
I'm setting up a new CentOS 5.6 system and can't get my iptables firewall to work correctly. It won't let me use SSH through it. I'm new to CentOS but not to Linux or iptables.

I've been removing things until I have isolated the problem. I set up the firewall with a default ACCEPT rule for the INPUT chain. I can connect through to the server fine. If I change the command to only allow traffic from the interface connecting to my trusted network, it stops working.

Working:

iptables -A INPUT -s 0/0 -d 0/0 -j ACCEPT

Failing:

iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT

I've double-checked that the IP address I'm using corresponds to eth0 using ifconfig.

Any ideas where I went wrong?

Khaled
  • Are the iptables rejects getting logged (e.g. to /var/log/messages)? You might need `kern.* /var/log/messages` in `/etc/rsyslog.conf` as well as `-j LOG --log-prefix "iptables denied: " --log-level 7` or something like that. –  Nov 03 '12 at 20:54
  • hmmm... I edited rsyslog.conf and enabled logging of kern messages to the messages file. Now it works. I have no idea what happened. Sigh. Thanks for the help! I notice it connects much faster now so something changed. I'll vote you up one anyway though. – Jay Nov 03 '12 at 22:04
  • I just figured it out. I have a USB to ethernet box from Trendnet (TU2-ET100). If I plug this device in the connectivity to the box fails. If I unplug it with no other changes then it works – Jay Nov 03 '12 at 22:23
  • I've downloaded and booted a live cd of Linux Mint. It does exactly the same thing with the same hardware. – Jay Nov 06 '12 at 04:39
  • watch what happens in /var/log/syslog when you plug it in... –  Nov 06 '12 at 05:10
  • No activity in mint's /var/log/kern.log after recognizing the boot devices. Under mint I get a notification in the GUI that it's been plugged in and unplugged. – Jay Nov 06 '12 at 12:15
  • Try killing the GUI completely and any automatic network management software, then see what happens on the command line when you plug in. Perhaps post `ifconfig` before and after on gist? –  Nov 06 '12 at 15:19
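The logging suggested in the comments is the quickest way to see why an interface-restricted INPUT rule drops a connection: every packet that reaches the `-j LOG` rule is written to the kernel log with `IN=<interface>`, `SRC=`, `DST=`, `PROTO=` and `DPT=` fields, so a filter on destination port 22 shows which interface the SSH packets are actually arriving on. The script below is an added example, not code from the thread; it parses constructed log lines in the layout produced by `-j LOG --log-prefix "iptables denied: "` (the interface name `eth1` for the second adapter and all addresses are assumptions, since the question does not name them) and reports drops per interface and port, flagging any that did not come in on the interface the rule expected.

```python
import re
from collections import Counter

# Constructed sample lines (not captures from the question) in the syslog layout that
# `iptables -j LOG --log-prefix "iptables denied: "` produces in /var/log/messages.
# eth0 is the interface the ACCEPT rule names; eth1 stands in for the USB adapter.
SAMPLE_LOG = """\
Nov  3 20:40:01 centos kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 20:40:04 centos kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 20:40:09 centos kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=TCP SPT=44000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  3 20:40:11 centos kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov  3 20:40:12 centos sshd[1234]: Server listening on 0.0.0.0 port 22.
"""

# A netfilter LOG line always carries IN= and OUT= right after the optional prefix.
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<in>\S*) OUT=(?P<out>\S*) (?P<rest>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict of KEY=value fields for a LOG line, or None for any other log line.

    Bare flags such as DF or SYN carry no '=' and are deliberately ignored.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix").strip(), "IN": m.group("in"), "OUT": m.group("out")}
    for key, val in KV_RE.findall(m.group("rest")):
        fields.setdefault(key, val)  # keep the first ID= (the IP header one) if repeated
    return fields


def summarize_drops(log_text, expected_iface):
    """Count dropped packets per (inbound interface, protocol, destination port).

    Also return every drop whose inbound interface is not `expected_iface`: those are
    the packets an `-i <expected_iface>` ACCEPT rule can never match.
    """
    counts = Counter()
    unexpected = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        counts[(f["IN"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
        if f["IN"] != expected_iface:
            unexpected.append((f["IN"], f.get("SRC"), f.get("PROTO"), f.get("DPT")))
    return counts, unexpected


def interfaces_dropping_port(log_text, port):
    """Sorted list of interfaces on which packets to `port` were logged as dropped."""
    found = set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("DPT") == str(port):
            found.add(f["IN"])
    return sorted(found)


if __name__ == "__main__":
    counts, unexpected = summarize_drops(SAMPLE_LOG, "eth0")
    for (iface, proto, dport), n in sorted(counts.items()):
        print(f"{iface:6} {proto:5} dport={dport:4} dropped={n}")
    print("SSH (22) arriving on:", interfaces_dropping_port(SAMPLE_LOG, 22))
    for iface, src, proto, dport in unexpected:
        print(f"not on expected interface: IN={iface} SRC={src} {proto} DPT={dport}")
```

Run it against a real `/var/log/messages` by feeding the file contents to `summarize_drops` with the interface your ACCEPT rule names. If SSH drops show up with a different `IN=` value, the fix is in routing or the rule's interface match, not in the SSH service; the same report also surfaces unrelated drops on the external interface, which is what the LOG rule is for once the firewall is in service.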

1 Answer


The routing for the interfaces was created automatically. The iptables rule I put in place caused all outgoing packets to be dropped because they were routed to a different interface than I expected.
