LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 05-30-2006, 01:09 PM   #1
cothrige
Member
 
Registered: Oct 2003
Distribution: Debian, Slackware
Posts: 48

Rep: Reputation: 15
Using SSH through a Linksys router


I recently upgraded from a dialup to DSL and additionally added a Linksys router so that two computers could share the internet. Before this I had a crossover cable connecting the two machines directly and was using SSH to share files, and was also using one computer as a gateway so that I could access the internet on both computers if I needed to. Of course, with the router I can use the internet easily on both computers, but I am wondering how I can share files again via SSH over that same ethernet connection?

I have been running firewalls on the two computers, and they seem to work okay as far as I can tell. I have tested the system with Shield's Up, though it actually reports the same without firewalls. (I was curious as to what the router was doing) BTW, the firewall scripts I am using I obtained with the Easy Firewall Generator online, at http://easyfwgen.morizot.net/gen/, since I am a complete bonehead concerning iptables. I did boot the second machine without the firewall script once as a test and it was available with SSH to my other computer, so I have assumed that my problem will be in the firewall.

I had hoped, given my ignorance regarding iptables, that perhaps somebody here could give me some advice as to how to proceed so that I can access files on each computer and also surf the internet safely. Any help or information at all is very much appreciated.

Patrick
 
Old 05-30-2006, 01:51 PM   #2
ssfrstlstnm
Member
 
Registered: Dec 2004
Location: IN, USA
Distribution: debian etch
Posts: 402

Rep: Reputation: 30
Shield's up gives the same result with and without your iptables firewall because the router is acting as a firewall. You can go to http://192.168.1.1/ in a browser to look at the router settings. The router firewall (hardware firewall) is really all that you need to protect you from the outside world, but it doesn't hurt to set up an iptables firewall also. SSH uses port 22, so all you have to do is open that port and you should be able to share files between your pcs. If you want to be able to ssh from outside your network to your pcs, you will need to make a hole in the router firewall. But if you do this make sure you have a good password because some bonehead will try to break in through ssh.
 
Old 05-30-2006, 04:15 PM   #3
cothrige
Member
 
Registered: Oct 2003
Distribution: Debian, Slackware
Posts: 48

Original Poster
Rep: Reputation: 15
That is what I figured, and why I checked Shield's Up without the firewall. I was curious if it was running one as well. But, I thought that I should run a firewall on my computers also, just to be safe you know.

I guess I could shut off the firewalls altogether, but I suppose it just makes me a little nervous. And port 22 appears to be open on my firewall, and I tried opening up the local network, i.e. 192.168.15.100/24, but that didn't help. Since these services do work without the iptables firewalls up I would assume that there is nothing in the router which is interfering. And I certainly didn't want to allow anything in from outside of my home connections, so it would seem that at first glance nothing in the hardware really needs changing. But, that leaves me with iptables scripts, which just escape me in general.

So, if I were interested in keeping an iptables firewall running, could you recommend anyplace to start for setting up something basic and simple that will allow me to use SSH and such?

Thanks for the help,

Patrick
 
Old 05-30-2006, 04:23 PM   #4
ssfrstlstnm
Member
 
Registered: Dec 2004
Location: IN, USA
Distribution: debian etch
Posts: 402

Rep: Reputation: 30
I have never messed with iptables directly. I use shorewall which uses config files to set up iptables. I find it a bit easier. If you are using KDE, guarddog is a gui setup for iptables. If you want, I can post my shorewall rules when I get home.
 
Old 05-30-2006, 05:01 PM   #5
cothrige
Member
 
Registered: Oct 2003
Distribution: Debian, Slackware
Posts: 48

Original Poster
Rep: Reputation: 15
Thanks for that. I would very much like to see how that works, as I have never braved shorewall. I had thought that it was for standalone routers, and I have never used one. If you could make a suggestion about how to set such a thing up and get it running I would love to give it a try.

Unfortunately, I don't run KDE. I am using Ion3 on Slackware 10.2, so I have not had a lot of the tools to make these things simple. In most situations I can work through these things eventually, with a lot of reading and searching, but iptables has been one of my banes. That and ALSA. The mere sight of those four letters sends me running for the hills, and iptables just confuses me to death.

Patrick
 
Old 05-30-2006, 05:56 PM   #6
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 77
Quote:
Originally Posted by cothrige
but I am wondering how I can share files again via SSH over that same ethernet connection?
Hi Patrick.
Do you only want to be able to ssh from and to computers in the LAN (private IPs), or do you want to be able to SSH to one (or both) of your LAN computers from outside? Shields Up is only relevant from outside (it knows nothing about your internal LAN). Your DSL router uses NAT for incoming connections (and it by default should allow no or little traffic). Generally, the router does NOT perform filtering on packets inside the network.

You have to provide us more information about your computers' netfilter setups. Please post the output of
Code:
$ iptables -nvL
for both computers.
 
Old 05-30-2006, 06:09 PM   #7
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 77
Quote:
Originally Posted by cothrige
I recently upgraded from a dialup to DSL and additionally added a Linksys router so that two computers could share the internet. Before this I had a crossover cable connecting the two machines directly and was using SSH to share files, and was also using one computer as a gateway so that I could access the internet on both computers if I needed to. Of course, with the router I can use the internet easily on both computers, but I am wondering how I can share files again via SSH over that same ethernet connection?

I have been running firewalls on the two computers, and they seem to work okay as far as I can tell.
Hello again.
What did you change in the firewall scripts when you switched to DSL?

Try this:
  • Unplug the computers from the router
  • Hook them up to each other with a X-over cable.
  • Don't change the firewall rules (yet).
  • If necessary, temporarily assign the machines sane ips (something like
  • You should be able to ping each other and should not be able to access the internet.
Try ssh'ing now. I do not think you will be able to. I suspect that you inadvertently changed the firewall rules when you reconfigured. As per my other post, please give us the output of `iptables -nvL'. Also tell us what options you selected at http://easyfwgen.morizot.net/gen.

By taking a quick look at the site, here's what I think you should have done:
Check `Allow Inbound Services'
It will then ask you what services. Check ssh.
 
Old 05-30-2006, 06:41 PM   #8
ssfrstlstnm
Member
 
Registered: Dec 2004
Location: IN, USA
Distribution: debian etch
Posts: 402

Rep: Reputation: 30
Here are the files from my shorewall config. You may also want to take a look at shorewall.conf. There is a package for slackware, but the config files might be in a different place than /etc/shorewall.

/etc/shorewall/rules
Code:
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL    RATE            USER/
#                                               PORT    PORT(S)    DEST        LIMIT           GROUP
#dns
ACCEPT   net            fw              udp     53
ACCEPT   net            fw              tcp     53
#ftp
#ACCEPT  net            fw              tcp     21
#apache
ACCEPT   net            fw              tcp     80
#mysql
#ACCEPT  net            fw              tcp     3306
#email
ACCEPT   net            fw              tcp     25
#ssh
ACCEPT   net            fw              tcp     22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/zones
Code:
#       #ZONE   DISPLAY         COMMENTS
net     Internet        The big bad Internet
loc     Local           Local Network
dmz     DMZ             Demilitarized zone.
/etc/shorewall/policy
Code:
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info
#
#LAST LINE -- DO NOT REMOVE
/etc/shorewall/interfaces
Code:
#ZONE    INTERFACE      BROADCAST       OPTIONS
#net     ppp0           -
 net     eth0           detect          dhcp
 loc     eth1           detect
 dmz     eth2           detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 
Old 05-30-2006, 07:45 PM   #9
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 77
Nothing to see here. Move along.

Last edited by osor; 05-30-2006 at 10:19 PM.
 
Old 05-30-2006, 10:00 PM   #10
cothrige
Member
 
Registered: Oct 2003
Distribution: Debian, Slackware
Posts: 48

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by osor
Do you only want to be able to ssh from and to computers in the LAN (private IPs), or do you want to be able to SSH to one (or both) of your LAN computers from outside? Shields Up is only relevant from outside (it knows nothing about your internal LAN). Your DSL router uses NAT for incoming connections (and it by default should allow no or little traffic). Generally, the router does NOT perform filtering on packets inside the network.
Yes, I was only interested in using ssh on the LAN, not with any computers outside. I had kept the firewalls up since I had really not wanted to risk anything from outside of my home. I am kind of a paranoid and really didn't want to do anything questionable.

As for my output from iptables, let me do a bit more and add a little to my situation and see if you or any others can offer any advice. As I had mentioned I was running a script from Easy Firewall Generator, and this had not changed from before the DSL and after. Since trying to use SSH I had changed several settings though this did not help. I could ping and use SSH if I ran without a firewall at all, but not with it.

However, I did some searching around and found this very, very basic firewall and it did seem to work. Being so ignorant I am afraid I am unsure if it really is very secure, but using it I could add a couple of rules for the LAN and could then connect. I added the two lines regarding the LAN and SSH, and it did allow through the SSH connections and so on. I will post it in full, as it is short. Please let me know where I have messed up with this.

Code:
#!/bin/sh
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
#modprobe ip_conntrack_ftp

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# This is what I have added
iptables -A INPUT -i eth0 -s 192.168.15.100/24 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.15.100/24 -p tcp --dport 22 -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Any thoughts? As for the output from 'iptables -nvL' here it is:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4   284 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       192.168.15.0/24      0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       192.168.15.0/24      0.0.0.0/0            tcp dpt:22
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
I would love to know just what I need to add to tighten this up, or fix it if it is completely junk. I really do like to keep things as safe as possible and just don't really feel comfortable trusting the router alone, but I do want to be able to connect the two computers and share the printer and files. Many thanks for the help and advice.

Patrick
 
Old 05-30-2006, 10:05 PM   #11
cothrige
Member
 
Registered: Oct 2003
Distribution: Debian, Slackware
Posts: 48

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by ssfrstlstnm
Here are the files from my shorewall config. You may also want to take a look at shorewall.conf. There is a package for slackware, but the config files might be in a different place than /etc/shorewall.
...
Many thanks for that. I have to say I am really lost with such, but I may just give it a try. Quick question, just where is the stuff regarding the LAN itself as opposed to the internet? What would I use to stop port 22 on the internet but allow it on the LAN? Is that possible?

Thanks again for the info and I will certainly be looking into that.

Patrick
 
Old 05-30-2006, 10:09 PM   #12
ssfrstlstnm
Member
 
Registered: Dec 2004
Location: IN, USA
Distribution: debian etch
Posts: 402

Rep: Reputation: 30
Maybe you thought cothrige posted that. I have so many ports open because I have a web server and email server. Of course he wouldn't need to open 80 and 25 for just ssh. I'm not sure about your suggestions, but I do know that the rules I posted work for me. I can ssh between computers on my local network, and if I open the router firewall I can ssh from outside. Notice some of the ports are commented out in the rules file so not open. Also in the policy file, the first rule takes precedence over the second rule and so on, so everything from fw (local pc) to the net is allowed and everything from the net to the fw is dropped (except for exceptions in the rule file).
 
Old 05-30-2006, 10:18 PM   #13
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 77
Quote:
Originally Posted by ssfrstlstnm
Maybe you thought cothrige posted that. I have so many ports open because I have a web server and email server. Of course he wouldn't need to open 80 and 25 for just ssh. I'm not sure about your suggestions, but I do know that the rules I posted work for me. I can ssh between computers on my local network, and if I open the router firewall I can ssh from outside. Notice some of the ports are commented out in the rules file so not open. Also in the policy file, the first rule takes precedence over the second rule and so on, so everything from fw (local pc) to the net is allowed and everything from the net to the fw is dropped (except for exceptions in the rule file).
I'm sorry, LOL! I guess I'm too tired and didn't look at the poster. I am not familiar with shorewall, and I was just guessing as to what might be the problem (if one were occurring) using iptables knowledge.

NOTE to cothrige: ignore everything I said about shorewall, as it is most probably wrong.
 
Old 05-30-2006, 10:44 PM   #14
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 77
Quote:
Originally Posted by cothrige
Code:
#
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# This is what I have added
iptables -A INPUT -i eth0 -s 192.168.15.100/24 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.15.100/24 -p tcp --dport 22 -j ACCEPT
Any thoughts?

I would love to know just what I need to add to tighten this up, or fix it if it is completely junk. I really do like to keep things as safe as possible and just don't really feel comfortable trusting the router alone, but I do want to be able to connect the two computers and share the printer and files. Many thanks for the help and advice.

Patrick
One of the things I see is that where it says (in the comment) `Allow UDP, DNS and Passive FTP' but I was under the assumption that the line following it is pretty much required (for a lot of stuff including plain old web-browsing). I don't think that comment and the line following it are connected (how the hell is that considered allowing UDP and DNS?). The other thing is that I don't think you need the second line you added (the packet will already be accepted and will never reach there). So you can safely remove the `... -p tcp --dport ...' line. As for security, it is as secure as you are going to get if you continue trusting your LAN. The only potential problem (which I don't think exists) is if the Linksys router doesn't drop invalid TCP packets from the WAN port (i.e., someone on the internet spoofs 192.168.15.4 and gets past your router into your wide open LAN. Even if they did that, however, there is no way for them to get anything done with one packet). You aren't going to be able to avoid this without opening specific services manually, which is a PITA for LAN traffic.
 
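The script in post #10 and osor's review of it in post #14 boil down to a few rules: default DROP, loopback, ESTABLISHED,RELATED for replies to what the host started, and then what the LAN may open. Below is an added example (not cothrige's script and not something anyone in the thread posted) that applies those points and also answers the question from post #11: ssh is accepted only from the LAN subnet on the LAN interface, so nothing from the internet side can reach port 22 even if the router were to forward it. The interface name eth0 and subnet 192.168.15.0/24 are taken from the thread; the helper names (`allow_lan_tcp`, `show_rules`) and the `IPT=echo` dry-run switch are this example's own. It drops INVALID packets before the ESTABLISHED,RELATED accept, replaces the blanket "accept everything from the LAN" rule with one explicit rule per service, and rate-limits the LOG target so a scan cannot flood the log.

```shell
#!/bin/sh
# Added example, not from the thread: host firewall for a single-homed LAN
# machine behind a NAT router.
# Assumptions: LAN interface eth0 and LAN subnet 192.168.15.0/24 (from the
# thread); the function names and the IPT dry-run switch are this example's.
#
# Usage:   sh lanfw.sh apply            (as root: apply the rules)
#          IPT=echo sh lanfw.sh apply   (dry run: print the iptables commands)

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.15.0/24}"
# Every rule is issued through $IPT; set IPT=echo to see the commands instead.
IPT="${IPT:-iptables}"

# Wipe all tables and user chains so re-running the script is idempotent.
flush_rules() {
    for t in filter nat mangle; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
    done
}

# Accept NEW TCP connections to one local port, but only from the LAN subnet
# and only when they arrive on the LAN interface. One call per service the
# LAN may reach, instead of a blanket "-s $LAN_NET -j ACCEPT".
allow_lan_tcp() {
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$1" \
        -m state --state NEW -j ACCEPT
}

apply_rules() {
    flush_rules

    # Nothing comes in unless a rule below allows it. The box is not a
    # router, so FORWARD is dropped as well; outbound is unrestricted.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Loopback is unrestricted.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Packets conntrack cannot tie to any connection (stray ACKs, bad flag
    # combinations, spoofed replies) are dropped before any ACCEPT rule.
    "$IPT" -A INPUT -m state --state INVALID -j DROP

    # Replies to connections this host opened (DNS answers, web pages,
    # passive-FTP data). This line makes outbound use work; it lets nobody
    # open a new connection to the host.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services the LAN may open. Only ssh here; add more with allow_lan_tcp.
    allow_lan_tcp 22

    # Log what is about to be dropped, rate-limited so a port scan cannot
    # fill the log, then drop it silently (no REJECT, so no reply is sent).
    "$IPT" -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "INPUT DROP: "
    "$IPT" -A INPUT -j DROP
}

# Dry run in a subshell: prints the rules that apply_rules would issue,
# one per line, without touching the running kernel tables.
show_rules() {
    ( IPT=echo; apply_rules )
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  show_rules ;;
esac
```

After applying, `iptables -nvL INPUT` should show the INVALID drop above the RELATED,ESTABLISHED accept, a single `tcp dpt:22` line whose source column is 192.168.15.0/24 and whose `in` column is eth0, and the LOG/DROP pair at the bottom; an ssh connection from the other LAN machine should bump the counter on the dpt:22 line and nothing else. Printer or file sharing on the LAN gets its own `allow_lan_tcp` call rather than a reopened blanket rule. The source and interface match is all a host can do against a packet that arrives with a forged LAN address; the router's NAT, which will not forward an unsolicited connection from the WAN without a port-forward entry, is the real defence osor refers to.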
Old 05-31-2006, 12:44 AM   #15
cothrige
Member
 
Registered: Oct 2003
Distribution: Debian, Slackware
Posts: 48

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by osor
One of the things I see is that where is says (in the comment) `Allow UDP, DNS and Passive FTP' but I was under the assumption that the line following it is pretty much required (for a lot of stuff including plain old web-browsing)...
Yeah, I actually wondered about that myself. That line has been in every iptables script I have used, and I had always thought that it was concerned with allowing in only traffic that I had initiated. So, I left it there assuming that it was needed.

And good to know about the second line. I put it in there thinking that my port may not be open to the LAN even after allowing the traffic in with the first line. But, now thinking about it I can see what you mean and I will fix that. No reason to have unnecessary stuff, as there is no way of being sure what it may do.

Thanks again for the info and the tips on this firewall. I am just glad to see things running along as they used to with some remaining hope of continued security.

Patrick
 