Page 2 of 3 FirstFirst 1 2 3 LastLast
Results 11 to 20 of 23
  #11 Lazydog (Linux Guru). Join Date: Jun 2004. Location: The Keystone State. Posts: 2,677

    Quote Originally Posted by vytas:
    I added your rules (except the ones related to forwarding) with no luck. I still can't connect to local server through SSH from the internet. Pity I cannot test and play with it thoroughly since it's production environment and I add rules mostly remotely I'm curious what I do wrong. As I understand there is no need to add FORWARD rules if FORWARD policy is set to ACCEPT. And there are very few examples of SSH forwarding on the net that I found.
    If you have any other ideas, please let me know.
    Here is the problem with your thought process. If you set FORWARD to ACCEPT then you allow all packets through the firewall, so you might just as well shut it off. If you are running a firewall you should be setting all access to DROP and then allow what you need to go through.

    Can you post the output from the following command?

    Code:
    route -n

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  #12 Just Joined! Join Date: Sep 2011. Location: Lithuania. Posts: 17
    Quote Originally Posted by Lazydog:
    If you are running a firewall you should be setting all access to DROP and then allow what you need to go through.
    I think the firewall isn't OFF because INPUT policy is set to DROP.

    Here is route -n:
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    <WAN-BC>    0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         <WAN-GW>    0.0.0.0         UG    0      0        0 eth0
    0.0.0.0         <WAN-GW>    0.0.0.0         UG    1      0        0 eth0

  #13 Lazydog (Linux Guru). Join Date: Jun 2004. Location: The Keystone State. Posts: 2,677
    Am I understanding this correctly: you have eth1 assigned two different IP addresses?

    What is the output of the following command:

    Code:
    ifconfig

    Regards
    Robert


  #14 Just Joined! Join Date: Sep 2011. Location: Lithuania. Posts: 17
    Quote Originally Posted by Lazydog:
    What is the output of the following command:
    Code:
    ifconfig
    ifconfig:
    Code:
    eth0      Link encap:Ethernet  HWaddr <MAC>
              inet addr:<WAN-IP>  Bcast:<WAN-BC>  Mask:255.255.255.0
              inet6 addr: <WAN-IP> Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:20083755 errors:0 dropped:8610 overruns:0 frame:0
              TX packets:20318709 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:2242641031 (2138.7 Mb)  TX bytes:3347935774 (3192.8 Mb)
              Interrupt:9 Base address:0x8000 
    
    eth1      Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03  
              inet addr:10.1.1.254  Bcast:10.1.1.255  Mask:255.255.255.0
              inet6 addr: fe80::215:5dff:fe01:c03/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:20741018 errors:0 dropped:89 overruns:0 frame:0
              TX packets:17898814 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:3422739442 (3264.1 Mb)  TX bytes:2761947693 (2633.9 Mb)
              Interrupt:9 Base address:0x2000 
    
    eth1:1    Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03  
              inet addr:10.1.1.251  Bcast:10.1.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:9 Base address:0x2000 
    
    eth1:2    Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03  
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:9 Base address:0x2000 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:8 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:536 (536.0 b)  TX bytes:536 (536.0 b)

  #15 Lazydog (Linux Guru). Join Date: Jun 2004. Location: The Keystone State. Posts: 2,677
    Another thought. Is your ISP blocking port 22?

    Regards
    Robert


  #16 Just Joined! Join Date: Sep 2011. Location: Lithuania. Posts: 17
    Quote Originally Posted by Lazydog:
    Another thought. Is your ISP blocking port 22?
    No, I can connect to the firewall from the outside through port 22 with no problems.
    It's difficult to find the problem. Because of my lack of knowledge in iptables and because I can't test production network easily (the company must have the connection 24/7), I guess I will use another local machine to reach that server. It would just be more convenient to connect directly to that server...

  #17 Lazydog (Linux Guru). Join Date: Jun 2004. Location: The Keystone State. Posts: 2,677
    I overlooked a simple setting in the firewall that needs to be set, sorry.

    This is what I told you before:

    Code:
    # Setup FORWARD Rules
    iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -m state --state NEW -j ACCEPT
    What it should be is:

    Code:
    # Setup FORWARD Rules
    iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -p tcp -m tcp -d 10.1.1.16 --dport 22 -m state --state NEW -j ACCEPT
    iptables -A FORWARD -i eth1 -m state --state NEW -j ACCEPT
    We still need to allow the connection to be forwarded after we made the change to the packet's destination.

    Regards
    Robert


  #18 Just Joined! Join Date: Sep 2011. Location: Lithuania. Posts: 17
    Quote Originally Posted by Lazydog:
    I overlooked a simple setting in the firewall that needs to be set, sorry.

    This is what I told you before:

    Code:
    # Setup FORWARD Rules
    iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -m state --state NEW -j ACCEPT
    What it should be is:

    Code:
    # Setup FORWARD Rules
    iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -p tcp -m tcp -d 10.1.1.16 --dport 22 -m state --state NEW -j ACCEPT
    iptables -A FORWARD -i eth1 -m state --state NEW -j ACCEPT
    We still need to allow the connection to be forwarded after we made the change to the packet's destination.
    No change.
    Forward policy is still ACCEPT! So there is no difference whether any FORWARD rules exist or not, if I'm not wrong. Anyway, I tried your newest update with no luck...

  #19 Lazydog (Linux Guru). Join Date: Jun 2004. Location: The Keystone State. Posts: 2,677
    There has got to be something in another rule/chain that is stopping this. Can you post your complete rule set?
    And does the ssh server see any traffic at all from the firewall?

    Regards
    Robert


  #20 Just Joined! Join Date: Sep 2011. Location: Lithuania. Posts: 17
    Quote Originally Posted by Lazydog:
    There has got to be something in another rule/chain that is stopping this. Can you post your complete rule set?
    And does the ssh server see any traffic at all from the firewall?
    Ok, so the situation is the following:

    I can't ping from firewall to ssh server.
    The ssh server receives ping requests (I see in logs), but firewall doesn't receive the answers.
    I can ping from ssh server to firewall.
    I can ping from firewall to any other machine.
    I can't do ssh directly from firewall to ssh server (using ssh command).
    The ssh server receives ssh requests (I see in logs), but firewall doesn't receive response from ssh server.
    I can ping from any other machine to ssh server.
    I can connect to ssh server through ssh from any other machine except firewall.

    So it looks like firewall somehow blocks all responses from ssh server.
    What do you think could be a problem here?

    This is my complete iptables script file without any edits (except my public IP changed).

    Code:
    #!/bin/bash
    
    # Flush all rules, and all custom tables
    iptables --flush
    iptables --delete-chain
    iptables -t nat --flush
    iptables -t nat --delete-chain
    iptables -t mangle --flush
    iptables -t mangle --delete-chain
    
    # Set default policies for all three default chains
    iptables -P INPUT DROP
    iptables -P FORWARD ACCEPT
    
    # It's probably safe to let all the output go freely
    iptables -P OUTPUT ACCEPT
    
    # Enable free use of loopback interfaces
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # All TCP sessions should begin with SYN
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    
    # Accept inbound ICMP messages
    iptables -A INPUT -p ICMP --icmp-type 8 -s 10.1.1.0/24 -j ACCEPT
    
    # Don't restrict activity from local network
    iptables -A INPUT -s 10.1.1.0/24 -j ACCEPT
    
    # Allow all forwarding from LAN to WAN. Without this LAN computers can't communicate with the outside world, e.g. browse the internet
    # iptables -A FORWARD -i eth1 -j ACCEPT
    
    # Allow SSH
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # LOG --log-level = info. All log messages should appear in /var/log/messages
    # Tomas / change made: IP address changed to the new one.. Tomas
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s <SOME-IP> -d <PUBLIC-IP> -i eth0 -j LOG --log-level 6 --log-prefix "Jungiasi Tomas: "
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s <SOME-IP> -d <PUBLIC-IP> -i eth0 -j ACCEPT
    
    # Tomas
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s <SOME-IP> -d <PUBLIC-IP> -i eth0 -j LOG --log-level 6 --log-prefix "Jungiasi Tomas: "
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s <SOME-IP> -d <PUBLIC-IP> -i eth0 -j ACCEPT
    
    # Vytas (work)
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s <SOME-IP> -d <PUBLIC-IP> -i eth0 -j LOG --log-level 6 --log-prefix "Jungiasi Vytas: "
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s <SOME-IP> -d <PUBLIC-IP> -i eth0 -j ACCEPT
    
    # Vytas (home)
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s <SOME-IP> -d <PUBLIC-IP> -i eth0 -j LOG --log-level 6 --log-prefix "Jungiasi Vytas: "
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s <SOME-IP> -d <PUBLIC-IP> -i eth0 -j ACCEPT
    
    
    # -m limit --limit 1/minute - rule is matched no more than once a minute to prevent unnecessary logging
    # Remote desktop to Windows Server 2008 host
    # Tomas
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 3389 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Tomas RDP: "
    # iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.1.1.1:3389
    
    # Tomas
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 3389 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Tomas RDP: "
    # iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.1.1.1:3389
    
    # Vytas (work)
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 3389 -i eth0 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Vytas RDP: "
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 3389 -i eth0 -j DNAT --to-destination 10.1.1.1:3389
    
    # Vytas (home)
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 3389 -i eth0 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Vytas RDP: "
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 3389 -i eth0 -j DNAT --to-destination 10.1.1.1:3389
    
    # Remote desktop to call records Win XP
    # Vytas (work)
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33891 -i eth0 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Vytas RDP: "
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33891 -i eth0 -j DNAT --to-destination 10.1.1.253:3389
    
    # Vytas (home)
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33891 -i eth0 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Vytas RDP: "
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33891 -i eth0 -j DNAT --to-destination 10.1.1.253:3389
    
    # Sarunas
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33891 -i eth0 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Sarunas RDP: "
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33891 -i eth0 -j DNAT --to-destination 10.1.1.253:3389
    
    # Remote desktop to ProAssist Windows Server 2003
    # Vytas (work)
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33892 -i eth0 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Vytas RDP: "
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33892 -i eth0 -j DNAT --to-destination 10.1.1.58:3389
    
    # Vytas (home)
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33892 -i eth0 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Vytas RDP: "
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33892 -i eth0 -j DNAT --to-destination 10.1.1.58:3389
    
    # Pavel Weiss
    # iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33892 -i eth0 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Pavel RDP: "
    # iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33892 -i eth0 -j DNAT --to-destination 10.1.1.58:3389
    
    # Connect to Butent MySQL DB from outside
    # Menulio g. Vida
    # iptables -A INPUT -p tcp --dport 3306 -s <SOME-IP> -d <PUBLIC-IP> -j ACCEPT
    # iptables -A INPUT -p tcp --dport 3306 -d <PUBLIC-IP> -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Bandoma jungtis: "
    iptables -A INPUT -p tcp --dport 3306 -s <SOME-IP> -d <PUBLIC-IP> -i eth0 -j ACCEPT
    
    # Vytas (work)
    iptables -A INPUT -p tcp --dport 3306 -s <SOME-IP> -d <PUBLIC-IP> -i eth0 -j ACCEPT
    
    # Remote desktop to Windows Server 2008 Virtual server (File server)
    # Vytas (work)
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33893 -i eth0 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Vytas RDP: "
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33893 -i eth0 -j DNAT --to-destination 10.1.1.15:3389
    
    # Vytas (home)
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33893 -i eth0 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Vytas RDP: "
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33893 -i eth0 -j DNAT --to-destination 10.1.1.15:3389
    
    # Olga Butenta
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33893 -i eth0 -m limit --limit 1/minute -j LOG --log-level 6 --log-prefix "Jungiasi Olga RDP: "
    iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 33893 -i eth0 -j DNAT --to-destination 10.1.1.15:3389
    
    
    # SSH to Backup server (Slackware)
    # Vytas (work)
    # iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 2222 -m state --state NEW -j LOG --log-level 6 --log-prefix "Varle: "
    # iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 2222 -m state --state NEW -j DNAT --to-destination 10.1.1.16:22
    
    # Vytas (home)
    # iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 2222 -m state --state NEW -j LOG --log-level 6 --log-prefix "Jungiasi Vytas SSH: "
    # iptables -t nat -A PREROUTING -s <SOME-IP> -d <PUBLIC-IP> -p tcp -m tcp --dport 2222 -m state --state NEW -j DNAT --to-destination 10.1.1.16:22
    
    iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 22299 -m state --state NEW -d <PUBLIC-IP> -j DNAT --to-destination 10.1.1.16:22
    
    # Setup FORWARD rules
    # iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -A FORWARD -i eth0 -p tcp -m tcp -d 10.1.1.16 --dport 22 -m state --state NEW -j ACCEPT
    
    # Masquerading (should be used with dynamic public IP)
    # Masquerade connections from Altas main LAN
    # iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
    # Masquerade connections from Altas wireless LAN
    #iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
    
    # NAT to public IP
    # NAT connections from Altas main LAN
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j SNAT --to-source <PUBLIC-IP>
    # NAT connections from Altas wireless LAN
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source <PUBLIC-IP>
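The rule set the thread is working toward, written out as an added example rather than code from either poster: the DNAT in PREROUTING, the matching FORWARD accept that post #17 adds (with FORWARD policy DROP so that rule is what admits the flow), and SNAT restricted to the WAN interface. eth0/eth1, 10.1.1.0/24 and the 22299 -> 10.1.1.16:22 mapping are the thread's; the public IP is a TEST-NET-2 placeholder, and the `ipt` wrapper, `DRY_RUN` switch and function names are this example's own. One difference from the posted script worth checking on the box: its POSTROUTING SNAT rules carry no `-o`, and locally generated packets pass POSTROUTING too, so the firewall's own packets into 10.1.1.0/24 get their source rewritten to the public IP.

```shell
#!/bin/sh
# Added example, not code from the thread. Minimal DNAT port-forward for SSH in
# the shape Lazydog describes in #17, but with FORWARD policy DROP so the
# explicit FORWARD rule is what admits the redirected connection.
# eth0/eth1, 10.1.1.0/24 and the 22299 -> 10.1.1.16:22 mapping come from the
# thread; PUBLIC_IP is a placeholder (TEST-NET-2). DRY_RUN=1 prints, not applies.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.1.1.0/24}"
PUBLIC_IP="${PUBLIC_IP:-198.51.100.10}"
SSH_HOST="${SSH_HOST:-10.1.1.16}"
SSH_PORT="${SSH_PORT:-22299}"

# Wrapper: run iptables, or print the would-be command line when DRY_RUN=1.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "iptables $*"; else iptables "$@"; fi
}

# The kernel must route between interfaces at all, or FORWARD never sees a packet.
enable_forwarding() {
  [ "${DRY_RUN:-0}" = 1 ] || sysctl -q -w net.ipv4.ip_forward=1
}

# Default-deny on INPUT and FORWARD; the rules below open only what is needed.
set_policies() {
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT
}

# 1. Rewrite WAN:22299 to the SSH host (nat/PREROUTING).
# 2. Admit that rewritten flow in FORWARD: the step #17 says was missing.
# 3. Replies, and anything the LAN initiates towards the WAN.
# 4. SNAT only what leaves through the WAN interface. Without -o, a POSTROUTING
#    SNAT also rewrites packets the firewall itself sends into the LAN (locally
#    generated packets pass POSTROUTING too) and LAN-to-LAN traffic it routes.
forward_ssh() {
  ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport "$SSH_PORT" \
      -j DNAT --to-destination "$SSH_HOST:22"
  ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SSH_HOST" -p tcp --dport 22 \
      -m state --state NEW -j ACCEPT
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
  ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

# Per-rule counters show whether redirected packets actually reach FORWARD.
show_state() {
  ipt -t nat -nvL PREROUTING --line-numbers
  ipt -nvL FORWARD --line-numbers
}

case "${1:-}" in
  apply)   enable_forwarding; set_policies; forward_ssh; show_state ;;
  dry-run) DRY_RUN=1; set_policies; forward_ssh ;;
esac
```

Saved as, say, ssh-forward.sh, `sh ssh-forward.sh dry-run` prints the rule set without touching the kernel and `sh ssh-forward.sh apply` installs it and lists the counters.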
