Iptables Issue? Not Connecting Via SSH From Outside
mikepara
Hi,

I am using the following iptables script and cannot connect via SSH to my server. I am using PuTTY to connect with ssh enabled.

Have also tried "pinging" the server and cannot get a reply (which in one respect can be a good thing). I can, however, ping back from the server to the remote computer which I am using to try and connect.

Any suggestions on how to modify to allow connection would be very much appreciated...or is there something I am doing wrong?

Thanks

Mike


#!/bin/sh
#
# Initial SIMPLE IP Firewall test script for 2.4.x
#
# Author: Oskar Andreasson <blueflux@koffein.net>
# © of BoingWorld.com, use at your own risk, do whatever you please with
# it as long as you don't distribute this without due credits to
# BoingWorld.com
#
# Modified by Haim Dimer (haim at dimer dot org)
#
# To install under Redhat : chkconfig --add iptables
# To install under Debian : update-rc.d iptables defaults 21

# chkconfig specific parameters follow
# iptables:
# chkconfig: 2345 82 80
# description: starts or stops netfilter rules

###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
# NOTE : even though I am lucky enough to have a static IP address on my
# interface connected to the Internet, this IP address is never
# mentioned anywhere. This way, if you connect to the Internet
# and receive a dynamic IP, you won't have to change too much stuff.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP_RANGE="192.168.0.0/24"
LAN_IP="192.168.0.1/32"
LAN_BCAST_ADRESS="192.168.0.255/32"
LOCALHOST_IP="127.0.0.1/32"
LOCALHOST_IFACE="lo"
INET_IFACE="eth1"
LAN_IFACE="eth0"
IPTABLES="/sbin/iptables"
ANYWHERE="0/0"
BROADCAST="255.255.255.255/32"

case "$1" in
start)
#
# CRITICAL: Enable IP forwarding since it is disabled by default.
#
echo -n "Enabling IP Forwarding ... "
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "done."

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# option. This enables dynamic-ip address hacking in IP MASQ, making the connection
# with Diald and similar programs much easier.
#
# echo -n "Enabling dynamic IP addressing ... "
# echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#echo "done."

#
# The allowed chain for TCP connections (tcp_allowed)
#
# This chain will be utilised if someone tries to connect to an allowed
# port from the internet. If they are opening the connection, or if it's
# already established we ACCEPT the packages, if not we fuck them. This is
# where the state matching is performed also, we allow ESTABLISHED and
# RELATED packets.
echo -n "Creating tcp_allowed chain ... "
$IPTABLES -N tcp_allowed
$IPTABLES -A tcp_allowed -p TCP --syn -j ACCEPT
$IPTABLES -A tcp_allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_allowed -p TCP -j DROP
echo "done."

#
# Destination Network Address Translation.
# If you don't know what it is, just comment the lines.
#
# 1 - We want all traffic coming to port 4200 to be redirected to an ssh server
# inside our network.
# 2 - We allow this very traffic to pass the FORWARD chain.
#
# Then we use the same technique to redirect www (port 80) requests to our internal
# web server on port 80.
#
# NOTE : Do not forget to enable the port you want your clients to come into on the firewall
# In this case, it's port number 4200 and 80. Enabling this port is done at the INPUT
# chain level.
# Of course, you can replace 4200 with anything you want. I suggest you use a non
# assigned port though :-)
#
echo -n "Setting up DNAT ... "
SSH_SERVER="192.168.0.1"
SSH_PORT="22"
$IPTABLES -A PREROUTING -t nat -p tcp -i $INET_IFACE -s $ANYWHERE -j DNAT --to $SSH_SERVER:$SSH_PORT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $SSH_SERVER -p tcp --dport $SSH_PORT -j tcp_allowed
IPSEC_SERVER="192.168.0.1"
$IPTABLES -A PREROUTING -t nat -p udp -i $INET_IFACE --dport 500 -j DNAT --to $IPSEC_SERVER:500
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $IPSEC_SERVER -p udp --dport 500 -j tcp_allowed
$IPTABLES -A PREROUTING -t nat -p 50 -i $INET_IFACE -j DNAT --to $IPSEC_SERVER
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $IPSEC_SERVER -p 50 -j tcp_allowed
echo "done."

# Enable simple IP FORWARDing and Masquerading
#
# NOTE: The following is an example for an internal LAN, where the lan
# runs on $LAN_IFACE, and the Internet is on $INET_IFACE.
#
# 1 - We masquerade at the 'nat' table, POSTROUTING chain if and only if:
# * It comes from our LAN
# * It goes out through our Internet interface.
# 2 - We ACCEPT to FORWARD if :
# * It goes through our LAN interface ... or ...
# * The connection is in a state ESTABLISHED or RELATED
# 3 - We LOG the rest.
echo -n "Setting up FORWARD chain and MASQUERADE ... "
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP_RANGE -j MASQUERADE
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The rule continues on the next line; without the trailing backslash the
# shell would run "--log-level ..." as a separate (failing) command.
$IPTABLES -A FORWARD -m limit --limit 10/minute --limit-burst 10 -j LOG \
--log-level DEBUG --log-prefix "FORWARD : "
echo "done."

#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
# Guess what? We DROP everything by default!
echo -n "Setting up default policies ... "
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
echo "done."

#
# Create separate chains for ICMP, TCP and UDP to traverse
#
echo -n "Creating ICMP, TCP and UDP accepting chains ... "
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
echo "done."

#
# ICMP rules
#
echo -n "Setting up icmp_packets chain ... "
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 11 -j ACCEPT
echo "done."
#
# TCP rules
#
# Allow ssh and smtp.
# Allow 4200 for forwarding.
#
# We also allow port 113 (auth a.k.a. ident). Even if you don't have
# a ident server, I suggest you leave that port open. It will speed
# things up. For more info, visit
# http://www.amaranth.com/cgi/showport.cgi?p...ot=tcp&port=113
echo -n "Setting up tcp_packets chain ... "
$IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 22 -j tcp_allowed
# $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 2003 -j tcp_allowed
# $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 143 -j tcp_allowed
# $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 110 -j tcp_allowed
$IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 9600 -j tcp_allowed
$IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 113 -j tcp_allowed
$IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 6699 -j tcp_allowed
echo "done."

#
# UDP ports
#
# Allow DHCP
#
# Uncomment the following 2 lines if you are running a DNS server on your firewall
# $IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 53 -j ACCEPT
# $IPTABLES -A udp_packets -p UDP -s $ANYWHERE --destination-port 53 -j ACCEPT
echo -n "Setting up udp_packets... "
$IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 500 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 4500 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 67 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 68 -j ACCEPT
echo "done."

#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's coming to our Internet
# interface
#
echo -n "Blocking private networks ... "
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
echo "done."


#
# INPUT chain
#
# 1 - We associate each protocol to its own chain in the
# following order:
# * ICMP -> icmp_packets
# * TCP -> tcp_packets
# * UDP -> udp_packets
# 2 - We ACCEPT a packet in the following conditions:
# * It's part of a RELATED or ESTABLISHED connection
# * It comes from our LAN interface and goes to our LAN broadcast
# address
# * It comes from our LAN interface and goes to the 255.255.255.255
# broadcast address (useful if you have a DHCP server on your fw)
# * Its destination is our localhost (127.0.0.1)
# * Its destination is our LAN ip address.
echo -n "Associating packet types with their chains ... "
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p 50 -i $INET_IFACE -j ACCEPT

echo "done."

echo -n "Setting up the INPUT chain ... "
$IPTABLES -A INPUT -i $INET_IFACE -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $BROADCAST -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOCALHOST_IFACE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 10/minute --limit-burst 10 -j LOG \
--log-level DEBUG --log-prefix "INPUT : "
echo "done."

#
# OUTPUT chain
#
# The idea is to accept everything, even though the default
# policy of the OUTPUT chain is DROP. Basically, if a packet
# doesn't pass the OUTPUT chain, there is something *serious*
# going on.
#
# 1 - ACCEPT all packets coming from localhost
# 2 - ACCEPT all packets coming from our LAN ip address
# 3 - ACCEPT all packets going to localhost
# 4 - ACCEPT all packets going to our LAN ip address
# 5 - ACCEPT all packets going through our Internet interface

echo -n "Setting up OUTPUT chain ... "
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LOCALHOST_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 10/minute --limit-burst 10 -j LOG \
--log-level DEBUG --log-prefix "OUTPUT : "
echo "done."
;;
stop)
# Flush all rules
echo -n "Flushing all rules ... "
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -t nat -X
echo "done."
;;
restart)
$0 stop
$0 start
;;
status)
$IPTABLES -nL
;;
*)
echo "usage: $0 {start|stop|restart|status}"
exit 1
esac
exit 0
---------------------------------------------------------------------------------------------------------------------------------------------
And this is the output from the iptables-save command:
---------------------------------------------------------------------------------------------------------------------------------------------
[root@localhost root]# iptables-save
# Generated by iptables-save v1.2.7a on Thu Jan 15 15:36:28 2004
*nat
:PREROUTING ACCEPT [5:240]
:POSTROUTING ACCEPT [49:2940]
:OUTPUT ACCEPT [49:2940]
-A PREROUTING -i eth1 -p tcp -j DNAT --to-destination 192.168.0.1:22
-A PREROUTING -i eth1 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.0.1:500
-A PREROUTING -i eth1 -p esp -j DNAT --to-destination 192.168.0.1
-A PREROUTING -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP
-A PREROUTING -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP
-A PREROUTING -s 172.16.0.0/255.240.0.0 -i eth1 -j DROP
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Jan 15 15:36:28 2004
# Generated by iptables-save v1.2.7a on Thu Jan 15 15:36:28 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]
:tcp_allowed - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
-A INPUT -i eth1 -p icmp -j icmp_packets
-A INPUT -i eth1 -p tcp -j tcp_packets
-A INPUT -i eth1 -p udp -j udp_packets
-A INPUT -i eth1 -p esp -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.0.255 -i eth0 -j ACCEPT
-A INPUT -d 255.255.255.255 -i eth0 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.1 -j ACCEPT
-A INPUT -d 192.168.0.1 -j ACCEPT
-A INPUT -m limit --limit 10/min --limit-burst 10 -j LOG --log-prefix "INPUT : " --log-level 7
-A FORWARD -d 192.168.0.1 -i eth1 -o eth0 -p tcp -m tcp --dport 22 -j tcp_allowed
-A FORWARD -d 192.168.0.1 -i eth1 -o eth0 -p udp -m udp --dport 500 -j tcp_allowed
-A FORWARD -d 192.168.0.1 -i eth1 -o eth0 -p esp -j tcp_allowed
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 10/min --limit-burst 10 -j LOG --log-prefix "FORWARD : " --log-level 7
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.1 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -d 192.168.0.1 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m limit --limit 10/min --limit-burst 10 -j LOG --log-prefix "OUTPUT : " --log-level 7
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 5 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A tcp_allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A tcp_allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tcp_allowed -p tcp -j DROP
-A tcp_packets -p tcp -m tcp --dport 22 -j tcp_allowed
-A tcp_packets -p tcp -m tcp --dport 9600 -j tcp_allowed
-A tcp_packets -p tcp -m tcp --dport 113 -j tcp_allowed
-A tcp_packets -p tcp -m tcp --dport 6699 -j tcp_allowed
-A udp_packets -p udp -m udp --sport 500 -j ACCEPT
-A udp_packets -p udp -m udp --sport 4500 -j ACCEPT
-A udp_packets -p udp -m udp --sport 67 -j ACCEPT
-A udp_packets -p udp -m udp --sport 68 -j ACCEPT
COMMIT
# Completed on Thu Jan 15 15:36:28 2004
hughesjr
I think this:

CODE
$IPTABLES -A PREROUTING -t nat -p tcp -i $INET_IFACE -s $ANYWHERE -j DNAT --to $SSH_SERVER:$SSH_PORT


Needs to be this:

CODE
$IPTABLES -A PREROUTING -t nat -p tcp -i $INET_IFACE -s $ANYWHERE --dport 22 -j DNAT --to $SSH_SERVER:$SSH_PORT


...that will route any traffic on port 22 of the outside interface to port 22 of 192.168.0.1 ... if that is what you are trying to accomplish. The IP address you should use to get in on is the external IP (the ip address of eth1).
---------------------------
If you are not using IPSEC connections into your network from outside then I recommend you remark out these lines (with a # in front of them):

CODE
IPSEC_SERVER="192.168.0.1"
$IPTABLES -A PREROUTING -t nat -p udp -i $INET_IFACE --dport 500 -j DNAT --to $IPSEC_SERVER:500
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $IPSEC_SERVER -p udp --dport 500 -j tcp_allowed
$IPTABLES -A PREROUTING -t nat -p 50 -i $INET_IFACE -j DNAT --to $IPSEC_SERVER
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $IPSEC_SERVER -p 50 -j tcp_allowed
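To see why the missing port match matters, here is a small tracer that walks a NEW inbound connection through the nat PREROUTING chain as it appears in the iptables-save dump above, once with the DNAT rule as posted and once with the `--dport 22` match suggested in this reply. This is an added example written for this page, not code from the thread or from the rc.firewall script; the rule text is constructed from the dump, the outside address 203.0.113.7 is a documentation address, and only the handful of iptables options used in those two rules are understood.

```python
"""Trace a NEW inbound TCP connection through the nat PREROUTING chain from the
thread, once with the DNAT rule as posted and once with the --dport 22 match.
Added example for this page; not code from the thread or the rc.firewall script."""
import ipaddress

# Constructed from the iptables-save dump in the thread: the DNAT rule as posted,
# followed by one of the anti-spoofing DROP rules that sit after it in the chain.
RULES_AS_POSTED = """
-A PREROUTING -i eth1 -p tcp -j DNAT --to-destination 192.168.0.1:22
-A PREROUTING -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP
"""

# The same chain with the --dport 22 match added to the DNAT rule.
RULES_WITH_DPORT = """
-A PREROUTING -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
-A PREROUTING -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP
"""


def parse_rules(text):
    """Parse the subset of iptables-save syntax used above into dicts.

    Only -A, -i, -p, -s, --dport, -m, -j and --to-destination are understood;
    anything else raises, so a silently ignored match cannot hide a mistake."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        rule = {"chain": None, "match": {}, "target": None, "to": None}
        i = 0
        while i < len(tok):
            t = tok[i]
            if t == "-A":
                rule["chain"] = tok[i + 1]
            elif t in ("-i", "-p", "-s", "--dport"):
                rule["match"][t] = tok[i + 1]
            elif t == "-m":
                pass  # loads a match extension; carries no criterion itself
            elif t == "-j":
                rule["target"] = tok[i + 1]
            elif t == "--to-destination":
                rule["to"] = tok[i + 1]
            else:
                raise ValueError("unsupported token %r in %r" % (t, line))
            i += 2  # every understood option takes exactly one argument
        rules.append(rule)
    return rules


def rule_matches(rule, pkt):
    """Apply the rule's match criteria to a packet dict; absent criteria match anything."""
    m = rule["match"]
    if "-i" in m and m["-i"] != pkt["iface"]:
        return False
    if "-p" in m and m["-p"] != pkt["proto"]:
        return False
    if "-s" in m:
        # iptables-save prints the mask in dotted form; ipaddress accepts that directly.
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(m["-s"], strict=False):
            return False
    if "--dport" in m and int(m["--dport"]) != pkt["dport"]:
        return False
    return True


def trace_prerouting(rules_text, src, dport, iface="eth1", proto="tcp"):
    """First terminating verdict for a NEW connection (the nat table is consulted
    only for the first packet of a flow). Returns ('DNAT', 'ip:port'), ('DROP', None)
    or ('ACCEPT', None) when the chain policy applies and the destination is untouched."""
    pkt = {"iface": iface, "proto": proto, "src": src, "dport": dport}
    for rule in parse_rules(rules_text):
        if rule["chain"] != "PREROUTING" or not rule_matches(rule, pkt):
            continue
        if rule["target"] == "DNAT":
            return ("DNAT", rule["to"])
        if rule["target"] == "DROP":
            return ("DROP", None)
    return ("ACCEPT", None)


if __name__ == "__main__":
    # 203.0.113.7 is a constructed outside address; 192.168.5.5 is a spoofed private source.
    for label, rules in (("as posted", RULES_AS_POSTED), ("with --dport 22", RULES_WITH_DPORT)):
        for src, port in (("203.0.113.7", 22), ("203.0.113.7", 9600), ("192.168.5.5", 9600)):
            print("%-16s src=%-12s dport=%-5d -> %s" % (label, src, port, trace_prerouting(rules, src, port)))
```

Two things fall out of the trace. As posted, every new TCP flow arriving on eth1 is rewritten to 192.168.0.1:22, so the other ports opened in tcp_packets (9600, 113, 6699) can never be reached, and because the DNAT rule precedes the anti-spoofing DROP rules in the same chain, a TCP packet with a forged private source is rewritten rather than dropped. With `--dport 22` only port 22 is rewritten; spoofed packets to port 22 still reach the DNAT rule first, so placing the three DROP rules at the top of PREROUTING would be the tidier order. Note also that 192.168.0.1 is the firewall's own LAN_IP in the script, so the rewritten packet is delivered locally through INPUT, not FORWARD.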
mikepara
Thanks HJR.. I'll try it out tomorrow and post the results..

Mike
mikepara
No luck unfortunately..

I can connect internally using PuTTY/ssh; however, when I come from outside I can't get a connection...
Internet and MASQ is running fine.

Setup is as follows:


ADSL MODEM FIXED IP xx.xx.xx.50 ----------->Linux Box FIXED IP EXTERNAL xx.xx.xx.49, INTERNAL 192.168.0.1----------------->Hub (with 4 comps connected)



I try to connect to xx.xx.xx.49 from outside - no go. Works ok internally

Should I disable the firewall completely just to test the route? If so, how?

Thanks..

Mike
hughesjr
If you use the command:

iptables -F

That should flush all chains ... then the command:

iptables -L

should show this (all chains are empty):

CODE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
mikepara
After iptables -F

then

iptables -L

This is what I get..


Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination

Chain icmp_packets (0 references)
target     prot opt source               destination

Chain tcp_allowed (0 references)
target     prot opt source               destination

Chain tcp_packets (0 references)
target     prot opt source               destination

Chain udp_packets (0 references)
target     prot opt source               destination


Does this mean all packets are dropped and not accepted for Input/Forward/Output rules?

Rgds

Mike
hughesjr
It means that there are no firewall rules ... so ALL packets should be accepted .... however there will be no forwarding or IPMASQ going on in that mode. (So your PCs inside can't get out and no one can get in ... your internal PCs can't see the external card and external PCs can't see the internal card).

This should allow you to connect to the external IP with SSH from the outside (if you don't have it set to only listen on the internal interface).

This will rule out any ISP or other connection problems and tell you that the problem is your firewall settings....

To make sure what interface you are listening on for SSH, do this command:

netstat -an | grep LISTEN | grep 22 | grep tcp

you should see a line similar to this:

CODE
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN


I am listening on 0.0.0.0:22 which is all interfaces (which is the default) ... if you only want to listen on a particular interface, edit the file:

/etc/ssh/sshd_config

and change the line:

#ListenAddress 0.0.0.0

to:

ListenAddress xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the address you want to listen on...
-------------------
After you are sure that works, you can forward all port 22 traffic from external to the internal address ... or just open port 22 on the external address...

However, there may be another firewall blocking port 22 between the external PC and you ... in which case, your ruleset is OK and the problem is external.
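The two checks in this reply, reading the chain listing and reading the sshd listen socket, can be scripted so the result is a verdict rather than something to eyeball. The word after `policy` in the chain header is what decides the fate of traffic once the rules are gone: the listing mikepara posted after `iptables -F` shows DROP on all three built-in chains, so nothing passes until the policies are reset to ACCEPT, which is exactly what the script's own `stop` target does before it flushes. The following is an added example for this page, not code from the thread; the ACCEPT and DROP listings are copied from the two posts above, the netstat lines and the external address 198.51.100.49 are constructed.

```python
"""Turn `iptables -L` and `netstat -an` output into two yes/no answers:
does unmatched traffic pass, and is sshd bound to an address reachable from outside?
Added example for this page; not code from the thread."""
import re

# Listing hughesjr expected after a flush (copied from the thread).
LISTING_ACCEPT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Listing mikepara actually got (copied from the thread, shortened).
LISTING_DROP = """\
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination

Chain tcp_allowed (0 references)
target     prot opt source               destination
"""

# Constructed netstat output: sshd bound to the LAN address only.
NETSTAT_LAN_ONLY = """\
tcp        0      0 192.168.0.1:22          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")


def parse_listing(text):
    """Return {chain: {'policy': 'ACCEPT'|'DROP'|None, 'rules': [lines]}}.
    User-defined chains have a reference count instead of a policy (policy None)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif not line.strip() or line.startswith("target"):
            continue  # blank separator or column header
        elif current is not None:
            chains[current]["rules"].append(line.strip())
    return chains


def unmatched_traffic_fate(chains):
    """For each built-in chain, the verdict for a packet matching no rule is the policy."""
    return {name: c["policy"] for name, c in chains.items() if c["policy"] is not None}


def is_wide_open(chains):
    """True only when every chain is empty AND every built-in policy is ACCEPT,
    i.e. the box really passes everything, which is what a flush alone does not guarantee."""
    no_rules = all(not c["rules"] for c in chains.values())
    return no_rules and all(p == "ACCEPT" for p in unmatched_traffic_fate(chains).values())


def ssh_listen_addresses(netstat_text, port=22):
    """Addresses with a TCP LISTEN socket on `port`; '0.0.0.0' means every interface.
    Unlike `grep 22`, this compares the port exactly, so 2222 is not a false hit."""
    addrs = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[-1] == "LISTEN":
            host, _, p = f[3].rpartition(":")
            if p.isdigit() and int(p) == port:
                addrs.append(host)
    return addrs


def sshd_reachable_from_outside(netstat_text, external_ip, port=22):
    """True when sshd is bound to the wildcard address or to the external IP itself."""
    return any(a in ("0.0.0.0", external_ip) for a in ssh_listen_addresses(netstat_text, port))


if __name__ == "__main__":
    for label, listing in (("hughesjr", LISTING_ACCEPT), ("mikepara", LISTING_DROP)):
        chains = parse_listing(listing)
        print(label, unmatched_traffic_fate(chains), "wide open:", is_wide_open(chains))
    print("sshd on", ssh_listen_addresses(NETSTAT_LAN_ONLY),
          "reachable from outside:", sshd_reachable_from_outside(NETSTAT_LAN_ONLY, "198.51.100.49"))
```

When testing connectivity with the rules removed, run the full `stop` target of the script (policies to ACCEPT, then `-F` and `-X`) rather than a bare `iptables -F`, and keep the test window short: with all policies ACCEPT and no rules, the box and the LAN behind it are unfiltered for as long as the test lasts.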