Hi All,

I have just set up shorewall with the 'two-interfaces.tar.gz' but I can't seem to ssh to any of my local servers. What do I need to add to my /etc/shorewall/rules to allow me to ssh to say 192.168.10.12?

Thanks,
Matt

Here is my iptables output:

# iptables -L -n -v
Are you trying to initiate the connection from out on the internet via ssh to a server running behind Shorewall? Can the local pc's running ssh daemons get out to the internet via ssh or www?

Did you make any changes to the default shorewall config files that Tom provides? If so, then what specifically?

To help in a more timely manner can you please cut and paste a copy of your shorewall files:

zones
masq
nat
policy
rules
interfaces

Thanks,
JBanks

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com
On Sun, 17 Aug 2003 00:16:42 -0700, Matthew Simpson <msimpson@market-research.com> wrote:

> Hi All,
>
> I have just set up shorewall with the 'two-interfaces.tar.gz' but I can't
> seem to ssh to any of my local servers. What do I need to add to my
> /etc/shorewall/rules to allow me to ssh to say 192.168.10.12 ?

Matt -- the Two-interface QuickStart Guide (http://shorewall.net/two-interface.htm) gives you all of the information you need to add the rule you need. Adding support for a new simple service like SSH should never warrant posting on the mailing list.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi Joshua,

I'm trying to initiate a ssh connection from the redhat 9 box that has the DSL and shorewall on it to another internal redhat box which is running sshd. From the loc lan I have no problems, but from inside the gw machine I get connection refused. I have followed the two-interface setup and still no go. Here are the config files requested. Any help would be great.

zones:
net   Net     Internet
loc   Local   Local Networks

masq:
ppp0  eth0

nat:
<empty>

policy:
loc   net   ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw   net   ACCEPT
net   all   DROP    info
all   all   REJECT  info

rules:
ACCEPT  loc  fw   tcp  22
ACCEPT  net  fw   tcp  22
ACCEPT  fw   net  tcp  22

interfaces:
net   ppp0   -        dhcp,routefilter,norfc1918
loc   eth0   detect

Thanks,
Matt
Hey Matt,

You posted:

> policy:
> loc net ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> #fw net ACCEPT
> net all DROP info
> all all REJECT info
>
> rules:
> ACCEPT loc fw tcp 22
> ACCEPT net fw tcp 22
> ACCEPT fw net tcp 22

It looks like all that you need is rule:

ACCEPT fw loc tcp 22

Rules are parsed first. If there isn't a rule match then the policies are checked next. So in essence you could have a policy of

loc to fw Accept
fw to loc Accept

But this would open up the whole range of ports in your case. It's best to just specify/add the rule to the Shorewall "rules" file as I've shown above.

Let the list know if this helps.

In the future you can troubleshoot this easily by cd'ing to the /etc/shorewall directory and issuing the command "shorewall logwatch". This will produce some logging if you have logging enabled (which, if being dropped or rejected, is on by default if you haven't messed with the default "policy file" settings). Let this run in one shell and then test the ssh connection. The logs will tell you 99% of the time why simple connections are being "dropped" or "rejected" and which policy or rule is "dropping or rejecting the connection".

JBanks
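The precedence JBanks describes (a matching line in rules wins, otherwise the first matching policy line applies), worked through on Matt's own files as an added example. This is not Shorewall code but a small model of its zone-level matching; it assumes NEW connections only and plain zone names (no net:1.2.3.4 style host qualifiers).

```python
# Matt's /etc/shorewall/rules and /etc/shorewall/policy as posted above
# (constructed inline from the thread; column order as in the Shorewall files).
RULES = """
# ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT    loc     fw    tcp    22
ACCEPT    net     fw    tcp    22
ACCEPT    fw      net   tcp    22
"""

POLICY = """
# SOURCE  DEST  POLICY  LOG LEVEL
loc       net   ACCEPT
#fw       net   ACCEPT
net       all   DROP    info
all       all   REJECT  info
"""


def parse_table(text):
    """Split a Shorewall-style file into rows, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_matches(spec, zone):
    # 'all' is a wildcard; anything else must name the zone exactly.
    # Assumption: host-qualified zones such as net:1.2.3.4 are not modelled.
    return spec == "all" or spec == zone


def port_matches(spec, port):
    """DEST PORT column: '-' (any), a port, a lo:hi range, or a comma list."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def decide(rules_text, policy_text, src, dst, proto, port):
    """Verdict for a NEW connection from zone src to zone dst (proto, dport).

    The order is the point of JBanks's answer: the first matching rules
    line wins; only if none matches is the policy file consulted, again
    first match.  ESTABLISHED/RELATED traffic is accepted before either,
    so only new connections are modelled.  Returns (verdict, matched_line).
    """
    for row in parse_table(rules_text):
        action, rsrc, rdst = row[:3]
        rproto = row[3] if len(row) > 3 else "-"
        rport = row[4] if len(row) > 4 else "-"
        if (zone_matches(rsrc, src) and zone_matches(rdst, dst)
                and rproto in ("-", "all", proto) and port_matches(rport, port)):
            return action, "rules: " + " ".join(row)
    for row in parse_table(policy_text):
        psrc, pdst, action = row[:3]
        if zone_matches(psrc, src) and zone_matches(pdst, dst):
            return action, "policy: " + " ".join(row)
    raise LookupError("no policy matched; Shorewall needs a catch-all line")


def explain(rules_text, policy_text, flows):
    """One 'src->dst proto/port: VERDICT (line)' string per flow."""
    out = []
    for src, dst, proto, port in flows:
        verdict, why = decide(rules_text, policy_text, src, dst, proto, port)
        out.append(f"{src}->{dst} {proto}/{port}: {verdict} ({why})")
    return out


if __name__ == "__main__":
    flows = [("fw", "loc", "tcp", 22),    # Matt's ssh from the gateway itself
             ("loc", "fw", "tcp", 22),
             ("net", "fw", "tcp", 5901)]  # a VNC listener on the fw, seen from outside
    print("\n".join(explain(RULES, POLICY, flows)))
    print("--- with JBanks's rule added ---")
    print("\n".join(explain(RULES + "ACCEPT fw loc tcp 22\n", POLICY, flows)))
```

With Matt's original files the fw->loc ssh attempt falls through to the "all all REJECT" policy, which sends a TCP reset and so shows up as "connection refused"; the net->fw flow on port 5901 lands on "net all DROP" regardless of his later "ACCEPT fw loc tcp 5900:5909" line, because that rule names the wrong source zone.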
Hi Joshua,

Thanks for the help, this fixed my problem. I also have another problem with my ssh tunneling script that I use to allow vnc access to workstations. I used to be able to run this script from the fw and then vnc to local machines from outside. How can I get this working without setting up port forwarding? I tried adding

ACCEPT fw loc tcp 5900:5909

but this made no difference.

Here's the perl script

#!/usr/bin/perl
#
# Kwik script to allow for ssh tunnelling access
#
use strict;
use warnings;

# LAN host -> two-digit suffix; the listening port becomes 59<suffix>
my %hosts = (
    'gandalf', '01',
    'elron',   '02',
);
my $which = $ARGV[0];
die "Error: please tell me which machine to control\n"
    unless defined $which && exists $hosts{$which};
my $port = $hosts{$which};
print "Port to use is gon.example.com:$port, use ^D to close when done\n";
# -g lets other hosts connect to the forwarded port; -L 59xx:host:5900
# forwards it to display 0 of the chosen host
my $cmd = "ssh -l root -g -L 59$port:$which:5900 gon.example.com";
system($cmd) == 0 or die "ssh exited with status $?\n";

Your help is greatly appreciated.

Matt
Resending this because my initial post was messy for some reason...

--- Joshua Banks <l0f33t@yahoo.com> wrote:

Hey Matt,

You said:

> Thanks for the help, this fixed my problem. I also have another problem with my ssh tunneling script that I use to allow vnc access to workstations. I used to be able to run this script from the fw and then vnc to local machines from outside. How can I get this working without setting up port forwarding? I tried adding
>
> ACCEPT fw loc tcp 5900:5909
>
> but this made no difference.

My response:

Matt, correct me if I'm wrong, what you're saying is that from the internet you're connecting to the firewall via ssh, then once authenticated via ssh, from the firewall you run a script that vnc's from the firewall to local machines behind the firewall? If this is correct then, this is how I would troubleshoot this:

First make sure that you have wide open communication in the Shorewall policy file: Accept "loc" to "fw" and from "fw" to "loc". And make sure to log at the "info level" like:

/etc/shorewall/policy
SOURCE  DESTINATION  POLICY  LOG LEVEL
loc     fw           ACCEPT  info
fw      loc          ACCEPT  info

Stop using the Perl script for now. That could be what the problem is anyways. I'm just learning how to shell script so I'm the wrong person to ask when it comes to making sure a script is configured correctly.. :D

With these two policies in place you will have free flowing communication on all ports in both directions unless you have specific rules specified in the Shorewall "rules" file.

Again....try your connection and at the same time have a shell running that is monitoring the logs by cd'ing to /etc/shorewall then the command: shorewall logwatch

Please verify whether or not I'm understanding your scenario correctly from what I posted in the beginning of this reply. When you get your logs from executing "shorewall logwatch", please cut and paste those to this email as well as a copy of your Shorewall "rules" and "policy" files.

Make sure that in the future that you're also replying to the list as well as individual emails for a more timely response. A lot of people use Shorewall so you'll just be increasing your chances of getting this resolved quicker by adding shorewall-users@lists.shorewall.net

Also please see this FAQ about tunneling vnc through ssh..this should help as well or give you a different approach at possibly using vnc through ssh than how you're currently doing it..
http://www.uk.research.att.com/vnc/sshvnc.html

Thanks,
JBanks

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Matt,

So you used to VNC from the outside in. Your script only encrypts your connection from your FW to your LOCAL boxes (in which case it doesn't really do much for tunnelling SSH, assuming I'm reading what you're saying correctly).

If this is your setup,

Outside world machine -> Internet Connection -> FW -> Local Boxes (gandalf & elron)

then if you wanted it to work the way you did before you'd add this line (for example):

ACCEPT net fw tcp 5900:5909

HOWEVER you aren't encrypting your traffic end to end. As such you're only encrypting your traffic from your fw to your local boxes.

A better setup would be to do the following setup:

Remote box has SSH on it. You tunnel local port 5900 (or whatever port ya want) to gandalf port 5900 and then make an SSH connection to gon. Open up your VNC viewer on your Remote box and point it to "localhost:1" and you'll connect to gandalf.

Same if you did local port 5901 to elron 5900, then opened to localhost:2

(I think I have the right localhost:X where X is the number)

This will encrypt from end to end then.

Away ya go.

ian
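Ian's layout as an added example (not code from the thread): the ssh command is built for the remote box rather than the firewall, and the display-to-port arithmetic Ian was unsure of is made explicit (VNC display N listens on 5900 + N). The gateway name and host names come from Matt's script; the user name and the display numbers assigned to each host are assumptions.

```python
import shlex

VNC_BASE_PORT = 5900                  # VNC display N listens on 5900 + N
GATEWAY = "gon.example.com"           # Matt's ssh gateway, from his script
# LAN host -> display number to use on the remote box (assumed: taken from
# the '01'/'02' suffixes in Matt's script, so 59<suffix> becomes display <suffix>).
HOSTS = {"gandalf": 1, "elron": 2}


def vnc_port(display):
    """Display number -> TCP port, the arithmetic Ian was unsure about."""
    if not 0 <= display <= 99:
        raise ValueError(f"display {display} outside 0..99")
    return VNC_BASE_PORT + display


def tunnel_argv(target, user, hosts=HOSTS, gateway=GATEWAY):
    """argv for the ssh command to run on the remote (outside) box.

    Compared with the Perl script above, which ran on the firewall:
      * it is started from the outside, so the Internet leg rides inside ssh;
      * the listener is bound to 127.0.0.1 instead of exported with -g, so
        only the remote box itself can reach the forwarded port;
      * -N opens no remote shell; the session exists only for the forward.
    The gateway resolves 'gandalf'/'elron' and makes the final LAN hop to
    port 5900 in the clear, since the Win2k boxes run no sshd.
    """
    if target not in hosts:
        raise KeyError(f"unknown host {target!r}; known: {sorted(hosts)}")
    local_port = vnc_port(hosts[target])
    forward = f"127.0.0.1:{local_port}:{target}:{VNC_BASE_PORT}"
    return ["ssh", "-N", "-L", forward, f"{user}@{gateway}"]


def viewer_target(target, hosts=HOSTS):
    """What to type into the VNC viewer on the remote box: localhost:<display>."""
    return f"localhost:{hosts[target]}"


def tunnel_command(target, user):
    """Shell-quoted one-liner, for pasting into a terminal or an alias."""
    return shlex.join(tunnel_argv(target, user))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "gandalf"
    print(tunnel_command(host, "matt"))
    print("then point the viewer at", viewer_target(host))
```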
Hi Ian,

Yes this is exactly what I am trying to achieve. As these local boxes have Win2k installed, they don't have sshd on and the boss doesn't want time spent on this. Would sshing from the fw to a local linux box then ssh to port 5901 encrypt from end to end?

Matt