Thread: iptables and ssh
I'm having issues getting iptables to allow an inbound SSH connection. I have port forwarding enabled on the router, and I can access the machine via SSH when iptables is stopped.

The rule I used to allow the connection is:

Code:
iptables -A open -p tcp --dport 26 -j ACCEPT

I have sshd set up to use port 26 rather than port 22. In the local network setting, I cannot connect either.

/etc/ssh/ssh_config is as follows:

Code:
#	$OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
    Port 26
    Protocol 2
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
    HashKnownHosts yes
    StrictHostKeyChecking ask

and /etc/ssh/sshd_config:

Code:
#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 26
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
Banner /etc/issue

# override default of no subsystems
Subsystem	sftp	/usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
AllowUsers username    (I have my username here)

And here is the printout of iptables -nvL. When I set up iptables I didn't realize I could set up rules for all interfaces, so I set rules for each interface individually:

Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 18
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 17
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 10
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 9
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 9
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 5
    0     0 DROP       all  --  wlan0  *       127.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  eth1   *       127.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  eth0   *       127.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  wlan0  *       192.168.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  eth1   *       192.168.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  eth0   *       192.168.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  eth1   *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  wlan0  *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  wlan0  *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  eth1   *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   71 58876 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 interfaces  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 open       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
    0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 DROP       icmp --  eth1   *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 DROP       icmp --  wlan0  *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:26

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 30 packets, 1236 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain interfaces (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain open (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  foo    *       0.0.0.0/0            0.0.0.0/0           tcp dpts:65000:65005
    0     0 ACCEPT     tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           tcp dpts:65000:65005
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:65000:65005
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:65000:65005
    0     0 ACCEPT     udp  --  foo    *       0.0.0.0/0            0.0.0.0/0           udp dpts:65000:65005
    0     0 ACCEPT     udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           udp dpts:65000:65005
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpts:65000:65005
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpts:65000:65005
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:26

Any ideas, or criticisms of my setup, are welcome.
I randomly came across this question while googling to solve my own iptables questions, and seeing it was a week old I thought I'd have a stab at fixing your problem.

Try this instead (substitute 'open' with 'INPUT'):

Code:
iptables -A INPUT -p tcp --dport 26 -j ACCEPT

...and that might get things working for you.
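To see why a rule's position in the chain matters here, the following evaluator (added for this write-up, not code from either poster) parses `iptables -nvL` output and walks the INPUT chain the way the kernel does: first match wins, jumps into user chains such as `open` are followed, and a user chain that falls through returns to the caller. The embedded ruleset is a constructed, abridged copy of the posted INPUT and open chains, and the client addresses used to exercise it are constructed sample values.

```python
import ipaddress

# Constructed, abridged copy of the posted INPUT/open chains in `iptables -nvL` layout.
RULESET = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  wlan0  *       192.168.0.0/16       0.0.0.0/0
   71 58876 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 open       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:26

Chain open (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:26
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_nvl(text):
    """-nvL text -> {chain: {"policy", "rules"}}; understands only in-iface, source, dpt:, state."""
    chains, cur = {}, None
    for line in text.splitlines():
        f = line.split()
        if f[:1] == ["Chain"]:  # "Chain NAME (policy X ...)" or "Chain NAME (N references)"
            cur = chains.setdefault(f[1], {"policy": f[3] if f[2] == "(policy" else None, "rules": []})
        elif cur is not None and len(f) >= 9 and f[0] != "pkts":  # skip the column header
            dpt = [t[4:] for t in f[9:] if t.startswith("dpt:")]
            cur["rules"].append({
                "target": f[2], "prot": f[3], "in": f[5], "src": ipaddress.ip_network(f[7]),
                "dport": int(dpt[0]) if dpt else None,
                "states": tuple(f[f.index("state") + 1].split(",")) if "state" in f else (),
                "line": line.strip()})
    return chains

def matches(rule, pkt):
    return (rule["prot"] in ("all", pkt["prot"]) and rule["in"] in ("*", pkt["in"])
            and pkt["src"] in rule["src"] and rule["dport"] in (None, pkt["dport"])
            and (not rule["states"] or pkt["state"] in rule["states"]))

def walk(chains, name, pkt):
    """First matching rule wins; a user chain that falls through returns to its caller."""
    for rule in filter(lambda r: matches(r, pkt), chains[name]["rules"]):
        if rule["target"] in TERMINAL:
            return rule["target"], rule["line"]
        hit = walk(chains, rule["target"], pkt) if rule["target"] in chains else None  # jump
        if hit:
            return hit
    policy = chains[name]["policy"]  # only built-in chains have a policy
    return (policy, "policy " + policy) if policy else None

def evaluate(text, prot, iface, src, dport, state="NEW"):
    pkt = {"prot": prot, "in": iface, "src": ipaddress.ip_address(src), "dport": dport, "state": state}
    return walk(parse_nvl(text), "INPUT", pkt)
```

Run against the posted chains, a LAN client's SYN to tcp/26 arriving on wlan0 from 192.168.1.20 is dropped by the 192.168.0.0/16 rule, which sits ahead of both the RELATED,ESTABLISHED accept and the jump into `open`, while the same packet from a public source on ppp0 reaches the dpt:26 accept inside `open`.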
Forum: The Ubuntu Forum Community > Ubuntu Official Flavours Support > Networking & Wireless > [ubuntu] iptables and ssh