From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-user+bounces-147839-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id E02B71381F3
	for <garchives@archives.gentoo.org>; Tue, 21 May 2013 16:15:11 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 76265E08F9;
	Tue, 21 May 2013 16:15:00 +0000 (UTC)
Received: from mail-bk0-f42.google.com (mail-bk0-f42.google.com [209.85.214.42])
	(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 25DEAE08E6
	for <gentoo-user@lists.gentoo.org>; Tue, 21 May 2013 16:14:58 +0000 (UTC)
Received: by mail-bk0-f42.google.com with SMTP id jk13so527171bkc.15
        for <gentoo-user@lists.gentoo.org>; Tue, 21 May 2013 09:14:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:subject:references
         :in-reply-to:content-type:content-transfer-encoding;
        bh=KjPvRxT/U2LCYvAT0ECvIzlD6qpM4RYeCcRBk5g4Hsw=;
        b=tiumIX92zqN5YJzw8dAOjpzP4s6nzQNdEcZ4+LWRg41G06OgKcclI9wNQ/V2IGvY9v
         HHrYkmvTGcLJWgBhRmeQgtdmJ0ZQapx8cGQf3KDvyKnAkEgIXngIEPmcuwIDdVbwg2i3
         C7W0MnLsQvOHDR/WjZXkeTBOITytMwE3XbI+93j1/1kCdhnxD2zPScFGxkhpbQMG1jCF
         modwiHsrFPXhwZ4nfZg8TkZU+xWZVye6fjwnIhiu7Uwg7Hsl+U6rIluAdnlvM6yHqzj4
         x4LbqcQEr17adRL6ULv9jBD3a41emUAwq3UNltbbihuyRtoV+ZH1lqJWnt/07w5+JSjR
         Avxw==
X-Received: by 10.204.171.136 with SMTP id h8mr1756198bkz.18.1369152897621;
        Tue, 21 May 2013 09:14:57 -0700 (PDT)
Received: from [172.20.0.41] (196-210-102-103.dynamic.isadsl.co.za. [196.210.102.103])
        by mx.google.com with ESMTPSA id tl1sm955658bkb.7.2013.05.21.09.14.55
        for <gentoo-user@lists.gentoo.org>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Tue, 21 May 2013 09:14:56 -0700 (PDT)
Message-ID: <519B9D5E.7050305@gmail.com>
Date: Tue, 21 May 2013 18:14:22 +0200
From: Alan McKinnon <alan.mckinnon@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130518 Thunderbird/17.0.6
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: IPTables - Going Stateless
References: <CAGWRaZbwp8jDPxDzHX6g_LkpK74iB6K4GSoU7c_5THDSx1oDmQ@mail.gmail.com> <201305211133.03830.neal.p.murphy@alum.wpi.edu> <CAGWRaZazr2gXcrDFcOaVBCq_Tia7rZOg_DprsTvL-ec5T8dduQ@mail.gmail.com>
In-Reply-To: <CAGWRaZazr2gXcrDFcOaVBCq_Tia7rZOg_DprsTvL-ec5T8dduQ@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Archives-Salt: ea471f25-2cf1-494d-a752-eb539c8b6683
X-Archives-Hash: f290505430590212b7525fd16244d887

On 21/05/2013 18:01, Nick Khamis wrote:
> For testing purposes I changed the ssh rule to:
> 
> -A TCP -p tcp -m tcp --dport 22 -j ACCEPT
> -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
> 
> And still no go. As mentioned before, everything works fine until I
> try to close up the rest of the ports not opened up in the chains
> "UDP" and "TCP" stated above:
> 
> #echo -e "       - Dropping input TCP and UDP traffic to closed ports"
> -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
> 
> #echo -e "       - Dropping output TCP and UDP traffic to closed ports"
> -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
> 
> #echo -e "       - Dropping input traffic to remaining protocols sent
> to closed ports"
> -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
> 
> #echo -e "       - Dropping output traffic to remaining protocols sent
> to closed ports"
> -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
> 
> That is when I cannot SSH over to the server.


Now you are feeling the pain.

Drive to where the router is and fix it on the console then put
conntrack back.



-- 
Alan McKinnon
alan.mckinnon@gmail.com
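The exchange above shows the classic stateless-firewall failure: the client's SYN is accepted on INPUT (dport 22), but once conntrack is gone nothing in OUTPUT lets sshd's SYN-ACK back out, so the catch-all `-p tcp -j REJECT --reject-with tcp-rst` kills the handshake. The following is an added example written for this page, not code from the thread or from Gentoo: it models netfilter's first-match evaluation of the poster's INPUT and OUTPUT rules (interface matches, the separate TCP/UDP user chains and the `--reject-with` options are omitted, and `--syn` is approximated as "SYN set, ACK clear"), traces an SSH handshake through them, and renders the one extra OUTPUT rule a stateless ruleset needs. The client port 50000 is a constructed value.

```python
"""Model of the stateless iptables rules from the thread (added example, not the poster's script)."""
from dataclasses import dataclass
from typing import Optional

ACCEPT, REJECT = "ACCEPT", "REJECT"


@dataclass(frozen=True)
class Pkt:
    """Only the fields the thread's rules look at; -i/-o interface is ignored in this model."""
    proto: str
    sport: int
    dport: int
    syn: bool = False  # SYN flag set
    ack: bool = False  # ACK flag set


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None  # True models --syn, False models ! --syn, None means no flag match

    def matches(self, p: Pkt) -> bool:
        # Real --syn means SYN set with ACK, RST and FIN clear; "SYN and not ACK"
        # is a simplification that is accurate for the handshake traced below.
        is_syn_only = p.syn and not p.ack
        return ((self.proto is None or p.proto == self.proto)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (self.syn is None or is_syn_only == self.syn))


def evaluate(chain, p: Pkt, policy: str = ACCEPT) -> str:
    """First matching rule decides, as in a netfilter chain; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


def to_iptables(chain_name: str, r: Rule) -> str:
    """Render a Rule as an iptables-restore line (without -o/--reject-with, which the model drops)."""
    parts = [f"-A {chain_name}"]
    if r.proto:
        parts.append(f"-p {r.proto}")
    if r.sport is not None:
        parts.append(f"--sport {r.sport}")
    if r.dport is not None:
        parts.append(f"--dport {r.dport}")
    if r.syn is True:
        parts.append("--syn")
    elif r.syn is False:
        parts.append("! --syn")
    parts.append(f"-j {r.target}")
    return " ".join(parts)


# Poster's INPUT as seen by a client: the TCP chain accepts dport 22, then the catch-alls reject.
INPUT_CHAIN = [Rule(ACCEPT, proto="tcp", dport=22),
               Rule(REJECT, proto="tcp"), Rule(REJECT, proto="udp"), Rule(REJECT)]

# Poster's OUTPUT: only the catch-all REJECTs remain once the conntrack rule is removed.
POSTER_OUTPUT = [Rule(REJECT, proto="tcp"), Rule(REJECT, proto="udp"), Rule(REJECT)]

# Stateless fix: explicitly allow sshd's half of the conversation before the catch-alls.
FIXED_OUTPUT = [Rule(ACCEPT, proto="tcp", sport=22, syn=False)] + POSTER_OUTPUT


def trace_ssh_handshake(output_chain, input_chain=INPUT_CHAIN, client_port=50000):
    """Verdict for each packet of a TCP handshake plus one data segment in each direction."""
    steps = [
        ("client SYN", "in", Pkt("tcp", client_port, 22, syn=True)),
        ("server SYN-ACK", "out", Pkt("tcp", 22, client_port, syn=True, ack=True)),
        ("client ACK", "in", Pkt("tcp", client_port, 22, ack=True)),
        ("client data", "in", Pkt("tcp", client_port, 22, ack=True)),
        ("server data", "out", Pkt("tcp", 22, client_port, ack=True)),
    ]
    return {name: evaluate(input_chain if direction == "in" else output_chain, p)
            for name, direction, p in steps}


if __name__ == "__main__":
    for label, chain in (("poster's OUTPUT", POSTER_OUTPUT), ("fixed OUTPUT", FIXED_OUTPUT)):
        print(f"{label}: {trace_ssh_handshake(chain)}")
    print("\n".join(to_iptables("OUTPUT", r) for r in FIXED_OUTPUT))
```

With the poster's OUTPUT chain the trace shows the SYN-ACK rejected (and, on the real box, answered with a forged RST), which is exactly the "cannot SSH over" symptom; with `-A OUTPUT -p tcp --sport 22 ! --syn -j ACCEPT` in front of the catch-alls the whole handshake passes. The caveat is that stateless return-path rules only get weaker from here: to let the router's own outbound connections back in, the mirror rule on INPUT would have to be `-p tcp ! --syn -j ACCEPT`, which admits any non-SYN segment from anyone (ACK scans and injected segments included). That is why `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` is the better answer, as the reply above says.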