LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Old 12-09-2007, 03:22 PM   #1
jgtg32a
Member
Registered: Feb 2005
Posts: 53
SSH was working now it doesn't - IPTABLES

This was working for a while but now it doesn't. The only thing I can think of is that I started the SSH logon but never finished it, a lot of times: I would hit Ctrl-C when it asked for my password.

It keeps on saying "Connection refused".

Code:
#!/bin/sh
WAN="eth1" #To internet, DHCP assigned by ISP
WAN_IP="PUBLIC_IP_PLACEHOLDER" #placeholder: the public address the ISP assigned (not shown in the post)
LAN_IP="192.168.8.1"
LAN_IP_RANGE="192.168.8.103"
LAN="eth0" #to my "server", static IP of 192...103

LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="/sbin/iptables"

echo "1" > /proc/sys/net/ipv4/ip_forward #proc conf: enable routing between interfaces

#default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -p ALL -i $LAN -s $LAN_IP_RANGE -j ACCEPT #anything from the LAN server is accepted
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT #local loopback is trusted
$IPTABLES -A INPUT -p ALL -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT #if already allowed keep it coming

$IPTABLES -A FORWARD -i $LAN -o $WAN -j ACCEPT #anything from lan is accepted
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #current connections are go
$IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT #ssh to the server (after DNAT below)
$IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT #http to the server

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LAN -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $WAN -j ACCEPT

#port forward: ssh arriving on the WAN side for the public IP goes to the server
$IPTABLES -t nat -A PREROUTING -p TCP -i $WAN -d $WAN_IP --dport 22 -j DNAT --to-destination 192.168.8.103
#outbound traffic leaves with the public IP as source
$IPTABLES -t nat -A POSTROUTING -o $WAN -j SNAT --to-source $WAN_IP

Last edited by jgtg32a; 12-09-2007 at 03:24 PM.
Old 12-09-2007, 04:01 PM   #2
dkm999
Member
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407
Let us know a little more about exactly how this lash-up is constructed:

1. Is the iptables script that you posted on the machine you are trying to contact via ssh, or on the machine you are using to give the command, or somewhere in between?

2. On the machine that you are trying to contact, and getting "Connection refused", what does the logfile say (probably /var/log/messages, or /var/log/security)?

3. Are you by any chance trying to log onto the remote machine as root? Many systems come pre-configured to disallow remote logons directly as root; the approved way to do this is to log on as an actual user and then su to gain root privileges for the session.
Old 12-09-2007, 04:16 PM   #3
jgtg32a
Member
Registered: Feb 2005
Posts: 53
Original Poster
1. Yeah, a network layout might be useful to have.

Wall <-> Firewall (where the script is) <-> Server (where the ssh server is)
I have 2 physical machines.

2. No messages in the messages log, and I don't seem to have a security file.

3. Root is allowed in the configuration file, but it won't work for any user.
Old 12-09-2007, 04:46 PM   #4
dkm999
Member
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407
Thanks for the info. One more dumb query: is the sshd daemon running on the server? If not, this could lead to "Connection refused" and no logging.
Old 12-09-2007, 04:56 PM   #5
jgtg32a
Member
Registered: Feb 2005
Posts: 53
Original Poster
No dumb questions.

Yeah, the server is up and running. I've run scans of my computer from ShieldsUP (https://www.grc.com/x/ne.dll?rh1dkyd2); it lists port 22 as open and port 80 as closed.

----------------

Now that I think about it:

OK, I got SSH back, kinda. The problem was that I was trying to ssh to my server from my server; I put in the public IP that my ISP gave me. It worked last night but it won't work anymore.
I just now tried to ssh into my school's server and then ssh into my server from there, and found that it works, which is great, but I'm doing this for a project and it would be best if I could do it from my server because I can't count on having net access.

---------------

Thank you so much for your help. The problem is somewhere in my tables; if you see anything wrong in them let me know, otherwise I'll just make a copy of my logs showing a successful login to the SSH.

Don't worry too much about it though.

Thank you again for your help.

Last edited by jgtg32a; 12-09-2007 at 05:11 PM.
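Reading the script in post #1 against the symptom in post #5 (ssh from the server to its own public IP fails, ssh from outside works): the PREROUTING rule redirects port 22 only for packets that arrive on `-i $WAN`. A connection from the LAN addressed to the public IP arrives on `eth0`, is never DNATed, is accepted by the INPUT rule for the LAN, and lands on the firewall's own port 22, where nothing is listening, so the kernel answers with a reset and ssh reports "Connection refused". The script below is an added example, not jgtg32a's script or anything posted in the thread: it reuses the interface names and LAN addresses from the posted ruleset and adds the "hairpin" NAT rules that the posted script lacks. `WAN_IP` is a constructed placeholder from the RFC 5737 documentation range; `DRY_RUN`, `run`, `emit_nat_rules`, `emit_forward_rule` and `count_dnat22` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin NAT for the port-22 forward.
# Interface names and LAN addresses follow the posted script; WAN_IP is a
# constructed placeholder, replace it with the ISP-assigned public address.
WAN="eth1"
LAN="eth0"
LAN_NET="192.168.8.0/24"
SERVER="192.168.8.103"
WAN_IP="${WAN_IP:-203.0.113.10}"
IPT="${IPTABLES:-/sbin/iptables}"

# With DRY_RUN=1 (the default) each rule is printed instead of loaded, so the
# logic can be read and checked on a machine without root or iptables.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

emit_nat_rules() {
    # 1. The rule the posted script already has: port 22 arriving from the
    #    Internet for the public address is redirected to the server.
    run "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp -d "$WAN_IP" --dport 22 \
        -j DNAT --to-destination "$SERVER"
    # 2. Hairpin: the same redirect for connections that arrive on the LAN
    #    side but are addressed to the public IP (a LAN host, or the server
    #    itself, typing the public address). Without this rule the packet is
    #    handed to the firewall's own INPUT chain, where nothing listens on 22.
    run "$IPT" -t nat -A PREROUTING -i "$LAN" -p tcp -d "$WAN_IP" --dport 22 \
        -j DNAT --to-destination "$SERVER"
    # 3. Replies for hairpinned connections must travel back through the
    #    firewall. Otherwise the server answers the LAN client directly from
    #    192.168.8.103:22, the client expected a reply from WAN_IP:22, and the
    #    session is reset. Rewriting the source to the firewall's LAN address
    #    keeps both directions on the firewall, where conntrack can undo both NATs.
    run "$IPT" -t nat -A POSTROUTING -o "$LAN" -s "$LAN_NET" -d "$SERVER" -p tcp --dport 22 \
        -j MASQUERADE
    # 4. Outbound traffic from the LAN keeps the original SNAT rule.
    run "$IPT" -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$WAN_IP"
}

# The posted FORWARD chain accepts "-p tcp --dport 22" on any interface pair,
# which already covers the LAN->LAN hairpin path. This explicit rule is only
# needed if the FORWARD rules are later tightened to specific interfaces.
emit_forward_rule() {
    run "$IPT" -A FORWARD -i "$LAN" -o "$LAN" -d "$SERVER" -p tcp --dport 22 -j ACCEPT
}

# Number of DNAT rules for port 22 in the generated set: 2 means the hairpin
# rule is present (one per interface the connection can arrive on).
count_dnat22() {
    emit_nat_rules | grep -c -- '-A PREROUTING .* --dport 22 -j DNAT'
}

case "${1:-}" in
    --apply)
        # Loads the rules for real (needs root and a working /sbin/iptables).
        DRY_RUN=0
        emit_nat_rules
        emit_forward_rule
        ;;
    *)
        emit_nat_rules
        emit_forward_rule
        ;;
esac
```

Run it with no arguments to print the rules, or with `--apply` as root to load them after the posted script has run. The MASQUERADE in step 3 is what makes the server-to-itself case work; with only the second DNAT rule, the server would receive a SYN from its own address and reset the connection.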