Old 03-29-2004, 11:35 PM   #1
shkkhanhyd
LQ Newbie
 
Registered: Sep 2003
Posts: 2

Rep: Reputation: 0
unable to connect to my linux router from internet using ssh


Can someone help me with my iptables config for my RH 9.0 Linux router? I am using it as a DHCP server/gateway/firewall. Everything works fine: I can connect to it from my local LAN using ssh, but I can't connect to it from the internet using ssh.

I have added the following line to my firewall script to allow incoming ssh connections from the internet, but haven't had any luck yet.

There is nothing in the log files about the incoming connection from the internet.

iptables -A INPUT -p tcp -i $INET_IFACE --sport 22 -j ACCEPT

Here is the complete script.....

#!/bin/sh
#

INET_IFACE="eth0"

LAN_IP="192.168.1.10"
LAN_IP_RANGE="192.168.1.0/24"
LAN_IFACE="eth1"


LO_IFACE="lo"
LO_IP="127.0.0.1"


IPTABLES="/sbin/iptables"

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE


echo "1" > /proc/sys/net/ipv4/ip_forward


$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP


#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT



#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

iptables -A INPUT -p tcp -i $INET_IFACE --sport 22 -j ACCEPT
 
Old 03-29-2004, 11:56 PM   #2
liamoboyle
Member
 
Registered: Mar 2004
Location: Wellington, New Zealand
Distribution: Debian
Posts: 127

Rep: Reputation: 15
You probably want to have --dport 22 instead of --sport 22. You may also want to have your -i $INET_IFACE before the -p tcp.

iptables --append INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT

This allows ssh to mine.
 
Old 03-31-2004, 10:58 AM   #3
shkkhanhyd
LQ Newbie
 
Registered: Sep 2003
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you very much for your helpful suggestion; I tried it and it worked great.

I have one more question for you, though: in my iptables --list output I see a number of the following entries.

ACCEPT all -- anywhere anywhere

My question is: don't these rules override the other security rules I am trying to put in place using iptables?

Please see the complete output from the "iptables --list" command below.

[root@linuxrouter root]# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
           udp  --  anywhere             anywhere            udp dpt:ssh
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere

Thanks again,
 
Old 03-31-2004, 09:44 PM   #4
liamoboyle
Member
 
Registered: Mar 2004
Location: Wellington, New Zealand
Distribution: Debian
Posts: 127

Rep: Reputation: 15
Too much output for me to look through it all, sorry :-/ iptables -L -n -v gives a much more readable format (I find).

iptables matches rules in the order they appear, so if you have a chain where the first rule says deny everything and the second rule says accept everything, then only the first rule will be matched and everything will be denied. If you want to change the order, you need to drop everything and then restore everything in order; look at man iptables-save and man iptables-restore. You may also find this place useful (http://www.linuxguruz.com/iptables/howto/).

Luck,
Liam
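The two points made in this thread (the SSH rule has to match on --dport 22 with state NEW, and rules are evaluated first-match in order, so a script that only appends keeps stacking copies every time it is re-run) can be checked without touching a live kernel. The script below is an added example, not the original poster's script or anything from the thread: it reworks the same policy so that it flushes before loading, fixes the SSH rule, and can be dry-run by passing "echo iptables" instead of "/sbin/iptables". The interface names and the 192.168.1.0/24 range are taken from the thread; the dry-run switch, the rate limit on new SSH connections, the LOG rule and the FW-DROP-INPUT: prefix are this example's own assumptions. One detail that answers the "ACCEPT all -- anywhere anywhere" question: plain iptables -L does not print the interface a rule matches on, so the -i lo rule looks like an accept-everything rule until you add -v.

```shell
#!/bin/sh
# Added example, not the original poster's script: the same router policy
# reworked so that it can be reloaded without duplicating rules and so that
# the SSH rule actually matches inbound connections. Interface names and
# addresses come from the thread; the dry-run switch, the rate limit on new
# SSH connections and the LOG rule are this example's own assumptions.

INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_IP_RANGE="192.168.1.0/24"
LO_IFACE="lo"

# load_firewall IPTABLES_CMD
# Pass "/sbin/iptables" to apply the policy (as root) or "echo iptables" to
# print the commands instead; the checks below use the latter.
load_firewall() {
    ipt="$1"

    # 1. Flush first. The original script only appended (-A), so every re-run
    #    added another copy of each rule; that is what produced the repeated
    #    lines in the iptables --list output above.
    $ipt -F
    $ipt -X
    $ipt -t nat -F
    $ipt -t mangle -F

    # 2. Default deny on all chains.
    $ipt -P INPUT DROP
    $ipt -P OUTPUT DROP
    $ipt -P FORWARD DROP

    # 3. Trusted sides: loopback and the LAN (including DHCP requests).
    #    Without -v, iptables -L hides the -i match, so the loopback rule
    #    shows up as "ACCEPT all -- anywhere anywhere".
    $ipt -A INPUT -i $LO_IFACE -j ACCEPT
    $ipt -A INPUT -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
    $ipt -A INPUT -i $LAN_IFACE -p udp --sport 68 --dport 67 -j ACCEPT

    # 4. Replies to connections the router itself started.
    $ipt -A INPUT -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. Inbound SSH from the Internet. The original rule used --sport 22,
    #    which matches packets sent FROM port 22; a client's SYN arrives with
    #    a random source port and destination port 22, so it never matched.
    #    The limit match slows down password guessing (assumed policy).
    $ipt -A INPUT -i $INET_IFACE -p tcp --dport 22 -m state --state NEW \
        -m limit --limit 3/min --limit-burst 5 -j ACCEPT

    # 6. Log what is about to hit the DROP policy, rate-limited so a port
    #    scan cannot fill the disk. The original loaded ipt_LOG but never
    #    used it, which is why nothing showed up in the logs.
    $ipt -A INPUT -i $INET_IFACE -m limit --limit 5/min -j LOG \
        --log-prefix "FW-DROP-INPUT: "

    # 7. Forwarding, the router's own output, and NAT for the LAN.
    $ipt -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -o $LO_IFACE -j ACCEPT
    $ipt -A OUTPUT -o $LAN_IFACE -j ACCEPT
    $ipt -A OUTPUT -o $INET_IFACE -j ACCEPT
    $ipt -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
}

# check_rules: dry-run the policy and verify the properties that went wrong
# in the thread. Returns 0 when every check passes, 1 otherwise.
check_rules() {
    out=$(load_firewall "echo iptables")
    # (a) the very first command is a flush, so reloading never duplicates
    [ "$(printf '%s\n' "$out" | head -n 1)" = "iptables -F" ] || return 1
    # (b) SSH is matched on destination port and NEW state, on the WAN side
    printf '%s\n' "$out" | grep -q -- '-i eth0 -p tcp --dport 22 -m state --state NEW' || return 1
    # (c) no rule matches on source port 22
    printf '%s\n' "$out" | grep -q -- '--sport 22' && return 1
    # (d) first match wins: the SSH ACCEPT must come before the LOG catch-all
    accept_ln=$(printf '%s\n' "$out" | grep -n -- '--dport 22' | cut -d: -f1)
    log_ln=$(printf '%s\n' "$out" | grep -n -- '-j LOG' | cut -d: -f1)
    [ "$accept_ln" -lt "$log_ln" ] || return 1
    return 0
}

# count_input_rules: number of rules one load appends to INPUT.
count_input_rules() {
    load_firewall "echo iptables" | grep -c -- ' -A INPUT '
}

# Run directly: dry-run by default; IPTABLES=/sbin/iptables ./fw.sh applies it.
load_firewall "${IPTABLES:-echo iptables}"
```

Because the flush runs first, running the script twice leaves exactly one copy of each rule, which is the same effect Liam describes with iptables-save and iptables-restore. To confirm what actually got loaded, read it back with iptables -L -n -v so the in/out interface columns are visible.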
 