# iptables rule breaks ssh

## colsandurz

I'm trying to set up this set of iptables rules:

```sh
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 873 -j ACCEPT
$IPTABLES -A INPUT -j REJECTLOG
```

I have two problems.  The first is that when I set the second command, iptables complains about "REJECT" being a bad argument.  I have no idea why it doesn't like it; iptables expects a string there.

From the man page for iptables:

*Quote:*

> --log-prefix prefix
>
>     Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.

Also I get the same complaint from " or '.

The second problem I'm having is that the last command kills ssh despite me trying to keep port 22 open.  Is this just because of the previous error?

Also, I have a general iptables question:  Can I put these rules in a file and if so, in what file?

Thanks for any help.

----------

## Sadako

 *colsandurz wrote:*   

> $IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "

 You haven't stated what $LOG is defined as, but I believe --log-prefix may only be used with "-j LOG"

 *colsandurz wrote:*   

> The second problem I'm having is that the last command kills ssh despite me trying to keep port 22 open.

 You're accepting any NEW packets to port 22, however all but the first packets of a connection will be ESTABLISHED, and as you haven't specifically ACCEPTed established packets, they are traversing the REJECTLOG chain when you add the last rule, where all packets are REJECTed.

Easiest fix: replace "--state NEW -p tcp --dport 22 -j ACCEPT" with "--state NEW,ESTABLISHED -p tcp --dport 22 -j ACCEPT", or add a general rule to accept all ESTABLISHED packets, as you'll need it for your http, https and rsync services as well.

 *colsandurz wrote:*   

> Also, I have a general iptables question:  Can I put these rules in a file and if so, in what file?

The simplest method is to get all the iptables rules you want loaded and working, then run `/etc/init.d/iptables save`, so they'll be saved to the default file (defined in /etc/conf.d/iptables); adding /etc/init.d/iptables to your boot or default runlevel will then load the rules at boot.

Don't forget to edit /etc/conf.d/iptables to your needs.

Alternatively, you can create a simple shell script to load the rules for you (which you appear to be doing with $IPTABLES, $RLIMIT & co).

----------

## Hu

One advantage of using the initscripts is that they can load the rules atomically.  If any rule fails, the entire load fails.

You should probably add a rule -i lo -j ACCEPT so that loopback connections are allowed unconditionally.  Very few applications expect loopback to be blocked.

----------

## colsandurz

Yeah, I'm not really sure how to set $LOG and $RLIMIT

Here's what I've got now:

```sh
IPTABLES=iptables
LOG="-m LOG --log-level 4 --log-prefix 'REJECT '"
RLIMIT="-m limit --limit 5/s --limit-burst 15"
```

and changed the rule to:

```sh
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT
```

This is the error I get:

```
Bad argument `LOG'
```

Do I have to do anything like restart the log daemon or edit /etc/syslog.conf?

----------

## Sadako

 *colsandurz wrote:*   

> Yeah, I'm not really sure how to set $LOG and $RLIMIT
> 
> Here's what I've got know
> 
> IPTABLES=iptables
> ...

 Try LOG="LOG -m LOG --log-level 4 --log-prefix 'REJECT '"

What you have there will evaluate to "-j -m LOG", whereas you actually need "-j LOG", LOG is the target.
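Pulling the replies together (Sadako's ESTABLISHED rule and `-j LOG` target fix, Hu's loopback rule), here is the rule set as a runnable script. This is an added example, not code posted in the thread or shipped with Gentoo's iptables initscript. It assumes the service ports from the first post; `IPTABLES` defaults to a dry run that only prints the commands so it can be reviewed without root, and `expand_words` is a helper added here to show what the shell actually hands to iptables when a variable is used after `-j`.

```shell
#!/bin/sh
# Added example (not from the thread): the corrected rule set plus a small
# demonstration of the word-splitting problem behind "Bad argument `LOG'".
#
# IPTABLES defaults to a dry run that only prints the commands, so the script
# can be run unprivileged; set IPTABLES=iptables to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Rate limit for the log rule so a port scan cannot flood syslog.
RLIMIT="-m limit --limit 5/s --limit-burst 15"

# The log prefix is passed as ONE quoted argument at the call site; quotes
# embedded inside a variable are not removed by expansion (see expand_words).
LOG_PREFIX="REJECT "

# Run one iptables command. $IPTABLES is deliberately unquoted so that the
# dry-run default "echo iptables" splits into a command and an argument.
rule() {
    $IPTABLES "$@"
}

# Undo a previous load so the script can be re-run (-N fails if the chain exists).
reset_rules() {
    rule -F INPUT
    rule -F REJECTLOG 2>/dev/null || true
    rule -X REJECTLOG 2>/dev/null || true
}

load_rules() {
    rule -N REJECTLOG
    # LOG is the *target*, so -j LOG comes first and --log-level/--log-prefix
    # are its options; the limit match goes before the target.
    rule -A REJECTLOG $RLIMIT -j LOG --log-level 4 --log-prefix "$LOG_PREFIX"
    rule -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
    rule -A REJECTLOG -j REJECT

    # Loopback is accepted unconditionally (Hu's suggestion).
    rule -A INPUT -i lo -j ACCEPT
    # One general rule for the reply packets of every accepted connection
    # (Sadako's suggestion). RELATED is an addition beyond the thread: it
    # covers ICMP errors and helper-tracked data connections.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections to the published services (ports from the first post).
    for port in 22 80 443 873; do
        rule -A INPUT -m state --state NEW -p tcp --dport "$port" -j ACCEPT
    done

    # Everything else is logged and rejected. This must stay the last rule.
    rule -A INPUT -j REJECTLOG
}

# Show how "-j $VAR" reaches iptables: one expanded word per line.
# With VAR="-m LOG ..." the target argument after -j becomes "-m", which is
# exactly the "Bad argument" the original poster saw.
expand_words() {
    set -- -j $1
    printf '%s\n' "$@"
}

reset_rules
load_rules
```

Run it as-is to see the commands it would issue, then with `IPTABLES=iptables` (as root) to apply them. Two things the script deliberately does differently from the original variables: the prefix is quoted at the call site rather than inside `LOG`, because `LOG="... --log-prefix 'REJECT '"` expands to the literal words `'REJECT` and `'` (the shell does word splitting on an unquoted variable but never quote removal), and `reset_rules` flushes INPUT first so `-N REJECTLOG` does not fail on a second run. Note that `-F INPUT` also drops any INPUT rules added by other tools on the host.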

----------

