unable to connect to my linux router from internet using ssh
Can someone help me with my iptables config for my RH 9.0 Linux router? I am using it as a DHCP server/gateway/firewall. Everything works fine: I can connect to it from my local LAN using ssh, however I can't connect to it from the internet using ssh.
I have added the following line to my firewall script, to allow incoming ssh connections from the internet. But haven't had luck yet. There is nothing in the log files about the incoming connection from the internet:

iptables -A INPUT -p tcp -i $INET_IFACE --sport 22 -j ACCEPT

Here is the complete script.....

#!/bin/sh
#
INET_IFACE="eth0"
LAN_IP="192.168.1.10"
LAN_IP_RANGE="192.168.1.0/24"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"

/sbin/depmod -a

#
# 2.1 Required modules
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
  -j ACCEPT

#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Special OUTPUT rules to decide which IP's to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

iptables -A INPUT -p tcp -i $INET_IFACE --sport 22 -j ACCEPT |
You probably want to have --dport 22 instead of --sport 22. You may also want to have your -i $INET_IFACE before the -p tcp.
iptables --append INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT This allows ssh to mine. |
Thank you very much for your helpful suggestion, I tried it and it worked great.
I have one more question for you though: in my iptables --list output I see a number of the following entries:

ACCEPT     all  --  anywhere             anywhere

My question is: don't these rules override the other security rules I am trying to put in place using iptables? Please see the complete output from the "iptables --list" command below.

[root@linuxrouter root]# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere           udp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh state NEW
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh state NEW
           udp  --  anywhere             anywhere           udp dpt:ssh
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh state NEW
ACCEPT     udp  --  anywhere             anywhere           udp dpt:ssh state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost.localdomain  anywhere
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere

Thanks again, |
Too much output for me to look through it all, sorry :-/ iptables -L -n -v gives a much more readable format (I find).
iptables matches rules in the order they appear in, so if you have a chain where the first rule says deny everything, then the second rule says accept everything, then only the first rule will be matched and everything will be denied. If you want to change the order, you need to drop everything then restore everything in order; look at man iptables-save and man iptables-restore. You may also find this place useful (http://www.linuxguruz.com/iptables/howto/). Luck, Liam |
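As an added example (not the poster's script and not code from any reply in this thread), here is a firewall script that puts both points from the replies into practice: the inbound SSH rule matches on --dport 22 with conntrack state NEW and names the interface before the protocol, and the script flushes the filter and nat tables before rebuilding them, so re-running it does not append another copy of every rule (the repeated blocks in the --list output above are what happens without a flush, and since the chain policies are DROP the order of the ACCEPT rules is what decides each packet). Interface names and addresses are the ones from the thread; the fake_iptables dry-run stand-in, the RULES_FILE variable and the override of IPTABLES are constructed for this example so the rule set can be inspected without root or a real netfilter.

```shell
#!/bin/sh
# Added example: idempotent iptables script for the router in this thread.
# IPTABLES defaults to the real binary; set IPTABLES=fake_iptables (below) or
# IPTABLES=echo for a dry run that only shows the rules.

INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_IP="192.168.1.10"
LAN_IP_RANGE="192.168.1.0/24"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Dry-run stand-in for iptables (constructed for this example, not a real
# tool): records every -A rule in $RULES_FILE and empties it on -F, which is
# enough to observe whether repeated runs duplicate rules.
fake_iptables() {
    case "$1" in
        -F) : > "$RULES_FILE" ;;                   # flush: forget all rules
        -t) shift 2; fake_iptables "$@" ;;         # ignore the table name
        -A) printf '%s\n' "$*" >> "$RULES_FILE" ;; # append: record the rule
        *)  ;;                                     # -P, -X: nothing to record
    esac
}

# Number of rules currently recorded by the stand-in.
count_rules() {
    wc -l < "$RULES_FILE" | tr -d ' '
}

# Build the whole policy from scratch. Safe to run repeatedly.
build_firewall() {
    # 1. Clean slate: flush and delete user chains in filter and nat, then
    #    set default-deny policies. Without this step every run appends a
    #    second copy of each rule, which is what the thread's --list shows.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -t nat -F
    $IPTABLES -t nat -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # 2. Trusted sources: the LAN, loopback, and DHCP requests from the LAN.
    $IPTABLES -A INPUT -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    $IPTABLES -A INPUT -i "$LO_IFACE" -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN_IFACE" -p udp --sport 68 --dport 67 -j ACCEPT

    # 3. Internet side: replies to connections we started, plus new SSH
    #    sessions. --dport 22 is the service we run; --sport 22 would only
    #    match packets whose *source* port happened to be 22.
    $IPTABLES -A INPUT -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$INET_IFACE" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 4. Forwarding and NAT for the LAN, and the router's own outbound traffic.
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -s "$LO_IP" -j ACCEPT
    $IPTABLES -A OUTPUT -s "$LAN_IP" -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INET_IFACE" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
}

# Entry point: "sh firewall.sh apply" applies the rules; with no argument the
# script only defines the functions so it can be sourced or dry-run.
if [ "${1:-}" = "apply" ]; then
    build_firewall
fi
```

Running build_firewall twice through the stand-in leaves the same eleven rules in place, whereas the poster's script, lacking the -F, grows by a full copy on every run; on a real box, iptables -L -n -v (as Liam suggests) or iptables-save shows the same duplication.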