LinuxQuestions.org
Old 01-14-2002, 06:00 PM   #1
Gameon
Member
 
Registered: Jan 2002
Location: Kuopio, Finland
Distribution: Debian
Posts: 37

Rep: Reputation: 15
Allowing a specific host to connect using ipchains


Greetings! I've recently acquired myself my first Linux-kernel. I'm now using Debian 2.2.20.

I've been configuring it for the last week, but configuring the firewall is extremely difficult for me. My problem is getting remotely to my system from the university using an ssh client. I'm using ipchains to configure my firewall.

I've already succeeded in configuring the firewall to allow access from my subnet machines using an ssh client, but I'm just not able to connect from the university unix-server. What ipchains commands (or other commands) should I implement to make this work?

I've tried to add a rule to the input and output chain to accept both incoming and outgoing packages, but it is not enough. What else must I do? Could someone more experienced give me a hand with this?

Thanks for the help!
 
Old 01-15-2002, 10:59 AM   #2
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
OK, first check if sshd is listening on the IP address you're connecting to.
Type "netstat -natp".
You should see port 22 bound to the internet IP address you're trying to access.

If ssh is not bound to the IP address you're connecting to, check out my other note:
http://www.linuxquestions.org/questi...threadid=11696

If it's there, then you'll need to allow incoming and outgoing TCP packets back to the source from your firewall.

To allow anyone access to the ssh service in ipchains, you add these lines to your firewall rules.

(as root)
ipchains -A input -p tcp -s 0/0 --sport 1023:65535 -d your_ipchains_ip_address --dport 22 -j ACCEPT

ipchains -A output -p tcp -s your_ipchains_ip_address --sport 22 -d 0/0 -j ACCEPT

(You would normally not use -s 0/0 but the IP address of the university's router; this would make it more secure.)

/Raz
 
Old 01-15-2002, 01:15 PM   #3
Gameon
Member
 
Registered: Jan 2002
Location: Kuopio, Finland
Distribution: Debian
Posts: 37

Original Poster
Rep: Reputation: 15
Strange dilemma

Thank you a bundle for the answer. I added the line
ListenAddress 193.167.232.254 (The IP is the Univ. unix-servers IP)

to my sshd_config file.

I'm not sure how to restart the sshd though. I was told that I actually should restart ssh (because I can't find any switches related to restarting sshd specifically), so I did it using the commands

./ssh stop
and ./ssh restart

These seemed to restart the Secure Shell Server. But alas... netstat still doesn't show that my machine is listening on the IP address entered above. It's only showing my open connection to irssi (IRC client, state ESTABLISHED) and something related to exim (local address 0.0.0.0, localhost? State is LISTENING).

I also entered the ipchains commands you gave me. Naturally the problem still persists, but I'm pretty sure that is because of the problem mentioned before.

Did I restart the sshd properly? Thanks for the patience
 
Old 01-16-2002, 05:39 AM   #4
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Yes, I see the problem.
The IP address you're typing in the sshd_config file is to tell it on which IP address of "your" home Linux system you want sshd to open a socket on.

So use your Linux box's internet address, not the Uni's, and restart it.

Or comment out the line and don't tell it an address; then it will default to 0.0.0.0, i.e. all devices on the system.

Type this to see if ssh has started and is running:
ps -ef | grep sshd

/Raz
 
Old 01-16-2002, 08:56 AM   #5
Gameon
Member
 
Registered: Jan 2002
Location: Kuopio, Finland
Distribution: Debian
Posts: 37

Original Poster
Rep: Reputation: 15
Success!

Thanks for the assistance! Although the problem was actually with my ISP. For some reason they have blocked the default port 22. So I tried setting the sshd to listen to port 60022 and it worked. I also had to add "sshd: the_unix_ip" to hosts.allow

Now it works and for some reason I don't even have to use the ipchains you provided. Very strange...

Still, thanks very much for helping!!
 
Old 01-16-2002, 09:22 AM   #6
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
I hate it when ISPs do that.
They don't understand networks and drop all packets to ports below 1024, only accepting http and https, I guess.

To see why my rule wasn't needed type:
ipchains -L -n | grep policy

If it says ACCEPT on the input or output chain, then you're not secure and it's allowing anything.

Or if you didn't flush the firewall since the last time you entered it, it's still there and doesn't need to be added again.

/Raz
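To make the two points above concrete (the input rule from post #2 and why an ACCEPT policy makes it redundant), here is an added toy model of ipchains first-match evaluation, written for this page and not code from the thread or from ipchains itself. `HOME_IP` is a constructed stand-in for "your_ipchains_ip_address"; the university address is the one quoted in the thread; the `ipchains -L -n` listing is constructed in the shape that command prints.

```python
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

HOME_IP = "10.0.0.5"        # constructed stand-in for "your_ipchains_ip_address"
UNI_IP = "193.167.232.254"  # the university host quoted in the thread

Rule = namedtuple("Rule", "src sport dst dport target")

def _net(spec):
    # ipchains spells "any address" as 0/0
    return ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

def _ports(spec):
    # "1023:65535" -> range(1023, 65536); "22" -> range(22, 23)
    lo, _, hi = spec.partition(":")
    return range(int(lo), (int(hi) if hi else int(lo)) + 1)

def parse_rule(cmd):
    # Reads an "ipchains -A <chain> ... -j <target>" command line as posted in the thread.
    toks = cmd.split()
    opt = {t: toks[i + 1] for i, t in enumerate(toks[:-1]) if t.startswith("-")}
    return Rule(opt.get("-s", "0/0"), _ports(opt.get("--sport", "0:65535")),
                opt.get("-d", "0/0"), _ports(opt.get("--dport", "0:65535")), opt["-j"])

def evaluate(chain, policy, src, sport, dst, dport):
    # ipchains semantics: the first matching rule decides, else the chain policy applies.
    for r in chain:
        if (ip_address(src) in _net(r.src) and sport in r.sport
                and ip_address(dst) in _net(r.dst) and dport in r.dport):
            return r.target
    return policy

RULE_FMT = "ipchains -A input -p tcp -s {src} --sport 1023:65535 -d {dst} --dport 22 -j ACCEPT"
RULES_OPEN = [parse_rule(RULE_FMT.format(src="0/0", dst=HOME_IP))]         # rule as posted
RULES_RESTRICTED = [parse_rule(RULE_FMT.format(src=UNI_IP, dst=HOME_IP))]  # source pinned to the university host

def accepting_chains(listing):
    # Parses the "Chain <name> (policy <TARGET>):" headers of `ipchains -L -n` output
    # and returns the chains whose default is ACCEPT, the condition raz warns about.
    heads = re.findall(r"^Chain (\S+) \(policy (\S+)\):", listing, re.M)
    return [chain for chain, policy in heads if policy == "ACCEPT"]

# Constructed listing in the shape `ipchains -L -n` prints; not captured from the thread.
SAMPLE_LISTING = "Chain input (policy ACCEPT):\nChain forward (policy DENY):\nChain output (policy DENY):\n"
```

With the restricted rule and a DENY policy, only the university host reaches port 22; with an ACCEPT policy every packet passes whether or not the rule exists, which is why the rule appeared unnecessary.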
 
Old 01-17-2002, 04:43 AM   #7
Gameon
Member
 
Registered: Jan 2002
Location: Kuopio, Finland
Distribution: Debian
Posts: 37

Original Poster
Rep: Reputation: 15
Denial...

Well, all the chain policies are at DENY. And I'm not even sure how to flush the firewall. Unless we're talking about the --flush switch, which deletes all the rules (and I may be a newbie, but that would be just plain stupid).

But... after I checked, I don't see the ipchains rules anymore in the list. But now it is accepting connections from another unix-server with a different IP (same university though). So I guess I've gone backwards... but at least it is allowing me to connect from the university. I'm still going to have to test this from IPs not inside the university net.
 
Old 01-17-2002, 05:15 AM   #8
Gameon
Member
 
Registered: Jan 2002
Location: Kuopio, Finland
Distribution: Debian
Posts: 37

Original Poster
Rep: Reputation: 15
My bad...

Well, the reason why it allowed connecting from the other IP was in hosts.deny. I just put up the ALL: ALL and now everything works smoothly.

Thanks once more for the help.
 