Hello list,

I cannot connect to our network from home. I always get the error message: Connection refused at port 10022. The sshd doesn't log anything in /var/log/messages and the firewall script is also empty. Without the active firewall I can login without any problems. We are running SuSE Linux 7.3.

Does anyone have an idea what is wrong with our firewall script? Any hint is welcome.

Million thanks for your help,
Ralf Schoenian

And here comes the script:

#!/bin/bash
### Delete existing rules (built-in chains, user-defined chains) and
### reset the counters.
iptables -F
iptables -X
iptables -Z

# Default policy.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

### ===========================================================
### Variables
IFACE="ppp0"
IFACE2="vmnet1"
IFACE3="eth0"
BROADCAST="192.168.1.255"
LOOPBACK="127.0.0.0/8"
CLASS_C="192.168.0.0/16"
UP_PORTS="1024:65535"
#UP_PORTS="1:65535"

### ============================================================
### Kernel flags

### We do not respond to pings.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
### We do not want to respond to broadcasts either.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
### Source-routed packets are not accepted. With them attackers can
### pretend to come from inside the network.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
### We do not want ICMP redirects, since they can be abused to
### change our routes.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
### Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

### ============================================================
### RULES

### LOOPBACK
### Locally we really allow everything. Some programs use the lo device.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

### Local devices
#
iptables -A INPUT -i $IFACE2 -j ACCEPT
iptables -A OUTPUT -o $IFACE2 -j ACCEPT
iptables -A INPUT -i $IFACE3 -j ACCEPT
iptables -A OUTPUT -o $IFACE3 -j ACCEPT

### SYN-FLOODING PROTECTION
#
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

### FRAGMENTS
#
iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i $IFACE -f -j DROP

### SPOOFING
#
### All packets that arrive from the Internet and claim to come from a
### class C network are ignored.
iptables -A INPUT -i $IFACE -s $CLASS_C -j DROP
iptables -A INPUT -i $IFACE -d $LOOPBACK -j DROP
# Refuse broadcast address packets.
iptables -A INPUT -i $IFACE -d $BROADCAST -j DROP

## DNS
# Allow UDP packets in for DNS client from nameservers.
iptables -A INPUT -i $IFACE -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow UDP packets to DNS servers from client.
iptables -A OUTPUT -o $IFACE -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT

### SSH inbound
#
iptables -A INPUT -i $IFACE -p tcp --dport 10022 --sport $UP_PORTS -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 10022 --dport $UP_PORTS -j ACCEPT
#
iptables -A INPUT -i $IFACE -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 22 -j ACCEPT
#
### SSH outbound
#
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport 10022 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport $UP_PORTS --sport 10022 -j ACCEPT
#
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport 22 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport $UP_PORTS --sport 22 -j ACCEPT

### HTTP
#
iptables -A INPUT -i $IFACE -p tcp --sport 80 --dport $UP_PORTS -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 80 --sport $UP_PORTS -j ACCEPT
#
iptables -A INPUT -i $IFACE -p tcp --sport 3128 --dport $UP_PORTS -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 3128 --sport $UP_PORTS -j ACCEPT

### HTTPS
#
iptables -A INPUT -i $IFACE -p tcp --sport 443 --dport $UP_PORTS -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 443 --sport $UP_PORTS -j ACCEPT

### NTP
#
iptables -A INPUT -i $IFACE -p tcp --sport 123 --dport 123 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 123 --sport 123 -j ACCEPT
iptables -A INPUT -i $IFACE -p udp --sport 123 --dport 123 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp --dport 123 --sport 123 -j ACCEPT
#
iptables -A INPUT -i $IFACE -p tcp --sport 37 --dport 37 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 37 --sport 37 -j ACCEPT
iptables -A INPUT -i $IFACE -p udp --sport 37 --dport 37 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp --dport 37 --sport 37 -j ACCEPT

## FTP
# Allow ftp outbound.
iptables -A INPUT -i $IFACE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

# SMTP
iptables -A INPUT -i $IFACE -p tcp --sport 25 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 25 -j ACCEPT

# POP
iptables -A INPUT -i $IFACE -p tcp --sport 110 --dport $UP_PORTS -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport 110 -j ACCEPT

# ICMP
# We accept icmp in if it is "related" to other connections (e.g. a time
# exceeded (11) from a traceroute) or it is part of an "established"
# connection (e.g. an echo reply (0) from an echo-request (8)).
iptables -A INPUT -i $IFACE -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# We always allow icmp out.
iptables -A OUTPUT -o $IFACE -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Logging
#
iptables -A INPUT -m limit --limit 1/s -j LOG --log-prefix "INPUT "
iptables -A OUTPUT -m limit --limit 1/s -j LOG --log-prefix "OUTPUT "
iptables -A FORWARD -m limit --limit 1/s -j LOG --log-prefix "FORWARD "

echo "Firewall......done"
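As an added example (not part of Ralf's post), a small Python walker over a hand-transcribed subset of the script's INPUT chain: it shows which rule decides a SYN to port 10022 on ppp0 and in what order the syn-flood, non-SYN and spoofing checks run before it, that a DROP verdict shows up at the client as a timeout rather than "connection refused", and that the stateless reply rules (for example --sport 80 --dport $UP_PORTS) also admit brand-new connections, which a -m state --state ESTABLISHED match would prevent. The -m limit match is modelled as a per-packet flag, and the addresses 203.0.113.5 and 198.51.100.7 are constructed.

```python
"""Walk the INPUT chain of the script above for one packet (added example).
CHAINS is a hand-transcribed subset of the script's INPUT rules in append order."""
import ipaddress

UP = (1024, 65535)                                  # the script's UP_PORTS
CHAINS = {
    "INPUT": [                                      # (match, target)
        ({"i": "ppp0", "p": "tcp", "syn": True}, "syn-flood"),
        ({"i": "ppp0", "p": "tcp", "syn": False, "state": "NEW"}, "DROP"),
        ({"i": "ppp0", "f": True}, "DROP"),            # fragments
        ({"i": "ppp0", "s": "192.168.0.0/16"}, "DROP"),  # spoofed CLASS_C
        ({"i": "ppp0", "p": "tcp", "dport": (10022, 10022), "sport": UP}, "ACCEPT"),
        ({"i": "ppp0", "p": "tcp", "dport": UP, "sport": (10022, 10022)}, "ACCEPT"),
        ({"i": "ppp0", "p": "tcp", "sport": (80, 80), "dport": UP}, "ACCEPT"),
    ],
    "syn-flood": [({"limit_ok": True}, "RETURN"), ({}, "DROP")],
}
POLICY = {"INPUT": "DROP"}

def matches(match, pkt):
    for key, want in match.items():
        if key in ("sport", "dport"):
            if not want[0] <= pkt.get(key, -1) <= want[1]:
                return False
        elif key in ("s", "d"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(pkt, chain="INPUT"):
    """Return (target, (chain, rule_index)); index None means chain policy."""
    for idx, (match, target) in enumerate(CHAINS[chain]):
        if not matches(match, pkt):
            continue
        if target in CHAINS:                        # jump into a user chain
            sub, where = verdict(pkt, target)
            if sub != "RETURN":
                return sub, where
            continue                                # RETURN resumes the caller
        return target, (chain, idx)
    return POLICY.get(chain, "RETURN"), None

def client_sees(pkt):            # DROP is silent: a timeout, never "refused"
    return "reaches sshd" if verdict(pkt)[0] == "ACCEPT" else "timeout"

SYN = {"i": "ppp0", "p": "tcp", "syn": True, "state": "NEW", "f": False,
       "s": "203.0.113.5", "d": "198.51.100.7", "limit_ok": True,
       "sport": 40000, "dport": 10022}            # constructed sample packet
```

Since nothing in this chain sends a RST, a "connection refused" points at the listener rather than at a DROP rule: check with netstat -tlnp while the firewall is up that sshd is actually bound to port 10022 on the ppp0 address.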