Old 01-13-2002, 11:02 AM   #1
ForumKid
iptables - I added a second nic and cannot ssh to it. Log shows a potential problem.


However, when the firewall is off, SSH works beautifully. I'm trying to ssh from 10.0.0.2 to 192.168.1.2. My log below shows that the SSH connection is trying to go to eth0 for 192.168.1.2. It should be going to eth1.
Thanks as always

ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:02:B3:28:80:5C
inet addr:192.168.3.2 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:764 errors:0 dropped:0 overruns:0 frame:0
TX packets:648 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:22 Base address:0xec80

eth1 Link encap:Ethernet HWaddr 00:B00:B0:22:9B
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:23 errors:0 dropped:0 overruns:22 carrier:0
collisions:0 txqueuelen:100
Interrupt:16 Base address:0xccc0

iptables***************************
#!/bin/sh


# you set the permission as follow:
# chown root.root scriptname
# chmod 700 scriptname

#=============== Start

# Load the netfilter modules
/sbin/depmod -a
/sbin/modprobe ip_tables

# Set iptable variable path
IPT=/sbin/iptables

echo -n "Loading Firewall Rules....."

#Flush all existing rules
$IPT -F
$IPT -X
$IPT -F -t nat

#Set default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

#Set-up the "firewall-chain" rules
$IPT -N firewall
$IPT -A firewall -m limit --limit 20/minute -j LOG --log-level warning --log-prefix "FIREWALL: "
$IPT -A firewall -j DROP

#Accept Ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

#Drop any bad flags
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L1: "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L3: "

#Block ping
$IPT -A INPUT -i eth0 -s 0/0 -d 192.168.3.2 -p icmp --icmp-type echo-request -j DROP

#Drop traceroute packets
$IPT -A INPUT -i eth0 -s 0/0 -d 192.168.3.2 -p udp --dport 33435:33525 -j DROP

#Stuff to drop syn floods
#$IPT -N syn-flood
#$IPT -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
#$IPT -A syn-flood -j LOG --log-level warning --log-prefix "FIREWALL: SYN Flood Stopped: "
#$IPT -A syn-flood -j DROP
#$IPT -A INPUT -p tcp --syn -j syn-flood

#State matching stuff - to accept related and established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Accept SSH
$IPT -A INPUT -i eth0 -s 10.0.0.2 -p tcp -d 192.168.3.2 --dport 22 -j ACCEPT
$IPT -A INPUT -i eth1 -s 10.0.0.2 -p tcp -d 192.168.1.2 --dport 22 -j ACCEPT
$IPT -A INPUT -i eth1 -s 0/0 -p tcp -d 0/0 --dport 22 -j ACCEPT

#Accept incoming SMTP requests
$IPT -A INPUT -i eth0 -s 0/0 -p tcp -d 192.168.3.2 --dport 25 -j ACCEPT

#Accept POP3 requests
$IPT -A INPUT -i eth0 -s 10.0.0.2 -p tcp -d 192.168.3.2 --dport 110 -j ACCEPT

#Accept Samba
$IPT -A INPUT -i eth0 -s 10.0.0.2 -p tcp -d 192.168.3.2 --dport 137:139 -j ACCEPT
$IPT -A INPUT -i eth0 -s 10.0.0.2 -p udp -d 192.168.3.2 --dport 137:139 -j ACCEPT

#Accept Domain Name Server stuff..
#$IPT -A INPUT -i eth0 -s 198.6.1.4/24 -p tcp -d 0/0 --dport 53 -j ACCEPT
#$IPT -A INPUT -i eth0 -s 198.6.1.5/24 -p udp -d 0/0 --dport 53 -j ACCEPT

#Send everything else to the firewall chain - DENY it and LOG it.
#$IPT -A INPUT -p tcp --syn -j firewall
#$IPT -A INPUT -p udp -j firewall
$IPT -A INPUT -j LOG
echo "DONE"

LOG*********************
kernel: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=29663 DF PROTO=TCP SPT=2207 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 11:54:45 mail kernel: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=29664 DF PROTO=TCP SPT=2207 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 11:54:51 mail kernel: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=29685 DF PROTO=TCP SPT=2207 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
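As an added check that is not part of the thread, the Python below parses kernel LOG lines like the ones above and flags port-22 packets whose destination address belongs to a different interface than the IN= interface they arrived on. The interface map is taken from the ifconfig output in the post; the third sample line (including its MAC) is constructed. Such a mismatch is exactly what this log shows, and it is also what a packet spoofed from the wrong segment would look like, which is why an ACCEPT rule tied to -i refuses it.

```python
import re

# Which address each interface holds, from the ifconfig output in the post
# (eth0 = 192.168.3.2, eth1 = 192.168.1.2).
IFACE_ADDRS = {"eth0": "192.168.3.2", "eth1": "192.168.1.2"}

# Constructed sample log: the first two lines mirror the thread's kernel LOG
# output, the third is a made-up SSH SYN that arrived on the correct card.
SAMPLE_LOG = """\
Jan 13 11:54:45 mail kernel: IN=eth0 OUT= MAC=00:02:b3:28:80:5c:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=29664 DF PROTO=TCP SPT=2207 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 11:56:20 mail kernel: IN=eth1 OUT= MAC= SRC=192.168.1.2 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Jan 13 11:57:02 mail kernel: IN=eth1 OUT= MAC=00:b0:0b:02:29:b0:00:02:b3:39:c0:ac:08:00 SRC=10.0.0.2 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=29700 DF PROTO=TCP SPT=2208 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# netfilter LOG lines are a run of KEY=VALUE tokens; flags like SYN/DF have no '='.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict."""
    return dict(FIELD_RE.findall(line))


def wrong_interface_hits(log_text, iface_addrs, dport="22"):
    """Find TCP packets to dport whose DST address is configured on a
    different interface than the one the packet came in on (IN=).
    Returns a list of (in_iface, expected_iface, src, dst) tuples."""
    addr_to_iface = {addr: iface for iface, addr in iface_addrs.items()}
    hits = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != dport:
            continue
        expected = addr_to_iface.get(f.get("DST"))
        if expected and expected != f.get("IN"):
            hits.append((f.get("IN"), expected, f.get("SRC"), f.get("DST")))
    return hits


if __name__ == "__main__":
    for in_if, want_if, src, dst in wrong_interface_hits(SAMPLE_LOG, IFACE_ADDRS):
        print(f"{src} -> {dst}:22 arrived on {in_if}, address lives on {want_if}")
```

A hit for a host that really is on the internal segment points at cabling or routing (the -i rule is correct and the packet is on the wrong card); a hit from an address range that should never appear on that card is the spoofing case the rule is there to stop.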
 
Old 01-13-2002, 11:03 AM   #2
ForumKid
This also showed up in my log:
Jan 13 11:56:20 mail kernel: IN=eth1 OUT= MAC= SRC=192.168.1.2 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Jan 13 11:56:20 mail kernel: IN=eth1 OUT= MAC= SRC=192.168.1.2 DST=192.168.1.255 LEN=233 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=213
 
Old 01-13-2002, 12:58 PM   #3
ForumKid
Well, if anyone has this problem, I took the -i out of the ssh rule and it works like a charm.
Thanks
 
Old 01-14-2002, 05:07 AM   #4
raz
The log is showing you a broadcast request from a Samba service to the subnet from the IP address 192.168.1.2.

I don't really understand your network layout, as it seems overly complicated, i.e. you're using an internal class A to talk to an internal class C address with a default gateway that also uses an internal IP address.

But if you took the -i out and it worked, then it sounds like the connection for the 10.0.0.0/24 network is on the wrong card or hub/switch.
Also do a netstat -natp and see if sshd is bound to both cards or whether eth1 is routing to eth0.

/Raz
 
Old 01-14-2002, 07:35 AM   #5
ForumKid
Servers are all 192.168.x.x
Workstations are all 10.0.0.x

So I'm talking from the inside 10.0.0.x to servers on 192.168.x.x.

I added another NIC to my server so that I could tighten up my iptables. I would like to make the second NIC on my server 10.0.0.x, but from what I have learned, NICs on a server must all be on the same mask, i.e. 255.255.255.0. If I make the second NIC 10.0.0.x (255.0.0.0) this will not work.

Workstations are all on my inside network connected via a switch. So my second nic on my server is plugged into my switch.

I'm not a networking guru, but it sounds pretty simple to me.
But don't laugh... I'm still learning.

So maybe -i won't work because the switch is working for 10.0.0.x and 192.168.1.2.

Thanks for your help
 
Old 01-14-2002, 10:04 PM   #6
ForumKid
tcp 0 0 192.168.1.2:22 0.0.0.0:* LISTEN 644/sshd

That's the only entry for ssh.
So it's bound to 192.168.1.2. Still not sure why the -i doesn't work. Is it possible that eth1 is really eth0 and eth0 is really eth1?

ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:02:B3:28:80:5C
inet addr:192.168.3.2 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3004 errors:0 dropped:0 overruns:0 frame:0
TX packets:2577 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:22 Base address:0xec80

eth1 Link encap:Ethernet HWaddr 00:B00:B0:22:9B
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:76 errors:0 dropped:0 overruns:21 carrier:0
collisions:0 txqueuelen:100
Interrupt:16 Base address:0xccc0

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

Thanks
 
Old 01-15-2002, 09:05 AM   #7
raz
That's your problem.
It's only bound to one of the cards, so when you tell the firewall to allow only the interface to ip it doesn't work.

It only works because the system routes from the interface that's bound.

Change your sshd config file. The default is:
/usr/local/etc/sshd_config

add the lines
ListenAddress 192.168.3.2
ListenAddress 192.168.1.2
#ListenAddress 0.0.0.0
#ListenAddress ::

Then restart sshd.

/Raz
 
Old 01-15-2002, 04:32 PM   #8
ForumKid
Well Raz... you da man!! It worked just as you stated. Let me ask you one final question on this.
I can now use -i eth0 and -i eth1 in my iptables.
1) Is it better to have ssh running on both cards and use the -i in iptables to restrict it to the inside?
2) Or only run ssh on the inside and then don't use -i in iptables?

I ask this because in thread: http://www.linuxquestions.org/questi...threadid=11299
you state------->
Lines like this will allow external people to fake internal-IP-sourced packets to your system, as you're accepting from -s and not to a particular network card.

$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 53 -j ACCEPT
$IPT -A INPUT -s 192.168.4.0/24 -p udp --destination-port 53 -j ACCEPT

To do it correctly you need two network cards, the first with the outside ip, the second with your internal ip.

Then only accept to the internal card.

example:
$IPT -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
"eth0 being the external interface."
 
Old 01-15-2002, 04:46 PM   #9
ForumKid
One more thing. If ssh is only running on the inside NIC, the spoofer would have to be on the inside network to fake an IP address and get in.
Correct?
 
Old 01-16-2002, 04:28 AM   #10
raz
OK, let's see if I get this right.

If you don't need to access sshd from a different location on the internet, then I would only allow it to bind to the card that is connected to your internal network hub/switch.

Then on the firewall I would still use -i for the internal NIC to allow access to port 22 from the local address ranges you use.
Then on the firewall's second card, the one connected to your hardware NAT box, I would add a line that logs any port 22 requests to that device ("-i") and drops them from any source, including internal IP address ranges.

That's the safest way to do it. "Unless your network is 802.11b."

Basically, use the -i option to stop unwanted packets that arrive on your external internet interface from being spoofed onto your accepted internal interface.

/Raz
 
Old 01-17-2002, 07:36 PM   #11
ForumKid
Hey,
One more question. I edited my sshd_config and changed it to only listen on 192.168.1.2.
My problem is this: if I add -i eth1 to my iptables, I cannot SSH. If I change the -i eth1 to -i eth0, it works as it's supposed to. eth1 is 192.168.1.2. Any idea why this would happen?

ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:02:B3:28:80:5C
inet addr:192.168.3.2 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1422 errors:0 dropped:0 overruns:0 frame:0
TX packets:1215 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:22 Base address:0xec80

eth1 Link encap:Ethernet HWaddr 00:B00:B0:22:9B
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:16 Base address:0xccc0

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

netstat -natp shows:
tcp 0 0 192.168.1.2:22 0.0.0.0:* LISTEN 896/sshd

Thanks dude!
 
Old 01-18-2002, 08:30 AM   #12
raz
What's the address range of the systems that now can't connect to the ssh port?

Also post the iptables lines that you entered.

Can the client systems talk to the 192.168.1.2 address, i.e. ping?

/Raz
 
Old 01-18-2002, 09:13 AM   #13
ForumKid
This doesn't work:
$IPT -A INPUT -i eth1 -s 10.0.0.2 -p tcp -d 192.168.1.2 --dport 22 -j ACCEPT


Address 10.0.0.2 cannot connect when I add -i eth1. If I change it to -i eth0 it works!!

10.0.0.2 has full communication with 192.168.1.2 as far as ping/pop3/samba.

But the same goes for pop3/samba. If I change it to -i eth1 it doesn't work.

Right now I have the below and this works:
$IPT -A INPUT -s 10.0.0.2 -p tcp -d 192.168.1.2 --dport 22 -j ACCEPT

Thanks for your time Raz
BTW - The faster the women the better!!!
 