Открытие ssh доступа к виртуальной машине с использованием iptables

Question

Я написал правила итераций follwing. но есть одна проблема. Я не могу ssh к моей машине vmware. как я могу справиться с этим?

#!/bin/bash 

ip=`hostname -I| awk '{print $1}'` 
LOOP=127.0.0.1 
if=eth0 

# Clear any previous rules. 
iptables -F 

# Default drop policy. 
iptables -P OUTPUT DROP 
iptables -P INPUT DROP 
iptables -P FORWARD DROP 

# Prevent external packets from using loopback addr 
iptables -A INPUT -i $if -s $LOOP -j DROP 
iptables -A FORWARD -i $if -s $LOOP -j DROP 
iptables -A INPUT -i $if -d $LOOP -j DROP 
iptables -A FORWARD -i $if -d $LOOP -j DROP 

# Drop any tcp packet that does not start a connection with a syn flag. 
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP -m comment --comment "Dropping any tcp packet that doesn't start a connection with a syn flag!" 

# Drop any invalid packet that could not be identified. 
iptables -A INPUT -m state --state INVALID -j DROP 

# Drop invalid packets. 
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP 
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP 
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP 
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP 

#Allow working on localhost 
iptables -A INPUT -i lo -s $LOOP -d $LOOP -j ACCEPT 
iptables -A OUTPUT -o lo -s $LOOP -d $LOOP -j ACCEPT 

#Allow ping from inside to outside 
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT 
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT 

#Openning outgoing trafic 
iptables -A OUTPUT -o $if -s $ip -j ACCEPT 
iptables -A INPUT -i $if -m state --state ESTABLISHED,RELATED -j ACCEPT 


iptables -A INPUT -i $if -s x.x.x.x -j ACCEPT #The ip of my local virtual machine 
iptables -A OUTPUT -o $if -m state --state ESTABLISHED,RELATED -j DROP 

и результат:

$ sudo iptables -L -nv 
Chain INPUT (policy DROP 0 packets, 0 bytes) 
pkts bytes target  prot opt in  out  source    destination   
    0  0 DROP  all -- eth0 *  127.0.0.1   0.0.0.0/0   
    0  0 DROP  all -- eth0 *  0.0.0.0/0   127.0.0.1   
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:!0x17/0x02 state NEW /* Dropping any tcp packet that doesn't start a connection with a syn flag! */ 
    0  0 DROP  all -- *  *  0.0.0.0/0   0.0.0.0/0   state INVALID 
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:0x3F/0x00 
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:0x03/0x03 
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:0x06/0x06 
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:0x05/0x05 
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:0x11/0x01 
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:0x30/0x20 
    14 3687 ACCEPT  all -- lo  *  127.0.0.1   127.0.0.1   
    0  0 ACCEPT  icmp -- *  *  0.0.0.0/0   0.0.0.0/0   icmptype 0 
    808 280K ACCEPT  all -- eth0 *  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED 
    0  0 ACCEPT  all -- eth0 *  x.x.x.x  0.0.0.0/0   

Chain FORWARD (policy DROP 0 packets, 0 bytes) 
pkts bytes target  prot opt in  out  source    destination   
    0  0 DROP  all -- eth0 *  127.0.0.1   0.0.0.0/0   
    0  0 DROP  all -- eth0 *  0.0.0.0/0   127.0.0.1   

Chain OUTPUT (policy DROP 7 packets, 420 bytes) 
pkts bytes target  prot opt in  out  source    destination   
    14 3687 ACCEPT  all -- *  lo  127.0.0.1   127.0.0.1   
    0  0 ACCEPT  icmp -- *  *  0.0.0.0/0   0.0.0.0/0   icmptype 8 
1087 167K ACCEPT  all -- *  eth0 y.y.y.y   0.0.0.0/0   
    0  0 DROP  all -- *  eth0 0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED 

обновления

Chain INPUT (policy DROP 0 packets, 0 bytes) 
pkts bytes target  prot opt in  out  source    destination   
    0  0 DROP  all -- eth0 *  127.0.0.1   0.0.0.0/0   
    0  0 DROP  all -- eth0 *  0.0.0.0/0   127.0.0.1   
    0  0 DROP  all -- *  *  0.0.0.0/0   0.0.0.0/0   state INVALID 
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:0x3F/0x00 
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:0x03/0x03 
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:0x06/0x06 
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:0x05/0x05 
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:0x11/0x01 
    0  0 DROP  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp flags:0x30/0x20 
    9 3427 ACCEPT  all -- lo  *  127.0.0.1   127.0.0.1   
    0  0 ACCEPT  icmp -- *  *  0.0.0.0/0   0.0.0.0/0   icmptype 0 
    751 418K ACCEPT  all -- eth0 *  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED 
    0  0 ACCEPT  all -- eth0 *  x.x.x.x  0.0.0.0/0   
    0  0 ACCEPT  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   tcp dpt:22 

Chain FORWARD (policy DROP 0 packets, 0 bytes) 
pkts bytes target  prot opt in  out  source    destination   
    0  0 DROP  all -- eth0 *  127.0.0.1   0.0.0.0/0   
    0  0 DROP  all -- eth0 *  0.0.0.0/0   127.0.0.1   

Chain OUTPUT (policy DROP 7 packets, 420 bytes) 
pkts bytes target  prot opt in  out  source    destination   
    9 3427 ACCEPT  all -- *  lo  127.0.0.1   127.0.0.1   
    0  0 ACCEPT  icmp -- *  *  0.0.0.0/0   0.0.0.0/0   icmptype 8 
    795 152K ACCEPT  all -- *  eth0 y.y.y.y   0.0.0.0/0 

Answer 1

Открытых входящих соединений на порт 22

iptables -A INPUT -p tcp --dport 22 -j ACCEPT 

Признанное, СВЯЗАННОЕ правило (которые у вас уже есть) должен разобраться в остальном.

Answer 2

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT