Greetings! I've recently acquired myself my first Linux-kernel. I'm now using Debian 2.2.20.

I've been configuring it for the last week, but configuring the firewall is extremely difficult for me. My problem is getting remotely to my system from the university using an ssh client. I'm using ipchains to configure my firewall.

I've already succeeded in configuring the firewall to allow access from my subnet machines using an ssh client, but I'm just not able to connect from the university unix-server. What ipchains commands (or other commands) should I implement to make this work?

I've tried to add a rule to the input and output chain to accept both incoming and outgoing packages, but it is not enough. What else must I do? Could someone more experienced give me a hand with this?

Thanks for the help!

ok first check if sshd is listening on the ip address you connecting to.
type "netstat -natp"
you should see port 22 bound to the internet ip address your trying to access.

if ssh is not bound to the ip address your connecting to, check out my other note:
http://www.linuxquestions.org/questi...threadid=11696

if it's there then you'll need to allow incoming and outgoing tcp packets back to the source from your firewall.

to allow anyone access to the ssh service in ipchains you add these lines to your firewall rules.

(as root)
ipchains -A input -p tcp -s 0/0 --sport 1023:65535 -d your_ipchains_ip_address --dport 22 -j ACCEPT

ipchains -A output -p tcp -s your_ipchains_ip_address --sport 22 -d 0/0 -j ACCEPT

(you would normally not use -s 0/0 but the ip address of the universities router, this would make it more secure)

/Raz

Thank you a bundle for the answer. I added the line
ListenAddress 193.167.232.254 (The IP is the Univ. unix-servers IP)

to my sshd_config file.

I'm not sure how to restart the sshd though. I was told that I actually should restart ssh (because I can't find any swithes related to restarting sshd spesifically), so I did it using the commands

./ssh stop
and ./ssh restart

These seemed to restart the Secure Shell Server. But alas... the netstat still doesn't show that my machine is listening to the ip-address entered above. It's only showing up my open connection to irssi (irc-client, state ESTABLISHED) and something related to exim (local address 0.0.0.0, localhost? State is LISTENING)

I also entered the ipchains commands you gave me. Naturally the problem still desists, but I'm pretty sure that is because of the problem mentioned before.

Did I restart the sshd properly? Thanks for the patience

Yes I see the problem.
the ip address you typing in the sshd_config file is to tell it on which ip address of "your" home Linux system you want shhd to open a socket on.

So use your Linux boxes internet address not the Uni's and restart it.

or comment out the line and don't tell it an address, then it will default to 0.0.0.0 i.e all devices on the system.

type this to see if ssh has started and is running.
ps -ef | grep sshd

/Raz

Thanks for the assistance! Although the problem was actually with my ISP. For some reason they have blocked the default port 22. So I tried setting the sshd to listen to port 60022 and it worked. I also had to add "sshd: the_unix_ip" to hosts.allow

Now it works and for some reason I don't even have to use the ipchains you provided. Very strange...

Still, thanks very much for helping!!

I hate it when ISP's do that.
They don't understand networks and drop all packets to ports below 1024, only accepting http and https i guess.

To see why my rule wasn't needed type:
ipchains -L -n | grep policy

If it says accept on the input or output chain then your not secure and its allowing anything.

or if you didn't flush the firewall since the last time you entered it, its still there and doesn't need to be added again.

/Raz

Well all the chain policies are at DENY. And I'm not even sure how to flush the firewall. Unless we're talking about the --flush swith which deletes all the rules (and I may be a newbie, but that would be just plain stupid )

But... after I checked, I don't see the ipchains tules anymore in the list. But now it is accepting connections from an other unix-server with a different IP (same university though). So I guess I've gone backwards... but at least it is allowing me to connect from the university. I'm still going to have to test this from IP:s not inside the university net.

Well the reason why it allowed to connect from the other IP was in hosts.deny. I just put up the ALL: ALL and now everything works smoothly.

Thanks once more for the help.