LinuxQuestions.org

Linux - Newbie: SSH from outside my network. (https://www.linuxquestions.org/questions/linux-newbie-8/ssh-from-outside-my-network-4175472149/)

NotAComputerGuy 08-14-2013 06:00 AM

Firerat, I'm really sorry to be such a newbie, but could you be a little more explicit in how I would use that? I've copied that into a file, made it executable and placed it in /etc/openvpn/ but I'm unsure what I do with it? Or should I just run it? Will that 'fix' openvpn until it updates? What did you mean by to get it to write add -i?

Thank you for your time and effort, I'm sorry for being quite confused

Firerat 08-14-2013 07:34 AM

Quote:

Originally Posted by NotAComputerGuy (Post 5009064)
Firerat, I'm really sorry to be such a newbie, but could you be a little more explicit in how I would use that? I've copied that into a file, made it executable and placed it in /etc/openvpn/ but I'm unsure what I do with it? Or should I just run it? Will that 'fix' openvpn until it updates? What did you mean by to get it to write add -i?

Thank you for your time and effort, I'm sorry for being quite confused

Sorry, my fault :)

It is just a sed (stream editor).

Just copy and paste it 'as is'.

You will see /etc/init.d/openvpn, only a modified version.

If you do "sed -i -e ....." instead of "sed -e ....." it will edit 'inline', i.e. save the changes. (In this case you will need root.)
Actually, it is probably better to make it do a backup:
"sed -i.backup -e ....."
The original will be saved as openvpn.backup


Edit the "patch_script", replacing all of the YOUR.GATEWAY.IP.HERE, and add the -i.backup.
To 'execute' it, just do
Code:

sh /path/to/patch_script
What it is actually doing is

adding the below, just above the line "start_vpn () {":
Code:

fix_ssh () {
    # Policy routing: packets marked 65 use table "novpn", whose default route
    # is the real gateway on eth0 rather than the tunnel.
    # (A named table needs an entry in /etc/iproute2/rt_tables.)
    ip rule add fwmark 65 table novpn
    ip route add default via YOUR.GATEWAY.IP.HERE dev eth0 table novpn
    ip route flush cache
    # Mark sshd's replies (source port 22) so they leave via table novpn
    iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65
    # Do not accept SSH arriving over the tunnel itself
    iptables -A INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP
}
undo_fix_ssh () {
    # Reverse of fix_ssh, removing the rules in the opposite order
    iptables -D INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP
    iptables -t mangle -D OUTPUT -p tcp --sport 22 -j MARK --set-mark 65
    ip route del default via YOUR.GATEWAY.IP.HERE dev eth0 table novpn
    ip rule del fwmark 65 table novpn
    ip route flush cache
}

It is also adding "&& fix_ssh" and "&& undo_fix_ssh" to the end of the start_vpn and stop_vpn lines,
so whenever openvpn runs its start_vpn function it then runs the fix_ssh function (unless start_vpn fails), and the undo part runs when stop_vpn is run.

Technically it is a 'fudge', because it will blindly run for every VPN;
I assumed you only have the one client configured.

It is also a bit dumb in that it will keep adding the {undo_}fix_ssh functions.
You could fix that with

Code:

#!/bin/bash
# only patch if the functions are not already there
grep -q fix_ssh /etc/init.d/openvpn || sed ........

so the sed only runs if grep didn't find fix_ssh.

Hope that makes sense
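
The patch described in this post, as an added example that is not from the thread: Firerat's grep guard and sed (with -i.backup) wrapped in a function and run against a constructed stand-in for /etc/init.d/openvpn, so that the idempotency and the backup can be checked without touching a real system. The stand-in init script and the gateway address 192.168.0.1 are constructed; eth0, tun0 and mark 65 are taken from the posts above.

```shell
# Added example, not from the thread: Firerat's patch_script wrapped in a
# function and run against a constructed stand-in for /etc/init.d/openvpn.
set -e

# Constructed sample init script: only the lines the sed commands touch.
make_sample_init() {
  cat > "$1" <<'EOF'
#!/bin/sh
start_vpn () {
  echo "starting $NAME"
}
stop_vpn () {
  echo "stopping $NAME"
}
[ "$1" = start ] && start_vpn
[ "$1" = stop ] && stop_vpn
EOF
}

# patch_init FILE GATEWAY
# Inserts fix_ssh/undo_fix_ssh above "start_vpn () {" and chains them onto the
# start_vpn/stop_vpn calls. The grep guard makes a second run a no-op, and
# -i.backup leaves the original as FILE.backup.
patch_init() {
  grep -q fix_ssh "$1" && return 0
  sed -i.backup -e "/start_vpn ()/ i\\
fix_ssh () {\\
ip rule add fwmark 65 table novpn\\
ip route add default via $2 dev eth0 table novpn\\
ip route flush cache\\
iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65\\
iptables -A INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP\\
}\\
undo_fix_ssh () {\\
iptables -D INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP\\
iptables -t mangle -D OUTPUT -p tcp --sport 22 -j MARK --set-mark 65\\
ip route del default via $2 dev eth0 table novpn\\
ip rule del fwmark 65 table novpn\\
ip route flush cache\\
}" -e 's/start_vpn$/& \&\& fix_ssh/' -e 's/stop_vpn$/& \&\& undo_fix_ssh/' "$1"
}

# Demo on a temporary copy; the real target is /etc/init.d/openvpn, run as root.
f=$(mktemp)
make_sample_init "$f"
patch_init "$f" 192.168.0.1 && patch_init "$f" 192.168.0.1   # second run changes nothing
diff -u "$f.backup" "$f" || true
rm -f "$f" "$f.backup"
```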

NotAComputerGuy 08-15-2013 09:11 AM

Yes it made sense. Kind of. I think. Apologies.

I have an executable file located in /etc/openvpn/ (should it be called patch_script, is that where that came in? I couldn't find it mentioned before).

The file contains the following:
Code:

#!/bin/bash
grep -q fix_ssh /etc/init.d/openvpn || sed -i.backup -e '/start_vpn ()/ i fix_ssh () {\
ip rule add fwmark 65 table novpn\
ip route add default via 192.168.0.1 dev eth0 table novpn\
ip route flush cache\
iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65\
iptables -A INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP\
}\
undo_fix_ssh () {\
iptables -D INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP\
iptables -t mangle -D OUTPUT -p tcp --sport 22 -j MARK --set-mark 65\
ip route del default via 192.168.0.1 dev eth0 table novpn\
ip rule del fwmark 65 table novpn\
ip route flush cache\
}'\
  -e 's/start_vpn$/& \&\& fix_ssh/' \
  -e 's/stop_vpn$/& \&\& undo_fix_ssh/' \
/etc/init.d/openvpn

Which as root I run with "sh scriptname". I'm sorry if I seem to be taking this slowly. Thanks to yourselves the system works pretty well at the moment; I'm anxious not to break it, but also very aware that if I don't do anything then on the next reboot it will lose all its settings.

Firerat 08-15-2013 10:37 AM

Quote:

Originally Posted by NotAComputerGuy (Post 5009757)
Yes it made sense. Kind of. I think. Apologies.

I have an executable file located in /etc/openvpn/ (should it be called patch_script, is that where that came in? I couldn't find it mentioned before).

Which as root I run with "sh scriptname". I'm sorry if I seem to be taking this slowly. Thanks to yourselves the system works pretty well at the moment; I'm anxious not to break it, but also very aware that if I don't do anything then on the next reboot it will lose all its settings.

It's me, I'm really bad at naming things :)

patch_script = Script_to_patch_etc_init.d_openvpn
so yeah, "sh Script_to_patch_etc_init.d_openvpn"

To be honest I may have 'overcomplicated' it; I don't think it will make any difference whether the VPN is running or not.
I just like to undo things.

NotAComputerGuy 08-15-2013 03:26 PM

I managed to get it to run. Just out of interest, how come it wouldn't work with sudo (sh: 0: Can't open script), but would if I su'd into root? Just curiosity more than anything.

I'll test it tomorrow to ensure it all worked and let you know if it all works. :)

Thank you :)

Firerat 08-15-2013 07:31 PM

Honestly... I have no idea.
About the only difference I can think of is that I have sh symlinked to bash instead of dash (as I do LFS builds now and again).
But it should not present any problem to dash (in sh mode or full dash).
It is basically a one-liner (a long one-liner, but nothing 'complicated').

