accepted... because INPUT is set to ACCEPT by default.

  I personally don't like the style of those rules... if they want to
block everything that is not allowed the default rules should be REJECT
and there should be rules to only accept good traffic.
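To check a reading like the one above mechanically, here is an added Python example (not part of the original post or the list archive) that parses a verbose chain listing, decodes the flags:mask/set match into flag names, and reports which rules never fired and what happens to traffic that falls off the end of the chain. The listing is a constructed sample built from the chain quoted above with its wrapped lines joined, and the chain policy is an assumption supplied by the caller, since a user-defined chain listing does not print it.

```python
import re

# TCP flag bits in the order iptables uses for "flags:<mask>/<set>" (low bit first)
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Columns of `iptables -L <chain> -v -n`: pkts bytes target prot opt in out source destination [match text]
# Counters are read as plain integers; listings printed with K/M/G suffixes (-v without -x) are not handled.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

# Constructed sample: the chain quoted in the post, with each rule's wrapped lines joined onto one line
SAMPLE_DUMP = """\
Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   tcp dpt:22 flags:0x16/0x02
    6   360 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
"""

def decode_flags(spec):
    """'0x16/0x02' -> flags examined by the mask, those that must be set, those that must be clear."""
    mask, want = (int(x, 16) for x in spec.split("/"))
    def names(bits):
        return [n for b, n in TCP_FLAGS if bits & b]
    return {"examined": names(mask), "set": names(want), "clear": names(mask & ~want)}

def parse_rules(dump):
    """Extract counters, target, protocol, destination port(s) and decoded flags for each rule line."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Chain ..." header, column header or blank line
        pkts, byts, target, proto, extra = m.groups()
        flags = re.search(r"flags:(0x[0-9a-fA-F]+/0x[0-9a-fA-F]+)", extra)
        ports = re.search(r"dpts?:(\S+)", extra)
        rules.append({"pkts": int(pkts), "bytes": int(byts), "target": target, "proto": proto,
                      "dports": ports.group(1) if ports else None,
                      "flags": decode_flags(flags.group(1)) if flags else None})
    return rules

def audit_chain(dump, policy):
    """Summarise what the counters show and the fate of traffic no rule matches.

    `policy` is the built-in chain's policy (assumed here; `iptables -L INPUT` prints it as
    "policy ACCEPT"), which decides what happens when a packet falls off the end of the chain.
    """
    rules = parse_rules(dump)
    never_hit = [r for r in rules if r["pkts"] == 0]
    syn_only = [r for r in rules if r["flags"] and r["flags"]["set"] == ["SYN"]]
    return {"rules": rules, "never_hit": never_hit, "syn_only_rules": len(syn_only),
            "unmatched_fate": policy, "open_by_default": policy == "ACCEPT"}
```

A rule with `flags:0x16/0x02` examines SYN, RST and ACK and matches only when SYN alone is set, i.e. the first packet of a new connection; a zero counter on such an ACCEPT rule means no connection attempt to that port ever reached the chain.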
