Joshua Banks
2003-Aug-18 12:32 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
I'm trying to allow ssh access to the firewall from a connection that originates from the internet.

Running the latest shorewall.

My external interface is ppp0 so the ip is dynamic.

I thought that adding this rule would be sufficient:

DNAT net loc:192.168.1.1 tcp 22 "just as a test.."

the connection gets denied: Why?

Aug 18 12:13:18 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22 DST=192.168.1.1 LEN=60 TOS=0x10 PREC=0x00 TTL=48 ID=60927 DF PROTO=TCP SPT=34653 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 12:13:30 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22 DST=192.168.1.1 LEN=60 TOS=0x10 PREC=0x00 TTL=48 ID=60928 DF PROTO=TCP SPT=34653 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 12:13:54 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22 DST=192.168.1.1 LEN=60 TOS=0x10 PREC=0x00 TTL=48 ID=60929 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 12:14:42 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22 DST=192.168.1.1 LEN=60 TOS=0x10 PREC=0x00 TTL=48 ID=60930 DF PROTO=TCP SPT=34655 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Thanks,
JBanks

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com
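The four net2all:DROP lines above are ordinary netfilter LOG output carrying Shorewall's chain:ACTION prefix. As an added example (not part of this thread and not Shorewall code), here is a small Python parser that turns such lines into records and counts drops per source and destination port, which is the first check an operator runs to tell "my own admin host on the expected port" (a rules problem) apart from unsolicited probing. The sample input embedded below is copied from the post; the function names are my own. Two details of the log are worth reading: OUT= is empty because the packet was being delivered to the firewall itself rather than forwarded, and there is no MAC= field because ppp0 is a point-to-point interface with no link-layer address.

```python
import re
from collections import Counter

# Constructed sample input: the four net2all:DROP lines from the post above.
SAMPLE_LOG = """\
Aug 18 12:13:18 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22 DST=192.168.1.1 LEN=60 TOS=0x10 PREC=0x00 TTL=48 ID=60927 DF PROTO=TCP SPT=34653 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 12:13:30 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22 DST=192.168.1.1 LEN=60 TOS=0x10 PREC=0x00 TTL=48 ID=60928 DF PROTO=TCP SPT=34653 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 12:13:54 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22 DST=192.168.1.1 LEN=60 TOS=0x10 PREC=0x00 TTL=48 ID=60929 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 12:14:42 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22 DST=192.168.1.1 LEN=60 TOS=0x10 PREC=0x00 TTL=48 ID=60930 DF PROTO=TCP SPT=34655 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, an optional "host kernel:" prefix, Shorewall's "chain:ACTION:"
# prefix (newer releases put "Shorewall:" in front of it), then netfilter's
# key=value fields and bare flags such as DF and SYN.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )*?(?:Shorewall:)?"
    r"(?P<chain>[A-Za-z0-9_]+):(?P<action>[A-Z]+):(?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not a Shorewall log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "chain": m.group("chain"),
           "action": m.group("action"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, value = tok.partition("=")   # "OUT=" yields an empty value
            rec[key] = value
        else:
            rec["flags"].append(tok)              # DF, SYN, ACK ... carry no value
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def drops_by_source_and_port(records):
    """Count DROPs per (SRC, PROTO, DPT): one source on one expected port points at a
    rules problem; many sources or many ports point at probing."""
    counts = Counter()
    for r in records:
        if r["action"] == "DROP":
            counts[(r.get("SRC"), r.get("PROTO"), r.get("DPT"))] += 1
    return counts


def inbound_syn_drops_to_firewall(records, iface="ppp0"):
    """DROPped SYNs that arrived on iface with an empty OUT= field, i.e. packets that
    were headed for the firewall itself (INPUT path) rather than being forwarded."""
    return [r for r in records
            if r["action"] == "DROP" and r.get("IN") == iface
            and r.get("OUT", "") == "" and "SYN" in r["flags"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in drops_by_source_and_port(recs).items():
        print(key, n)
    print(len(inbound_syn_drops_to_firewall(recs)), "SYNs to the firewall itself dropped")
```

Feed it `grep net2all /var/log/messages` (or wherever the kernel log lands) and the Counter tells you whether the dropped source is the host you expect on the port you expect, which is exactly the situation the rest of this thread resolves with a source-qualified ACCEPT.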
Cal Evans
2003-Aug-18 12:38 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
Here's how I do it. In my rules file I have:

#
# Accept SSH connections from anywhere for administration
#
ACCEPT loc fw tcp 22
ACCEPT net fw tcp 22

This allows me ssh to the firewall from either inside or outside of my network.

=C

p.s. I believe this was part of the standard 2 interfaces configuration example.

*
* Cal Evans
* http://www.eicc.com
* We build IT solutions
*

Joshua Banks said:
> I'm trying to allow ssh access to the firewall from a connection that
> originates from the
> internet.
>
> Running the latest shorewall.
>
> My external interface is ppp0 so the ip is dynamic.
>
> I thought that adding this rule would be sufficient:
>
> DNAT net loc:192.168.1.1 tcp 22 "just as a test.."
>
> the connection gets denied: Why?
>
> Aug 18 12:13:18 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22
> DST=192.168.1.1 LEN=60 TOS=0x10
> PREC=0x00 TTL=48 ID=60927 DF PROTO=TCP SPT=34653 DPT=22 WINDOW=5840
> RES=0x00 SYN URGP=0
> Aug 18 12:13:30 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22
> DST=192.168.1.1 LEN=60 TOS=0x10
> PREC=0x00 TTL=48 ID=60928 DF PROTO=TCP SPT=34653 DPT=22 WINDOW=5840
> RES=0x00 SYN URGP=0
> Aug 18 12:13:54 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22
> DST=192.168.1.1 LEN=60 TOS=0x10
> PREC=0x00 TTL=48 ID=60929 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840
> RES=0x00 SYN URGP=0
> Aug 18 12:14:42 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22
> DST=192.168.1.1 LEN=60 TOS=0x10
> PREC=0x00 TTL=48 ID=60930 DF PROTO=TCP SPT=34655 DPT=22 WINDOW=5840
> RES=0x00 SYN URGP=0
>
> Thanks,
> JBanks
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Tom Eastep
2003-Aug-18 12:52 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
On Mon, 2003-08-18 at 12:36, Cal Evans wrote:
> Here's how I do it. In my rules file I have:
> #
> # Accept SSH connections from anywhere for administration
> #
> ACCEPT loc fw tcp 22
> ACCEPT net fw tcp 22
>
> This allows me ssh to the firewall from either inside or outside of my
> network.
>
> =C
> p.s. I believe this was part of the standard 2 interfaces configuration
> example.

Yep -- the first rule is part of the two-interface sample configuration and the second one is straight from http://shorewall.net/two-interface.htm.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Joshua Banks
2003-Aug-18 13:29 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
> #
> ACCEPT loc fw tcp 22
> ACCEPT net fw tcp 22

But the whole point is that I don't want the whole internet allowed to the firewall via ssh, password protected or not.

I know what ip that I'm coming from and this is what I did in the rules file.

DNAT net:208.146.43.22 loc:192.168.1.1 tcp 22

still rejected.. NETtoALL...

IF I add:

ACCEPT net fw tcp 22

then all is well. I only want to allow connections from one ip.. what do I need to do that?

Thanks,
JBanks
Patrick Benson
2003-Aug-18 13:58 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
Joshua Banks wrote:
>
> I'm trying to allow ssh access to the firewall from a connection that originates from the
> internet.
>
> Running the latest shorewall.
>
> My external interface is ppp0 so the ip is dynamic.
>
> I thought that adding this rule would be sufficient:
>
> DNAT net loc:192.168.1.1 tcp 22 "just as a test.."
>
> the connection gets denied: Why?
>
> Aug 18 12:13:18 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22 DST=192.168.1.1 LEN=60 TOS=0x10
> PREC=0x00 TTL=48 ID=60927 DF PROTO=TCP SPT=34653 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> Aug 18 12:13:30 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22 DST=192.168.1.1 LEN=60 TOS=0x10
> PREC=0x00 TTL=48 ID=60928 DF PROTO=TCP SPT=34653 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> Aug 18 12:13:54 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22 DST=192.168.1.1 LEN=60 TOS=0x10
> PREC=0x00 TTL=48 ID=60929 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> Aug 18 12:14:42 net2all:DROP:IN=ppp0 OUT= SRC=208.146.43.22 DST=192.168.1.1 LEN=60 TOS=0x10
> PREC=0x00 TTL=48 ID=60930 DF PROTO=TCP SPT=34655 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Well, I may be wrong, Joshua, but something looks fishy to me with your OUT= in the log, there's no MAC address listed there. Since your rule *should* allow that traffic in and yet gets denied, maybe there's something wrong with your loc configuration?

--
Patrick Benson
Stockholm, Sweden
Tom Eastep
2003-Aug-18 14:06 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
On Mon, 2003-08-18 at 13:29, Joshua Banks wrote:
> > #
> > ACCEPT loc fw tcp 22
> > ACCEPT net fw tcp 22
>
> But the whole point is that I don't want the whole internet allowed to the firewall via ssh
> password protected or not.
>
> I know what ip that I'm coming from and this is what I did in the rules file.
> DNAT net:208.146.43.22 loc:192.168.1.1 tcp 22
>

Yes -- but that rule doesn't make any sense. You need to qualify the net zone in the CORRECT rule. FAQ #24 covers your situation exactly!

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Joshua Banks
2003-Aug-18 14:24 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
Ok...

So, according to FAQ 24 (sorry Tom) (I thought that I needed a DNAT rule to port forward connections from the internet)...all that I need to do is to allow incoming ssh connections to my firewall from ip address 208.146.43.22 is:

ACCEPT net:208.146.43.22 fw tcp 22

I'm unable to test this now but is this correct then Tom?

Thanks,
JBanks
Tom Eastep
2003-Aug-18 14:32 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
On Mon, 2003-08-18 at 14:24, Joshua Banks wrote:
> Ok...
>
> So, according to FAQ 24 (sorry Tom) (I thought that I needed a DNAT rule to port forward
> connections from the internet)

You need a DNAT rule to port forward to an RFC1918 network behind your firewall but not to the firewall itself.

> ...all that I need to do is to allow incoming ssh connections to my
> firewall from ip address 208.146.43.22 is:
>
> ACCEPT net:208.146.43.22 fw tcp 22
>
> I'm unable to test this now but is this correct then Tom?
>

Yes -- I try not to place inaccurate information in the FAQ answers.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Joshua Banks
2003-Aug-18 14:48 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
Thanks,

Ok..so then if I wanted to have someone/host ip, ssh to the FW and to a rfc1918 address behind the firewall (192.168.1.254) then my rules would look like this:

ACCEPT net:208.146.43.22 fw tcp 22
DNAT net:208.146.43.22 loc:192.168.1.254 tcp 22

or will this conflict if they are trying to initially connect to the .254 address and the first rule is as above?

This is very kewl.....I guess the only drawback is that my ppp0 ip address changes every time that I dialup. So I have to give out the new address if I want to ssh from the outside.

Thanks,
JBanks
Tom Eastep
2003-Aug-18 14:54 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
On Mon, 2003-08-18 at 14:48, Joshua Banks wrote:
> Thanks,
>
> Ok..so then if I wanted to have someone/host ip, ssh to the FW and to a rfc1918 address behind the
> firewall (192.168.1.254) then my rules would look like this:
>
> ACCEPT net:208.146.43.22 fw tcp 22
> DNAT net:208.146.43.22 loc:192.168.1.254 tcp 22
>
> or will this conflict if they are trying to initially connect to the .254 address and the first
> rule is as above?

You would have to use a different port as in:

DNAT net:208.146.43.22 loc:192.168.1.254 tcp 10022

Then connect to port 10022 rather than port 22.

>
> This is very kewl.....I guess the only drawback is that my ppp0 ip address changes every time that
> I dialup. So I have to give out the new address if I want to ssh from the outside.
>

Or subscribe to one of the dynamic DNS services like dyndns.org.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Joshua Banks
2003-Aug-18 15:47 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
Tom said:
> You would have to use a different port as in:
> DNAT net:208.146.43.22 loc:192.168.1.254 tcp 10022
> Then connect to port 10022 rather than port 22.

Could I also do this with the same effect and just have the fw redirect to .254 on port 22?:

DNAT net:208.146.43.22 loc:192.168.1.254:22 tcp 1022 ???

Thanks,
JBanks
Tom Eastep
2003-Aug-18 15:51 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
On Mon, 2003-08-18 at 15:47, Joshua Banks wrote:
> Tom said:
>
> >You would have to use a different port as in:
> >DNAT net:208.146.43.22 loc:192.168.1.254 tcp 10022
> >Then connect to port 10022 rather than port 22.
>
> Could I also do this with the same effect and just have the fw redirect to .254 on port 22?:
> DNAT net:208.146.43.22 loc:192.168.1.254:22 tcp 1022 ???
>

Yes -- in fact, that's what I intended to write in the first place :-)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
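To make the rule semantics in this exchange concrete, here is an added Python model (not Shorewall code, and not from anyone in the thread) of the two stages an inbound packet passes through: DNAT rules act in the nat table on the pre-NAT destination, and the filter chain (net2fw or net2loc, falling through to net2all and the zone policy) is chosen from the post-NAT destination. It assumes 192.168.1.1 is the firewall's own LAN address, as the thread implies, uses 198.51.100.7 as a constructed stand-in for the dynamic ppp0 address, handles IPv4 only and supports just the rules-file columns used above. Run against the rules discussed, it reproduces the original net2all DROP for "DNAT net loc:192.168.1.1 tcp 22" (the translated packet is addressed to the firewall itself, so it is INPUT traffic and the generated net2loc ACCEPT never sees it), the single-host ACCEPT to fw, and the 1022 to 192.168.1.254:22 forward.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumptions, not from the thread): the firewall owns
# 192.168.1.1 on the LAN, and 198.51.100.7 stands in for the dynamic ppp0 address.
FW_ADDRS = {"192.168.1.1", "198.51.100.7"}
ZONE_NETS = {"loc": ipaddress.ip_network("192.168.1.0/24")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str   # ACCEPT, DROP or DNAT
    source: str   # zone or zone:host
    dest: str     # zone, fw, or zone:host[:port] for DNAT
    proto: str
    dport: int


def split_spec(spec):
    """'loc:192.168.1.254:22' -> ('loc', '192.168.1.254', 22); 'fw' -> ('fw', None, None)."""
    parts = spec.split(":")
    host = parts[1] if len(parts) > 1 else None
    port = int(parts[2]) if len(parts) > 2 else None
    return parts[0], host, port


def zone_of(addr):
    """The firewall's own addresses are zone fw; the LAN is loc; everything else is net."""
    if addr in FW_ADDRS:
        return "fw"
    ip = ipaddress.ip_address(addr)
    for zone, net in ZONE_NETS.items():
        if ip in net:
            return zone
    return "net"


def compile_rules(lines):
    """Split rules-file lines into nat-stage and filter-stage rules. A DNAT rule yields
    a nat entry plus the filter ACCEPT for the translated (post-NAT) flow."""
    nat, filt = [], []
    for line in lines:
        action, source, dest, proto, dport = line.split()
        rule = Rule(action, source, dest, proto, int(dport))
        if action == "DNAT":
            d_zone, d_host, d_port = split_spec(dest)
            nat.append(rule)
            filt.append(Rule("ACCEPT", source, f"{d_zone}:{d_host}", proto, d_port or rule.dport))
        else:
            filt.append(rule)
    return nat, filt


def source_matches(rule, pkt, src_zone):
    s_zone, s_host, _ = split_spec(rule.source)
    return s_zone == src_zone and (s_host is None or s_host == pkt.src)


def evaluate(nat, filt, pkt, policy="DROP"):
    """Return (action, chain, final_dst, final_dport) for one inbound packet."""
    src_zone = zone_of(pkt.src)
    # Stage 1: nat PREROUTING. DNAT matches the pre-NAT destination, i.e. a packet
    # from the internet addressed to the firewall's own public address.
    for rule in nat:
        if (source_matches(rule, pkt, src_zone) and rule.proto == pkt.proto
                and rule.dport == pkt.dport and zone_of(pkt.dst) == "fw"):
            _, d_host, d_port = split_spec(rule.dest)
            pkt = Packet(pkt.src, d_host, pkt.proto, d_port or pkt.dport)
            break
    # Stage 2: filter. The chain is picked from the POST-NAT destination: a packet now
    # addressed to one of the firewall's own addresses is INPUT traffic, matched in
    # net2fw and never in net2loc, so a DNAT "to the firewall" cannot admit it.
    dst_zone = zone_of(pkt.dst)
    chain = f"{src_zone}2{dst_zone}"
    for rule in filt:
        d_zone, d_host, _ = split_spec(rule.dest)
        if (source_matches(rule, pkt, src_zone) and d_zone == dst_zone
                and (d_host is None or d_host == pkt.dst)
                and rule.proto == pkt.proto and rule.dport == pkt.dport):
            return rule.action, chain, pkt.dst, pkt.dport
    # Nothing matched: fall through to the net2all chain and the zone policy.
    return policy, f"{src_zone}2all", pkt.dst, pkt.dport


if __name__ == "__main__":
    bad = compile_rules(["DNAT net loc:192.168.1.1 tcp 22"])
    good = compile_rules(["ACCEPT net:208.146.43.22 fw tcp 22",
                          "DNAT net:208.146.43.22 loc:192.168.1.254:22 tcp 1022"])
    print(evaluate(*bad, Packet("208.146.43.22", "198.51.100.7", "tcp", 22)))
    print(evaluate(*good, Packet("208.146.43.22", "198.51.100.7", "tcp", 22)))
    print(evaluate(*good, Packet("203.0.113.9", "198.51.100.7", "tcp", 22)))
    print(evaluate(*good, Packet("208.146.43.22", "198.51.100.7", "tcp", 1022)))
```

The first print is the thread's original symptom: the packet is rewritten to 192.168.1.1:22, lands in net2fw, matches nothing and is dropped by the net2all policy with DST=192.168.1.1, exactly as in the log. The remaining three show that the source qualifier keeps any other address on the net zone in the policy drop while the one admin host reaches both the firewall and, via port 1022, the LAN host on port 22.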
Joshua Banks
2003-Aug-18 15:54 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
--- Tom Eastep <teastep@shorewall.net> wrote:
> Yes -- in fact, that's what I intended to write in the first place :-)

Great...Thanks Tom.

JBanks
Joshua Banks
2003-Aug-18 16:03 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
Oh ya,

Tom, where in the Shorewall documentation does it specify that when needing to connect directly from the internet, via whatever port, to the FW itself that you don't use DNAT or port forwarding. When I need to configure shorewall for whatever needs I always usually go right to the Documentation link and FAQs. I don't see this mentioned yet anywhere. I just assumed that this was related to port forwarding so I immediately went right to the DNAT section in the documentation.

Thanks,
JBanks
Tom Eastep
2003-Aug-18 16:43 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
On Mon, 18 Aug 2003, Joshua Banks wrote:
>
> Oh ya,
>
> Tom, where in the Shorewall documentation does it specify that when needing to connect directly
> from the internet, via whatever port, to the FW itself that you don't use DNAT or port forwarding.
> When I need to configure shorewall for whatever needs I always usually go right to the
> Documentation link and FAQs. I don't see this mentioned yet anywhere. I just assumed that this
> was related to port forwarding so I immediately went right to the DNAT section in the
> documentation.
>

This is covered in the two-interface and three-interface QuickStart Guides and in the Setup Guide.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Aug-18 16:51 UTC
[Shorewall-users] ppp0 and forwarding ssh to the firewall...?
On Mon, 18 Aug 2003, Tom Eastep wrote:
>
> This is covered in the two-interface and three-interface QuickStart Guides
> and in the Setup Guide.
>

Also the first example in the rules file included in the two-interface Sample configuration seems pretty clear.

-Tom

Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net