Opening Linux firewall for sshd

By d_ellis
I need some help with my firewall. At the moment I have a Linux server as a gateway for my home network. The current firewall blocks all incoming ports and only allows incoming when initiated from within my firewall.

My access to the Internet is via a cable modem. The IPS blocks all ports from 0 through 1024.

I would like to access my home network from the Internet using ssh. However, the blocked ports require me to change the sshd port to something above 1024, say 22022. I can access the server from within my home network with the sshd port set to 22022. My first try to open the firewall was to modify my firewall with

$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 22022 --syn -j ACCEPT

This does not work and the firewall reports a connection dropped as

Jul 30 21:29:28 kernel: IN=eth0 OUT= MAC=00:02:e3:09:c8:34:00:30:b8:80:34:fe:08:00 SRC=YYY.YYY.YYY.YYY DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=27094 DF PROTO=TCP SPT=1047 DPT=22222 WINDOW=5840 RES=0x00 SYN URGP=0

Where XXX and YYY are just IP addresses.

Any help will be appreciated.


by JIM-H In reply to Opening Linux firewall fo ...

Here are a few thoughts that "might" help. I have not done exactly what you are doing but I am sure it is possible as I have done something close to this from what I can tell so far.

First, is the log that you provided an attempted session from the Internet? I notice that the Destination port is 22222 and not 22022 as expected from your previous message. It is just something to investigate.

Next, by any chance are you using another router before you actually hit the Cable "Cloud"? Is any NAT going on before your Linux Firewall actually gets the SSHD request? If so maybe you need to statically MAP a port in your NAT table.

Finally, if your Linux box is doing NAT and not another router did you statically map your SSHD Port (22022) to the correct box internally? I bring this up since you said that you are working locally, maybe locally means not having to pass through a NAT/Firewall/Router?

Let me know how it goes or if you have any answers for the above and we can go further. This is a fun one! :-)
Later,
Jim
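As an added example (not from the thread or either poster), a small Python checker that parses a netfilter log line of the kind quoted above and reports which fields of the dropped packet differ from the ACCEPT rule the admin expects to match it. The addresses and the internal interface name `eth1` (standing in for `$INTIF`) are constructed placeholders.

```python
import re

# Constructed sample, modelled on the log line in the question (placeholder addresses).
SAMPLE_LOG = (
    "Jul 30 21:29:28 kernel: IN=eth0 OUT= "
    "MAC=00:02:e3:09:c8:34:00:30:b8:80:34:fe:08:00 "
    "SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 "
    "ID=27094 DF PROTO=TCP SPT=1047 DPT=22222 WINDOW=5840 RES=0x00 SYN URGP=0"
)

FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")
BARE_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}


def parse_netfilter_log(line):
    """Turn a netfilter KEY=VALUE log line into a dict; bare tokens such as
    SYN or DF (no '=') are collected under 'flags'."""
    fields = dict(FIELD_RE.findall(line))
    fields["flags"] = sorted(set(line.split()) & BARE_FLAGS)
    return fields


def explain_drop(fields, rule):
    """Compare a logged (dropped) packet against the ACCEPT rule that was
    supposed to match it. rule = {'iface', 'proto', 'dport', optional 'syn_only'}.
    Returns a list of (what, packet_value, rule_value) for every mismatch;
    an empty list means the rule should have matched and the problem is elsewhere
    (rule order, the rule not loaded, or filtering upstream of this host)."""
    mismatches = []
    if fields.get("IN") != rule["iface"]:
        mismatches.append(("iface", fields.get("IN"), rule["iface"]))
    if fields.get("PROTO", "").lower() != rule["proto"].lower():
        mismatches.append(("proto", fields.get("PROTO"), rule["proto"]))
    if "DPT" in fields and int(fields["DPT"]) != rule["dport"]:
        mismatches.append(("dport", int(fields["DPT"]), rule["dport"]))
    if rule.get("syn_only") and "SYN" not in fields["flags"]:
        mismatches.append(("flags", fields["flags"], ["SYN"]))
    return mismatches


if __name__ == "__main__":
    pkt = parse_netfilter_log(SAMPLE_LOG)
    # The rule from the question: sshd moved to 22022, but the packet went to 22222.
    print(explain_drop(pkt, {"iface": "eth0", "proto": "tcp", "dport": 22022, "syn_only": True}))
```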


by LordInfidel In reply to Opening Linux firewall fo ...

Just an FYI,

SSH can not be port forwarded/NAT'd. It will break the encryption and fail.


by LordInfidel In reply to

But you can use a SSH Tunnel between 2 Linux boxes, kind of like a VPN.

Linux VPNs from New Riders covers how to do it.


by LordInfidel In reply to

It's for BSD... But it should give you some guidelines if you're using RH

http://www.defcon1.org/html/ssh/vpn-howto/vpn-howto.html


by JIM-H In reply to Opening Linux firewall fo ...

I do not think that Lordinfidel is correct that SSH can't be forwarded or NAT'd. Unless he is stating that the encryption is compromised and easily hacked once NAT'd? But as far as working, I was able to make it work and it looked right to me. Maybe you have done more tests than I have.

Here was the setup, I did use default port 22 for SSH.
---
Public Internet, Cable-Modem ISP, Router, UNIX-A w/ SSHD.
---
The Router between the Internet and UNIX-A box is in fact running NAT and has a rule setup that forwards ALL port 22 data to a private local IP address, the UNIX box in this case.

I ran two tests.

TEST#1 - This was sourced from a separate cable-modem account on a different ISP, and behind a router running NAT as well. I was successful in establishing an SSH2 encrypted session to UNIX-A. I ran a local sniffer and was able to watch the TCP session as the destination was a public IP but in fact UNIX-A does have a 192.168.x.x, private, address. Therefore NAT and port forwarding was being used.

TEST#2 - This was sourced from a VPN connection to the NAT'd UNIX-A box. As I was unable to accurately sniff the traffic because the packets are all tunnel packets, I still was able to reach the password prompt and login without any problems.

See log of session below - from public internet to UNIX
***I substituted P.P.P.P for the Public IP address***
[*root*@<hostname>: <prompt>$ ssh <username>@UNIX-A
Warning: Permanently added the RSA host key for IP address 'P.P.P.P' to the list of known hosts.
<username>@UNIX-A's password:
Last login: Tue Aug 5 22:27:07 2003
Welcome to UNIX-A!!!!
[<username>@UNIX-A: <username>[1]$

Let me know what you think,
Jim


by d_ellis In reply to Opening Linux firewall fo ...

I did some testing. I placed another Linux box on my internal network and set up the firewall as I have it on my gateway box. I changed the sshd port to 2222 in both sshd_config and the firewall. I was then able to connect via ssh from both Windows and other Linux boxes on the internet.

I then did the same on the gateway computer. I then ssh'ed out to a computer on the internet that I have access to. Once logged on, I then tried to ssh (ssh -p 2222 <home ip>) back to my home gateway. It would not connect. I then did an nmap on the 2222 port. This indicated that the port was filtered.

I then closed the sshd port on my firewall and did the nmap again. It now indicated that the port was closed.

These experiments indicate to me that Zoominternet is blocking more than they said they were.

Thanks to everyone who responded.
