Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have a situation:
I had a box with two NICs installed acting as a router between two networks: 192.168.1.0 and 192.168.2.0. I had everthing working ok between the two networks. I could ssh from one network to the other without a problem. Now, I added another NIC, now a tri-homed firewall. Now, I can't ssh from one network to the other and vice versa. I can't even ssh from the firewall out. This is part of the iptables script:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Set the default policy to DROP
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -t nat --policy PREROUTING DROP
iptables -t nat --policy OUTPUT DROP
iptables -t nat --policy POSTROUTING DROP
#iptables -t mangle --policy PREROUTING DROP
#iptables -t mangle --policy OUTPUT DROP
# Delete any pre-existing user defined chains
iptables --delete-chain
#iptables -t nat --delete-chain
#iptables -t mangle --delete-chain
# Allow access to Internet
iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE
# Allow established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH connection from this station
iptables -A OUTPUT -o $LAN_IFACE -p tcp \
-s $LAN_IP --sport $UNPRIVPORTS \
-d $LAN_ADDRESSES --dport 22 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Forward from and to the LAN
iptables -A FORWARD -i $LAN_IFACE -o $EXT_IFACE -p tcp \
-s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 22 \
-m state --state NEW -j ACCEPT
######################
iptables -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp \
--sport $UNPRIVPORTS -d $DMZ_ADDRESSES --dport 22 \
-m state --state NEW -j ACCEPT
#########################
# Accept SSH connection from the LAN
iptables -A INPUT -i $LAN_IFACE -p tcp \
-s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 22 \
-m state --state NEW -j ACCEPT
What does your routing table look like? Can you not SSH from the firewall to any of the 3 connected networks, or is it only 1 or 2 that you can't connect to?
What does your routing table look like? Can you not SSH from the firewall to any of the 3 connected networks, or is it only 1 or 2 that you can't connect to?
This is what my routing table looks like:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
I can't ssh to 192.168.2.0 nor 192.168.3.0 but, can connect from those networks to the firewall. Also, I can't ssh from 192.168.2.0 to 192.168.3.0 and vice versa either. Like if it is not forwarding the packets from network to network. I can connect to the internet from all the networks though.
Last edited by landysaccount; 10-07-2008 at 12:02 PM.
I assume you have ip forwarding enabled, correct? (/proc/sys/net/ipv4/ip_forward) That would relate to the issue between 192.168.2.0 and 192.168.3.0. Also, I'm not seeing where $UNPRIVPORTS is being set... so that might cause some issues with your iptables rules. Are any errors occuring when you execute them? Is the connection timing out, being refused, or getting some other error? Might be helpful to add a "iptables -A INPUT -j LOG" and "iptables -A FORWARD -j LOG" to see what packets may be getting dropped. (I also have never seen the nat table policies set to drop -- have you always had it this way?)
Nothing's jumping out at me yet, so I'm hoping these questions will shed some light.
I assume you have ip forwarding enabled, correct? (/proc/sys/net/ipv4/ip_forward) That would relate to the issue between 192.168.2.0 and 192.168.3.0. Also, I'm not seeing where $UNPRIVPORTS is being set... so that might cause some issues with your iptables rules. Are any errors occuring when you execute them? Is the connection timing out, being refused, or getting some other error? Might be helpful to add a "iptables -A INPUT -j LOG" and "iptables -A FORWARD -j LOG" to see what packets may be getting dropped. (I also have never seen the nat table policies set to drop -- have you always had it this way?)
Nothing's jumping out at me yet, so I'm hoping these questions will shed some light.
I do have ip forwarding enabled and UNPRIVPORTS="1024:65535" set at the beginning of the script, I didn't want to post the entire script because is too long.
I also commented out the nat table line and still the same problem.
When I ssh from a network the prompt just sits there waiting for an ACK from the remote box. I ran tcpdump and wireshark to read the packets and it looks like if the connection is sending the SYN but doesn't receive an ACK. I don't see anything wrong with the script I thought I had it working. I don't get any errors when I run the script either.
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,803
Rep:
Quote:
Originally Posted by landysaccount
Hello.
I have a situation:
I had a box with two NICs installed acting as a router between two networks: 192.168.1.0 and 192.168.2.0. I had everthing working ok between the two networks. I could ssh from one network to the other without a problem. Now, I added another NIC, now a tri-homed firewall. Now, I can't ssh from one network to the other and vice versa. I can't even ssh from the firewall out.
If you remove the new NIC, does everything work as it did before you installed it?
I'm wondering if installing the new NIC caused it to actually be eth0 instead of eth2 because of the order that the PCI bus was scanned during the bootstrap. I've seen things like that happen when installing second and third SCSI adapters. Could be a similar problem in your setup.
If you remove the new NIC, does everything work as it did before you installed it?
I'm wondering if installing the new NIC caused it to actually be eth0 instead of eth2 because of the order that the PCI bus was scanned during the bootstrap. I've seen things like that happen when installing second and third SCSI adapters. Could be a similar problem in your setup.
--
Rick
I have the correct interfaces because:
Yes, DMZ and LAN can connect to internet.
No, DMZ, LAN and EXT can't ssh each other to the firewall.
Yes, the firewall can connect to LAN and DMZ
Everything else is blocked.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Help with a Tri-Homed firewall/router
