On 28/08/08 22:13:38, Dan Hatton wrote:
On Thu, 28 Aug 2008, Barry Samuels wrote:
Knockd runs a script which adds or deletes an IPTables rule to allow SSH access. The knockd script part works inasmuch as it adds the required rule.
The problem is that the firewall on my computer still blocks SSH access. This is so that I can access my computer when away from home, and that's the only time I can test or try it; consequently it's all rather long-winded. SSH access is by key only and login is prohibited.
This is my last effort:
iptables -A INPUT -p tcp --dport 22:22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 22:22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
IPtables has a list of rules to use in deciding what to do with packets. When a packet arrives, it goes through the rules in the order they were added. As soon as it finds a rule that tells it what to do with the packet in question, it does that thing, and ignores the remainder of the list of rules. So, it could be that some rule that was added earlier is telling it to drop or reject the ssh packets, and it never gets to these last two rules that were added.
Thanks Dan.
I do know that BUT it's something I keep forgetting, and I think that it may apply in this case. I've changed the -A to -I and put those two rules as numbers 1 & 2. Using one of those port probes available on the Internet, I checked before and after, and it does seem that the port is being opened.
I won't know the results for sure until I go away again. Here's hoping.
You can obtain the full list of rules that apply at any given time with
iptables -L
That's how I checked in the first place. :-))
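The knockd hook the thread is about, written out as an added example (not Barry's script): it applies Dan's ordering point by inserting with -I at the head of INPUT rather than appending with -A, and it limits the rule to the knocking address through knockd's %IP% placeholder instead of opening port 22 to everyone. The script path, the knockd.conf lines quoted in the header and the IPTABLES/SSH_PORT override variables are assumptions.

```shell
#!/bin/sh
# ssh-knock.sh: the script knockd calls to open or close SSH for the knocking host.
# Added example, not Barry's script. Assumed knockd.conf entries:
#   command = /usr/local/sbin/ssh-knock.sh open %IP%     (in the open sequence)
#   command = /usr/local/sbin/ssh-knock.sh close %IP%    (in the close sequence)
# Two points from the thread: the rule goes in with -I (position 1) so it is
# matched before any earlier DROP/REJECT in INPUT, and it is limited to the
# knocking address (-s) rather than opening port 22 to the whole Internet.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # point at a stub function for a dry run
SSH_PORT="${SSH_PORT:-22}"

# Rule specification shared by -C (check), -I (insert) and -D (delete).
# $1 = source address allowed to reach sshd.
ssh_rule_spec() {
    printf 'INPUT -s %s -p tcp --dport %s -j ACCEPT' "$1" "$SSH_PORT"
}

# Insert the allow rule at the head of INPUT unless it is already there.
# Word splitting of $spec into separate arguments is intended.
open_ssh() {
    spec=$(ssh_rule_spec "$1")
    if "$IPTABLES" -C $spec 2>/dev/null; then
        return 0                          # already open for this host
    fi
    "$IPTABLES" -I $spec                  # -I, not -A: lands at position 1
}

# Remove the allow rule for the host; succeed quietly if it was never present.
close_ssh() {
    spec=$(ssh_rule_spec "$1")
    if "$IPTABLES" -C $spec 2>/dev/null; then
        "$IPTABLES" -D $spec
    fi
}

main() {
    case "${1:-}" in
        open)  open_ssh "$2" ;;
        close) close_ssh "$2" ;;
        *)     echo "usage: $0 open|close IP" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with arguments, so the file can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Confirm the position afterwards with `iptables -L INPUT -n --line-numbers`; the ACCEPT for the knocking address should be rule 1.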