LinuxQuestions.org

Linux - Security: unable to connect to my linux router from internet using ssh (https://www.linuxquestions.org/questions/linux-security-4/unable-to-connect-to-my-linux-router-from-internet-using-ssh-164018/)

shkkhanhyd 03-29-2004 11:35 PM

unable to connect to my linux router from internet using ssh
 
Can someone help me with my iptables config for my RH 9.0 Linux router? I am using it as a DHCP server/gateway/firewall. Everything works fine: I can connect to it from my local LAN using ssh, however I can't connect to it from the internet using ssh.

I have added the following line to my firewall script to allow incoming ssh connections from the internet, but I haven't had any luck yet.

There is nothing in the log files about the incoming connection from the internet.

iptables -A INPUT -p tcp -i $INET_IFACE --sport 22 -j ACCEPT

Here is the complete script:

#!/bin/sh
#

INET_IFACE="eth0"

LAN_IP="192.168.1.10"
LAN_IP_RANGE="192.168.1.0/24"
LAN_IFACE="eth1"


LO_IFACE="lo"
LO_IP="127.0.0.1"


IPTABLES="/sbin/iptables"

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE


echo "1" > /proc/sys/net/ipv4/ip_forward


$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP


#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT



#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

iptables -A INPUT -p tcp -i $INET_IFACE --sport 22 -j ACCEPT

liamoboyle 03-29-2004 11:56 PM

You probably want to have --dport 22 instead of --sport 22. You may also want to have your -i $INET_IFACE before the -p tcp.

iptables --append INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT

This allows ssh to mine.

shkkhanhyd 03-31-2004 10:58 AM

Thank you very much for your helpful suggestion. I tried it and it worked great.

I have one more question for you though: in my iptables --list output I see a number of the following entries.

ACCEPT all -- anywhere anywhere

My question is: don't these rules override the other security rules I am trying to put in place using iptables?

Please see the complete output from the "iptables --list" command below.

[root@linuxrouter root]# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT udp -- anywhere anywhere udp spt:ssh
ACCEPT tcp -- anywhere anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
udp -- anywhere anywhere udp dpt:ssh
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT udp -- anywhere anywhere udp dpt:ssh state NEW

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- 192.168.1.10 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- 192.168.1.10 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- 192.168.1.10 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- 192.168.1.10 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- 192.168.1.10 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- 192.168.1.10 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- 192.168.1.10 anywhere
ACCEPT all -- anywhere anywhere

Thanks again,

liamoboyle 03-31-2004 09:44 PM

Too much output for me to look through it all, sorry :-/ iptables -L -n -v gives a much more readable format (I find).

iptables matches rules in the order they appear in, so if you have a chain where the first rule says deny everything, then the second rule says accept everything, then only the first rule will be matched and everything will be denied. If you want to change the order, you need to drop everything then restore everything in order; look at man iptables-save and man iptables-restore. You may also find this place useful (http://www.linuxguruz.com/iptables/howto/).

Luck,
Liam
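Two things in this thread are easier to see with a model than with the raw listing: why the original `--sport 22` rule never matched an inbound ssh connection (the client picks an ephemeral source port, only the destination port is 22), and why the `ACCEPT all -- anywhere anywhere` entries are not as permissive as they look (the rules are `-i lo` and `-i eth1`, and `iptables --list` without `-v` simply does not print the interface columns; `iptables -L -n -v`, as Liam suggested, does). The duplicates themselves are explained by the script: it never flushes the chains (`-F`), so every run appends another full copy. The following Python model is an added example, not code from the thread. It reproduces iptables' first-match walk over the INPUT chain from the first post, with the `--dport 22` rule written against `eth0` because that is `$INET_IFACE` in this script (Liam's own line used `eth1` for his machine). The packets and addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on (what -i matches)
    proto: str          # "tcp", "udp", ...
    src: str            # source IP
    dst: str            # destination IP
    sport: int = 0
    dport: int = 0
    state: str = "NEW"  # conntrack state as "-m state" sees it


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT or DROP
    iface: Optional[str] = None          # -i  (None means any)
    proto: Optional[str] = None          # -p  (None means ALL)
    src: Optional[str] = None            # -s  CIDR
    sport: Optional[int] = None          # --sport
    dport: Optional[int] = None          # --dport
    states: Optional[frozenset] = None   # -m state --state

    def matches(self, p: Packet) -> bool:
        """Every specified field must match; unspecified fields match anything."""
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def evaluate(chain: List[Rule], policy: str, p: Packet) -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (verdict, index of the deciding rule), or (policy, None) if nothing matched."""
    for i, rule in enumerate(chain):
        if rule.matches(p):
            return rule.target, i
    return policy, None


EST = frozenset({"ESTABLISHED", "RELATED"})

# INPUT chain as built by the script in the first post, original --sport 22 rule last.
ORIGINAL_INPUT = [
    Rule("ACCEPT", iface="eth1", src="192.168.1.0/24"),
    Rule("ACCEPT", iface="lo"),   # printed as "ACCEPT all -- anywhere anywhere" by plain --list
    Rule("ACCEPT", iface="eth1", proto="udp", sport=68, dport=67),
    Rule("ACCEPT", iface="eth0", states=EST),
    Rule("ACCEPT", iface="eth0", proto="tcp", sport=22),   # the rule the question was about
]

# Same chain with the suggested rule instead: match destination port 22, new connections only.
FIXED_INPUT = ORIGINAL_INPUT[:-1] + [
    Rule("ACCEPT", iface="eth0", proto="tcp", dport=22, states=frozenset({"NEW"})),
]

# Constructed samples (documentation address ranges, not real hosts).
SSH_SYN_FROM_INTERNET = Packet("eth0", "tcp", "203.0.113.5", "198.51.100.1",
                               sport=51234, dport=22, state="NEW")
SSH_FROM_LAN = Packet("eth1", "tcp", "192.168.1.50", "192.168.1.10",
                      sport=40001, dport=22, state="NEW")
# A packet arriving on the internet side that claims a LAN source address:
# the LAN rule also requires -i eth1, so it does not match.
SPOOFED_LAN_SRC = Packet("eth0", "tcp", "192.168.1.77", "198.51.100.1",
                         sport=40002, dport=25, state="NEW")

# Liam's ordering point: a deny-everything rule ahead of an accept-everything rule.
DROP_FIRST = [Rule("DROP"), Rule("ACCEPT")]
ACCEPT_FIRST = [Rule("ACCEPT"), Rule("DROP")]


if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL_INPUT), ("fixed", FIXED_INPUT)):
        print(name, evaluate(chain, "DROP", SSH_SYN_FROM_INTERNET))
    # Re-running the script without flushing appends a second copy of every rule;
    # the verdicts do not change because the first copy still matches first.
    print("tripled", evaluate(FIXED_INPUT * 3, "DROP", SSH_SYN_FROM_INTERNET))
```

The model deliberately ignores everything the thread's rules do not use (no `-o`, no `-d`, no address ranges in `--sport`), so it is a reading aid for this chain, not a general iptables emulator. The `SPOOFED_LAN_SRC` case is the reason the `-i $LAN_IFACE` qualifier on the LAN accept rule matters: without it, any packet from the internet carrying a 192.168.1.x source address would be accepted by the first rule.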

