# ssh probs

## Lasitus

Hello,

I have created firewall rules that allow ssh for forward, input, and output tables and have started sshd without a hitch.  I am still having a problem connecting to it internally, though.  Have I missed a step here?

Also, one other question while I am messing with my firewall.  I have set up IP Masq and have found I need this line for it to work:

```
/sbin/iptables -A FORWARD -i eth0 -j ACCEPT
```

This doesn't blow a big hole in my security does it?  It does seem to be limited though, since I had to allow 5190 for AIM to function.

Thanks,

Lasitus

----------

## BackSeat

 *Lasitus wrote:*   

> I am still having a problem connecting to it internally still though.

 What problem, exactly?

BS

----------

## Lasitus

It times out when connecting to it.  I never get to the logon screen in PuTTY.

----------

## klieber

 *Lasitus wrote:*   

> I have created firewall rules that allow ssh for forward, input, and output tables and have started sshd without a hitch.  I am still having a problem connecting to it internally, though.  Have I missed a step here?

 

Probably.  What do your log files say about the failed connection attempt?  Either something about iptables (likely) or sshd (less likely).

 *Lasitus wrote:*   

> /sbin/iptables -A FORWARD -i eth0 -j ACCEPT
> 
> This doesn't blow a big hole in my security does it?

 

Um...sort of.  This rule allows any traffic that comes in on eth0 (presumably your external interface) to be forwarded on without restriction.  Depending on what your other rules are, this could be a big problem, indeed.

Might want to look at the IPTables tutorial to get an understanding for how different tables work and interoperate with one another.

--kurt

----------

## Lasitus

OK, thanks for the reply.  I will mess with the firewall settings a bit more, though I don't know what else could be done to open ssh.  (I opened it in all the tables.)  I will read the link you sent.

One more question about iptables.  (I have read many posts and articles about iptables but still don't know the answer to this.)

If I first set the default rule to drop all, second make rules on what can be let through, and third forward all incoming connections from eth0 (yes, it is external), will this be limited by my previous rules, or will the use of -j ACCEPT allow everything to be forwarded?

----------

## Lasitus

Update:

I tried ssh localhost and received this:

```
SSH:  localhost:  Name or service not known
```

I have sshd running and in the default startup.  This takes my firewall out of the picture...

----------

## lx

Do you have localhost set in /etc/hosts?

```
127.0.0.1 localhost
10. ....
```

Cya lX.

PS: try ssh 127.0.0.1 or even telnet 127.0.0.1 22

----------

## Lasitus

 *lx wrote:*   

> Do you have localhost set in /etc/hosts?

 

Yes

 *lx wrote:*   

> Ps:try ssh 127.0.0.1 or even telnet 127.0.0.1 22

 

Same result

----------

## Lasitus

 *Quote:*   

> Probably.  What do your log files say about the failed connection attempt?  Either something about iptables (likely) or sshd (less likely).

 

I am a newbie and don't know where these are.  Could you enlighten me?

----------

## lx

Try netstat (package net-tools)

```
netstat -l | grep ssh
```

 *Quote:*   

> tcp        0      0 *:ssh                   *:*                     LISTEN      

 

Do you have ListenAddress / Port set in /etc/ssh/sshd.conf?

Maybe you could also try to drop iptables rulez, just to check they aren't causing trouble (unlikely for local):

```
/sbin/iptables -F
```

Check /var/log/sshd/current if using metalog (metalog buffers logs, so you may wanna restart metalog to flush the buffers (don't remember the kill command, -USR1 or something)).

Cya lX.

----------

## Lasitus

Did a 

```
/etc/init.d/firewall stop
```

and well, 

```
ssh localhost
```

worked so...  I guess it is my firewall somehow.  I am allowing port 22 in my INPUT, OUTPUT, and FORWARD tables.  Does ssh need anything else besides this port?

----------

## Lasitus

Here is my firewall file.  I finally was able to ssh in to copy it (with the firewall stopped).  Is there anything about this that would prevent my connection?  Note, it is nowhere near completion.  I am still adding port scanning prevention and other such detection to it.

Thanks,

Lasitus

```
#!/sbin/runscript

IPT=/sbin/iptables
LOCALNETWORK=192.168.0.0/0
EXTINTERFACE=eth0
INTINTERFACE=eth1
DNS1=24.95.227.34
DNS2=24.95.227.35
INTIP=192.168.3.1

depend() {
  need net procparam
  after net.eth1
}

start() {
  ebegin "Starting firewall"

  # Set default rule to drop
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
  $IPT -P FORWARD DROP

  # Create chain for allowed forward traffic
  $IPT -N allowed-ports-forward
  $IPT -F allowed-ports-forward
  $IPT -A allowed-ports-forward -p tcp --dport www -j ACCEPT
  $IPT -A allowed-ports-forward -p tcp --dport https -j ACCEPT
  $IPT -A allowed-ports-forward -p tcp --dport 22 -j ACCEPT
  $IPT -A allowed-ports-forward -p tcp --dport 20 -j ACCEPT
  $IPT -A allowed-ports-forward -p tcp --dport 21 -j ACCEPT
  $IPT -A allowed-ports-forward -p tcp --dport 5190 -j ACCEPT

  # Create chain for allowed server traffic
  $IPT -N allowed-ports-server
  $IPT -F allowed-ports-server
  $IPT -A allowed-ports-server -p tcp --dport 22 -j ACCEPT

  # Create chain for DNS
  $IPT -N dns
  $IPT -F dns
  $IPT -A dns -p udp -d $DNS1 --dport domain -j ACCEPT
  $IPT -A dns -p udp -d $DNS2 --dport domain -j ACCEPT

  # Apply chains to INPUT
  $IPT -A INPUT -j dns
  $IPT -A INPUT -j allowed-ports-server
  $IPT -A INPUT -p icmp -i $INTINTERFACE -j ACCEPT

  # Apply chains to OUTPUT
  $IPT -A OUTPUT -j dns
  $IPT -A OUTPUT -j allowed-ports-server
  $IPT -A OUTPUT -p icmp -o $INTINTERFACE -j ACCEPT

  # Apply chains to FORWARD
  $IPT -A FORWARD -j dns
  $IPT -A FORWARD -j allowed-ports-forward

  # Start Masquerading
  $IPT -t nat -A POSTROUTING -s $LOCALNETWORK -j MASQUERADE
  $IPT -A FORWARD -i $EXTINTERFACE -j ACCEPT

  eend $?
}

stop() {
  ebegin "Stopping firewall"
  $IPT -F
  $IPT -t nat -F
  $IPT -X
  $IPT -P INPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  $IPT -P OUTPUT ACCEPT
  eend $?
}
```

----------

## Lasitus

Update:

ssh works now...  I added

```
$IPT -A INPUT -i $INTINTERFACE -j ACCEPT
$IPT -A OUTPUT -o $INTINTERFACE -j ACCEPT
```

I am still unsure about the security ramifications of these lines that allow all through certain interfaces.  I assume the other rules apply as well; these just have to say whether or not anything is allowed through an interface.  Am I right on this?

Well anyway, thanks lx and klieber for helping me figure this one out.

Lasitus
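To see why the posted ruleset made PuTTY time out, and why a connection-tracking rule is a narrower fix than accepting everything on eth1, here is a small Python model of iptables chain traversal. It is an added example constructed for this thread, not code from any of the posts; the ruleset is simplified to the INPUT/OUTPUT rules that matter, and the `state` field stands in for what the real `-m state` match would report.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    proto: str          # "tcp", "udp" or "icmp"
    iface: str          # interface the packet enters (-i) or leaves (-o) on
    sport: int
    dport: int
    state: str = "NEW"  # what the conntrack "state" match would report

def rule(target, proto=None, iface=None, dport=None, state=None):
    """One rule: match fields (None = wildcard) plus a target or user-chain name."""
    return {"proto": proto, "iface": iface, "dport": dport, "state": state, "target": target}

def matches(r, p):
    return all(r[k] is None or getattr(p, k) == r[k] for k in ("proto", "iface", "dport", "state"))

def verdict(chains, chain, policy, p):
    """Walk a chain top to bottom; a user chain that matches nothing RETURNs to its caller."""
    for r in chains[chain]:
        if not matches(r, p):
            continue
        if r["target"] in ("ACCEPT", "DROP"):
            return r["target"]
        sub = verdict(chains, r["target"], None, p)   # jump into a user chain
        if sub is not None:
            return sub
    return policy   # fell off the end: built-in chain uses its policy, user chain returns None

# Simplified version of the posted ruleset: only "--dport 22" is ever accepted
ORIG = {
    "allowed-ports-server": [rule("ACCEPT", proto="tcp", dport=22)],
    "INPUT": [rule("allowed-ports-server"), rule("ACCEPT", proto="icmp", iface="eth1")],
    "OUTPUT": [rule("allowed-ports-server"), rule("ACCEPT", proto="icmp", iface="eth1")],
}
# Narrower alternative to "-i eth1 -j ACCEPT": accept only packets of an existing connection
FIXED = {
    "allowed-ports-server": ORIG["allowed-ports-server"],
    "INPUT": [rule("ACCEPT", state="ESTABLISHED")] + ORIG["INPUT"],
    "OUTPUT": [rule("ACCEPT", state="ESTABLISHED")] + ORIG["OUTPUT"],
}

SYN_IN = Pkt("tcp", "eth1", 50000, 22)                    # PuTTY -> sshd, first packet
REPLY_OUT = Pkt("tcp", "eth1", 22, 50000, "ESTABLISHED")  # sshd's reply: source port 22, dport 50000
NEW_OUT = Pkt("tcp", "eth1", 40000, 80)                   # unsolicited outbound connection

def ssh_handshake(chains):
    """(verdict on the incoming SYN, verdict on sshd's reply) under DROP default policies."""
    return verdict(chains, "INPUT", "DROP", SYN_IN), verdict(chains, "OUTPUT", "DROP", REPLY_OUT)
```

With the original rules the SYN is accepted but sshd's reply (source port 22, not destination port 22) hits the OUTPUT DROP policy, which is the timeout seen in PuTTY; on a real box the equivalent of the `state="ESTABLISHED"` rule is `$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` (and the same for INPUT), which lets replies through without opening the whole interface.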

----------

