LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-01-2005, 01:04 PM   #1
09kevin77
LQ Newbie
 
Registered: Mar 2005
Location: Moncton NB Canada
Distribution: Fedora
Posts: 15

Rep: Reputation: 0
SSH through a firewall


I am in the process of revamping the firewall. I just took over the IT Department and am trying to weed out the "crap".

My Q is this: I want to allow SSH2 through the "for now" firewall and to a backend server. I went into the existing script and entered the following iptables command:


iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp -d <external ip> --dport 22 -j DNAT --to-destination 123.234.35.45:22

iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 123.234.35.45 --destination-port 22 -j ACCEPT



This should work shouldn't it? Incoming connection from external IP forward to internal IP server SSH.

A buddy of mine tried to login remotely and got Connection Refused. I tried from the internal network to the external IP (not the same one I am on) and I got a connection, asked me for the username and password ... I entered those and it came back as bad login, would you like to try again. I know the username and passwords are correct. Do I need to open any other port than 22?

Do I have the above correct? Maybe that is my problem. Any help is appreciated. I am starting to understand iptables, still a ways to go though.

Oh, sorry, one more thing. This rule iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT if it came before the above, would it disregard the above and take this one because it is first? This looks like SSH to the firewall. Am I right?

Thanks again.

Kevin
 
Old 06-01-2005, 03:27 PM   #2
Atrocity
Member
 
Registered: Nov 2002
Location: Hell
Distribution: FreeBSD, Slackware
Posts: 308

Rep: Reputation: 30
You should grab the book "Linux Firewalls". I believe it extensively goes through the use of iptables in Linux.
 
Old 06-01-2005, 03:40 PM   #3
09kevin77
LQ Newbie
 
Registered: Mar 2005
Location: Moncton NB Canada
Distribution: Fedora
Posts: 15

Original Poster
Rep: Reputation: 0
Ok, thanks for the tip.

I am guessing "Get a book" means "You have it wrong and I am not going to tell you, figure it out yourself" or was that forum lingo meaning "I don't know".

I don't mean to be snarky but I don't have time to run out to get the book. I figured I could get help on this and THEN get a book. I guess I misunderstood what forums were for. I thought they are here to help people in need, not to promote books.

If anyone else has any other help I would greatly appreciate it. Pointing me to a book was not the answer I was hoping for.

Thanks all.

Kevin
 
Old 06-01-2005, 04:35 PM   #4
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
I would remove this:
Code:
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
If you want to leave it in add a "-i eth1" or something like that. Otherwise you have a conflict of how it would work.

In my config I have something like this:

Code:
iptables -A FORWARD -p tcp -d 123.234.35.45 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 123.234.35.45:22

The "-m state --state NEW,ESTABLISHED,RELATED" part would be totally optional.

I think when doing an iptables script the order that you do your commands is not the deciding factor of how it all works. I could be wrong.
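To illustrate Kevin's question about the INPUT rule and the point made in this post, here is an added toy model (not code from either poster) of the path a packet takes through the nat PREROUTING, INPUT and FORWARD chains: traffic DNATed to the backend is judged by FORWARD, an INPUT rule for port 22 with no `-i eth1` accepts SSH to the firewall itself from outside, and within one chain the first matching rule decides. Addresses are constructed (203.0.113.10 as the firewall's outside address, 192.0.2.45 standing in for 123.234.35.45) and the chain policy is assumed to be DROP.

```python
# Added example: a minimal model of netfilter chain traversal for the
# rules discussed in the thread. Addresses below are constructed.
FW_EXT, FW_INT, SSH_HOST = "203.0.113.10", "192.0.2.1", "192.0.2.45"

def matches(rule, pkt):
    """A rule matches when every field it specifies equals the packet's."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def walk(chain, pkt, policy="DROP"):
    """Filter chain: the first matching rule's target wins, else the policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def classify(pkt, prerouting, input_chain, forward_chain):
    """Return (chain, verdict, final destination) for one inbound packet."""
    pkt = dict(pkt)
    for rule in prerouting:              # nat PREROUTING runs before routing
        if matches(rule, pkt):
            pkt["dst"] = rule["to"]      # DNAT rewrites the destination
            break
    if pkt["dst"] in (FW_EXT, FW_INT):   # address is local: INPUT chain
        return "INPUT", walk(input_chain, pkt), pkt["dst"]
    # otherwise the routing decision picks the egress interface: FORWARD chain
    pkt["out"] = "eth1" if pkt["dst"].startswith("192.0.2.") else "eth0"
    return "FORWARD", walk(forward_chain, pkt), pkt["dst"]

# The thread's rules, written as match dictionaries
PREROUTING = [{"match": {"in": "eth0", "proto": "tcp", "dst": FW_EXT, "dport": 22},
               "to": SSH_HOST}]
FORWARD = [{"match": {"in": "eth0", "out": "eth1", "proto": "tcp",
                      "dst": SSH_HOST, "dport": 22}, "target": "ACCEPT"}]
# The INPUT rule Kevin asked about: no interface, so it applies on eth0 too
INPUT_OPEN = [{"match": {"proto": "tcp", "dport": 22}, "target": "ACCEPT"}]
# The variant suggested in this post: SSH to the firewall only from the LAN
INPUT_LAN_ONLY = [{"match": {"in": "eth1", "proto": "tcp", "dport": 22},
                   "target": "ACCEPT"}]
# The same two rules in opposite order: order within a chain changes the verdict
DROP_EXT_FIRST = [{"match": {"in": "eth0"}, "target": "DROP"}] + INPUT_OPEN
ACCEPT_22_FIRST = INPUT_OPEN + [{"match": {"in": "eth0"}, "target": "DROP"}]

# A constructed SSH packet arriving from the Internet on eth0
EXT_SSH = {"in": "eth0", "proto": "tcp", "src": "198.51.100.7",
           "dst": FW_EXT, "dport": 22}

if __name__ == "__main__":
    print(classify(EXT_SSH, PREROUTING, INPUT_OPEN, FORWARD))
    print(classify(EXT_SSH, [], INPUT_OPEN, FORWARD))
```

With the DNAT in place the packet never reaches INPUT, so the two rules do not collide; with the DNAT absent, the bare INPUT rule is what lets the outside world reach the firewall's own sshd.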
 
Old 06-01-2005, 04:42 PM   #5
09kevin77
LQ Newbie
 
Registered: Mar 2005
Location: Moncton NB Canada
Distribution: Fedora
Posts: 15

Original Poster
Rep: Reputation: 0
thanks benjithegreat98,

I did get rid of the iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT and I changed the IP to our primary one. For some reason, the people that built the firewall in the first place had things weird. Oh well.

I thank you again because everything works 100% now.

Much appreciated!!

Kevin

 
Old 06-02-2005, 02:36 PM   #6
Atrocity
Member
 
Registered: Nov 2002
Location: Hell
Distribution: FreeBSD, Slackware
Posts: 308

Rep: Reputation: 30
No, get a book means get a book because it has a reputation as a good book and will give you some in-depth knowledge you could use if you are working with firewalls!!!!!!!!
 
Old 06-03-2005, 01:43 AM   #7
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
Technology books are one of the best ways to waste money out there ... If you're reading it in a book, it's already outdated.
 
Old 06-03-2005, 07:21 AM   #8
09kevin77
LQ Newbie
 
Registered: Mar 2005
Location: Moncton NB Canada
Distribution: Fedora
Posts: 15

Original Poster
Rep: Reputation: 0
Thanks Atrocity, but I think that I could have figured out myself to get a book. If I figured that it would be quicker and more efficient to get it then I would. But like I said in my previous post, forums are for helping people in need, not to promote books. If you want to, fine, but make sure you answer the question in need as well.

Just telling people to "Buy a book" doesn't help anyone. Help is why we go to forums. You could learn a lot from benjithegreat98's post.

Kevin
 
Old 06-03-2005, 12:29 PM   #9
Atrocity
Member
 
Registered: Nov 2002
Location: Hell
Distribution: FreeBSD, Slackware
Posts: 308

Rep: Reputation: 30
How are technology books a waste of money? That is the dumbest thing I have ever heard!! You have to have a base of something outdated before you can build upon that knowledge in order to create new technologies!!! You get that base from books and working with the current technologies before you can create a new one!!
 
Old 06-03-2005, 03:59 PM   #10
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
You're missing the point (as I suspected you might).

By the time a book makes it to print and to the store shelves and in your little hands it's already outdated (read: largely incomplete to useless) information.

If you want to spend $40-$80 USD for something of very little practical application (other than slaughtering trees to print them on), go right ahead. I'll get my information from the electronic manuals and howtos and google and forums and spend the money I've saved on hardware (or beer or whatever).

As a happy medium, there's always Safari.
 
Old 06-03-2005, 04:08 PM   #11
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
I'm inclined to agree with Atrocity on the usefulness of books. You can learn some from the on-line manuals and such, but for a thorough explanation of how something works you should get the book. A book won't really be obsolete at the rate you are saying. I know you are exaggerating, but I still have some old books out of college that are useful. Some are not. Usually books will give you better ideas about the 'best practice', which is useful because if the program changes slightly you can still have an understanding of what you need to accomplish by reading what has changed instead of looking for someone to hold your hand because you do not have as good a comprehension of the subject as you could.
 
Old 06-03-2005, 04:21 PM   #12
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
To each his own I suppose ... For me, they're a waste. There are a few rare exceptions of course (The K&R C books for example), but those exceptions are few and far between. I can't recall the last thing I needed my hand held with though, so I guess maybe I'm a bad example.

free(thread);
 
Old 06-03-2005, 04:28 PM   #13
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Just to clarify, I wasn't directing the hand holding bit at you or any one in particular. I've taken short cuts to find quick answers to solve my problem and then the next change that came along I was lost again. I needed to find a thread to hold my hand to get it fixed right. But after doing that a bunch of times I tried to learn the subject thoroughly. Fortunately, places like this exist.
 
Old 06-04-2005, 09:21 AM   #14
Atrocity
Member
 
Registered: Nov 2002
Location: Hell
Distribution: FreeBSD, Slackware
Posts: 308

Rep: Reputation: 30
Books are useful for all except maybe the illiterate; theories and concepts hold strong for years.
 
  

