LinuxQuestions.org

Linux - Server: running ssh problem (https://www.linuxquestions.org/questions/linux-server-73/running-ssh-problem-588418/)

raskin 10-08-2007 02:25 AM

No, I mean make iptables accept all incoming local traffic and also allow all outgoing local traffic.

satimis 10-16-2007 10:36 AM

Quote:

Originally Posted by raskin (Post 2916910)
No, I mean make iptables accept all incoming local traffic and also allow all outgoing local traffic.

If /etc/rc.local on the server is modified as follows:
Code:

# INPUT
#

# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d MGMT_NIC_IP -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 902

# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d MGMT_NIC_IP --reject-with icmp-port-unreachable

#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -A OUTPUT -j ACCEPT -s MGMT_NIC_IP -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -A OUTPUT -j ACCEPT -s MGMT_NIC_IP -p UDP --destination-port 53


#  to allow X forwarding, allow traffic to and from proxy X servers
#  This port range will allow up to 10 proxy servers to be running.

iptables -A OUTPUT -s 127.0.0.1 -p tcp --dport 6010:6019 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -p tcp --sport 6010:6019 -j ACCEPT

# reject all other traffic from localhost
iptables -A OUTPUT -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# reject all other traffic from the management interface NIC
iptables -A OUTPUT -j REJECT -s MGMT_NIC_IP --reject-with icmp-port-unreachable

ssh works both ways w/o problem with X forwarding. I don't know whether such a change would weaken the security on the server.


satimis
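As an added example (not part of the thread or of any VMware doc), a small POSIX shell audit that checks an `iptables-save`-style dump of the INPUT chain against the management-NIC policy posted above: every allow-listed port present, no ACCEPT outside that list, and the catch-all REJECT last. It assumes MGMT_NIC_IP is 192.0.2.10 and uses constructed dumps in place of real `iptables-save` output.

```shell
#!/bin/sh
# Constructed sample: what `iptables-save` would print for the INPUT chain after the
# rc.local rules above ran, with MGMT_NIC_IP replaced by 192.0.2.10 (assumption).
MGMT=192.0.2.10
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat >"$GOOD" <<EOF
-A INPUT -d $MGMT/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d $MGMT/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d $MGMT/32 -p tcp -m tcp --dport 8222 -j ACCEPT
-A INPUT -d $MGMT/32 -p tcp -m tcp --dport 8333 -j ACCEPT
-A INPUT -d $MGMT/32 -p tcp -m tcp --dport 902 -j ACCEPT
-A INPUT -d $MGMT/32 -j REJECT --reject-with icmp-port-unreachable
EOF
# Second constructed dump: catch-all REJECT lost and a stray ACCEPT appended.
grep -v 'REJECT' "$GOOD" >"$BAD"
printf '%s\n' "-A INPUT -d $MGMT/32 -p tcp -m tcp --dport 5900 -j ACCEPT" >>"$BAD"

# Does dump $1 hold an INPUT ACCEPT for TCP port $2 destined to the management address?
allows_tcp_in() {
    grep -q -- "^-A INPUT .*-d $MGMT/32 .*-p tcp .*--dport $2 -j ACCEPT" "$1"
}

# Print one line per deviation from the posted policy; prints nothing when the dump conforms.
audit_rules() {
    dump=$1
    for port in 22 8222 8333 902; do
        allows_tcp_in "$dump" "$port" || echo "missing INPUT ACCEPT for tcp/$port"
    done
    # Any ACCEPT on a port outside the allow-list widens the management NIC's exposure.
    grep -- "^-A INPUT .*-d $MGMT/32 .*--dport" "$dump" \
        | grep -E -v -- '--dport (22|8222|8333|902) ' \
        | sed 's/^/unexpected ACCEPT: /'
    # The last rule for the management address must be the catch-all REJECT.
    case $(grep -- "^-A INPUT .*-d $MGMT/32" "$dump" | tail -n 1) in
        *"-j REJECT"*) ;;
        *) echo "INPUT chain for $MGMT does not end with REJECT" ;;
    esac
}

audit_rules "$GOOD"   # conforming dump: no output
audit_rules "$BAD"    # two findings: stray ACCEPT and missing REJECT
```

On a live box, replace the constructed files with `iptables-save | grep '^-A INPUT'` and set MGMT to the real management address.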

raskin 10-16-2007 01:10 PM

Well, theoretically everything can somewhat reduce security. But if you already have a malicious process on the server where you ssh... Well, I would say that you have lost the server and need to reinstall it anyway. There is a significant risk that they have already cracked root. Then ssh can be already compromised. Well, yes, the chance to access your X server through forwarding can give an enemy an advantage when trying to take over your desktop (and -X is better than -Y from that point of view), but you still don't have options better than 'ssh -X' (though it is interesting whether VNC is better).

satimis 10-16-2007 07:37 PM

Quote:

Originally Posted by raskin (Post 2926429)
Well, theoretically everything can somewhat reduce security. But if you already have a malicious process on the server where you ssh... Well, I would say that you have lost the server and need to reinstall it anyway. There is a significant risk that they have already cracked root. Then ssh can be already compromised. Well, yes, the chance to access your X server through forwarding can give an enemy an advantage when trying to take over your desktop (and -X is better than -Y from that point of view), but you still don't have options better than 'ssh -X'

OK, I'll stick to the iptables rules suggested by that doc. I don't need to ssh into the server from a workstation with X forwarding except to remotely configure a headless server. Thanks for your advice.

Quote:

(though it is interesting whether VNC is better).
Which of the following would you recommend?
Code:

http://www.realvnc.com/

http://www.uvnc.com/

http://www.tightvnc.com/

???

What will be the difference in function between VNC and ssh? TIA


satimis

raskin 10-17-2007 03:08 PM

I used TightVNC. They recommend tunneling it through SSH to get encryption with no extra configuration. The benefit of VNC (compared to ssh) is that the entire VNC session is just a window on your desktop, so sniffing your keyboard requires finding an actual arbitrary-code-execution hole in TightVNC or a really obscure way to force vncviewer to deviate from acceptable behavior.
