LinuxQuestions.org
Forum: Linux - Newbie
Old 03-24-2024, 05:43 AM   #1
Jason.nix
Member
 
Registered: Feb 2023
Posts: 561

Rep: Reputation: 10
Post SSH only accepts connections from a specific IP address range


Hello,
I installed Docker on Debian and my iptables rules are:
Code:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-646660b25eeb -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-646660b25eeb -j DOCKER
-A FORWARD -i br-646660b25eeb ! -o br-646660b25eeb -j ACCEPT
-A FORWARD -i br-646660b25eeb -o br-646660b25eeb -j ACCEPT
-A FORWARD -o br-81041652e829 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-81041652e829 -j DOCKER
-A FORWARD -i br-81041652e829 ! -o br-81041652e829 -j ACCEPT
-A FORWARD -i br-81041652e829 -o br-81041652e829 -j ACCEPT
-A FORWARD -o br-b13678883aac -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b13678883aac -j DOCKER
-A FORWARD -i br-b13678883aac ! -o br-b13678883aac -j ACCEPT
-A FORWARD -i br-b13678883aac -o br-b13678883aac -j ACCEPT
-A FORWARD -o br-1b1370bfafc6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-1b1370bfafc6 -j DOCKER
-A FORWARD -i br-1b1370bfafc6 ! -o br-1b1370bfafc6 -j ACCEPT
-A FORWARD -i br-1b1370bfafc6 -o br-1b1370bfafc6 -j ACCEPT
-A FORWARD -o br-f14b192fe8d5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-f14b192fe8d5 -j DOCKER
-A FORWARD -i br-f14b192fe8d5 ! -o br-f14b192fe8d5 -j ACCEPT
-A FORWARD -i br-f14b192fe8d5 -o br-f14b192fe8d5 -j ACCEPT
-A FORWARD -o br-e2386c174feb -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e2386c174feb -j DOCKER
-A FORWARD -i br-e2386c174feb ! -o br-e2386c174feb -j ACCEPT
-A FORWARD -i br-e2386c174feb -o br-e2386c174feb -j ACCEPT
-A FORWARD -o br-934ab550fff1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-934ab550fff1 -j DOCKER
-A FORWARD -i br-934ab550fff1 ! -o br-934ab550fff1 -j ACCEPT
-A FORWARD -i br-934ab550fff1 -o br-934ab550fff1 -j ACCEPT
-A FORWARD -o br-5a13cc881d3a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-5a13cc881d3a -j DOCKER
-A FORWARD -i br-5a13cc881d3a ! -o br-5a13cc881d3a -j ACCEPT
-A FORWARD -i br-5a13cc881d3a -o br-5a13cc881d3a -j ACCEPT
-A DOCKER -d 172.24.0.2/32 ! -i br-b13678883aac -o br-b13678883aac -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1b1370bfafc6 ! -o br-1b1370bfafc6 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e2386c174feb ! -o br-e2386c174feb -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-b13678883aac ! -o br-b13678883aac -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-934ab550fff1 ! -o br-934ab550fff1 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-81041652e829 ! -o br-81041652e829 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-646660b25eeb ! -o br-646660b25eeb -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-5a13cc881d3a ! -o br-5a13cc881d3a -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-f14b192fe8d5 ! -o br-f14b192fe8d5 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1b1370bfafc6 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e2386c174feb -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-b13678883aac -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-934ab550fff1 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-81041652e829 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-646660b25eeb -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-5a13cc881d3a -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-f14b192fe8d5 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
The SSH configuration file is as follows:
Code:
Port 22
ListenAddress 172.20.2.58
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem	sftp	/usr/lib/openssh/sftp-server
My PC IP address is 172.21.50.67 and I can only connect to this server from the IP address range 172.20.2.X. Why?

Thank you.
 
Old 03-24-2024, 06:22 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,306

Rep: Reputation: 2324
Your config is going out to home users mainly. There are people in unsavoury parts of the world routinely scanning for open ports and taking advantage of any they find. A sysadmin will know how to set up /etc/sshd.conf to let in who he wants, but that's a safe default - your own network. That prevents users getting into your network through the router.
 
Old 03-24-2024, 06:34 AM   #3
lvm_
Member
 
Registered: Jul 2020
Posts: 930

Rep: Reputation: 337
Can you ping it? What's your routing (netstat -r)?
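The following diagnostic is an added example, not code posted by anyone in this thread. It takes the two artifacts from post #1 (an `iptables-save` dump and an sshd_config, embedded here as a trimmed constructed copy) plus the client address, and reports what can and cannot restrict SSH reachability: whether the INPUT chain filters the SSH port at all, which local address sshd is bound to by `ListenAddress`, and whether the client sits in that address's subnet, which is the routing question lvm_ raises. The /24 prefix length is an assumption passed in as a parameter, since the post gives no netmask.

```python
# Added diagnostic (not from the thread): given an `iptables-save` dump and an
# sshd_config, report what actually governs whether a client can reach sshd.
import ipaddress
import re

# Constructed sample inputs: a trimmed copy of the rules and config shown in post #1.
IPTABLES_SAVE = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER -d 172.24.0.2/32 ! -i br-b13678883aac -o br-b13678883aac -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER-USER -j RETURN
"""

SSHD_CONFIG = """\
Port 22
ListenAddress 172.20.2.58
KbdInteractiveAuthentication no
UsePAM yes
"""


def chain_policy(dump, chain):
    """Return the default policy (-P) of a chain from an iptables-save dump, or None."""
    for line in dump.splitlines():
        m = re.match(rf"-P {chain} (\w+)", line)
        if m:
            return m.group(1)
    return None


def input_rules_for_port(dump, port):
    """Return INPUT-chain rules that mention the given destination port.

    Only INPUT matters for traffic addressed to the host itself; the FORWARD and
    DOCKER chains seen in the dump apply to traffic routed through the host.
    """
    return [
        line for line in dump.splitlines()
        if line.startswith("-A INPUT") and re.search(rf"--dport {port}\b", line)
    ]


def sshd_listen(config):
    """Return (port, [ListenAddress values]); sshd binds every address if none is set."""
    port, addrs = 22, []
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "port":
            port = int(parts[1])
        elif key == "listenaddress":
            addrs.append(parts[1])
    return port, addrs


def diagnose(dump, config, client_ip, server_prefixlen=24):
    """Summarise firewall and bind-address facts relevant to one client address."""
    port, addrs = sshd_listen(config)
    policy = chain_policy(dump, "INPUT")
    rules = input_rules_for_port(dump, port)
    # A source-address restriction would show up as an INPUT rule with -s, or as a
    # non-ACCEPT INPUT policy. ListenAddress only selects the local address sshd
    # binds to; it never inspects where the client is coming from.
    findings = {
        "port": port,
        "listen": addrs,
        "input_policy": policy,
        "firewall_filters_ssh": bool(rules) or policy != "ACCEPT",
        "same_subnet": None,
    }
    if addrs:
        client = ipaddress.ip_address(client_ip)
        # Assumed prefix length: the post does not state the server's netmask.
        nets = [ipaddress.ip_network(f"{a}/{server_prefixlen}", strict=False) for a in addrs]
        findings["same_subnet"] = any(client in n for n in nets)
    return findings


if __name__ == "__main__":
    for ip in ("172.21.50.67", "172.20.2.10"):
        print(ip, diagnose(IPTABLES_SAVE, SSHD_CONFIG, ip))
```

For the rules in the thread the report says the firewall does not filter port 22 (INPUT policy ACCEPT, no INPUT rules), sshd is bound only to 172.20.2.58, and 172.21.50.67 is outside that address's (assumed /24) subnet, so reaching the daemon depends on a route between the two networks rather than on anything in iptables or sshd_config. Restricting SSH by client address, should that be the goal, is a separate control: an INPUT rule with `-s`, or a `Match Address` block in sshd_config.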
 
Old 03-24-2024, 10:05 AM   #4
Jason.nix
Member
 
Registered: Feb 2023
Posts: 561

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by business_kid View Post
Your config is going out to home users mainly. There are people in unsavoury parts of the world routinely scanning for open ports and taking advantage of any they find. A sysadmin will know how to set up /etc/sshd.conf to let in who he wants, but that's a safe default - your own network. That prevents users getting into your network through the router.
Hello,
Thank you so much for your reply.
Yes, this is a private server.
 
Old 03-24-2024, 10:07 AM   #5
Jason.nix
Member
 
Registered: Feb 2023
Posts: 561

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by lvm_ View Post
Can you ping it? What's your routing (netstat -r)?
Hello,
Thank you so much for your reply.
Yes, I can ping that server. Do you mean netstat -r on that server?
 