[sllug-members]: SSH question
Dan Witt
dan at witt.tv
Fri Apr 18 16:25:38 MDT 2008
Mark K. Spute wrote:
>
>
> Dan Witt wrote:
> [snip]
>>> Okay, I updated my iptables as you suggested above and restarted
>>> iptables. Now I can login from machines behind my firewall (using
>>> 127.0.0.1) However, I tried to use putty to login to my public IP
>>> address (216.126.226.210) and I get a fatal error. It says Network
>>> Error: connection refused.
>>>
>>> Is this still an iptables issue? (I know nothing about iptables, so
>>> I am hesitant to get in there and mess around.)
>>
>> Hey Mark,
>>
>> Sorry, I'm a little confused when you say, "Now I can login from
>> machines behind my firewall (using 127.0.0.1)" because it sounds like
>> you are now able to connect to your server using any machine on your
>> internal network but you then give the IP of 172.0.0.1 which is the
>> local machine you are logged in to. If "127.0.0.1" was just a typo and
>> you are able to SSH in from any internal machine then it sounds like
>> the port isn't being forwarded properly from your router, you are
>> trying to access your public IP internally or something like that.
>>
>> I have to agree with Remo, you can shut down the iptables service
>> temporarily and see if it works externally just to eliminate the
>> firewall question.
>>
>> /etc/init.d/iptables stop
>
> Sorry. It was a typo. I can ssh from the server console on 127.0.0.1.
> I can ssh from other machines behind the firewall using 192.168.0.10.
> But I can't ssh from other machines behind the firewall using the public
> ip of 216.126.226.210.
>
> I shut down iptables using the command you listed. I still got the same
> error message on putty as before: network error, connection refused.
>
> What else could it be?
I think that Knight Walker is correct on this one. The route is not set
up properly for you to resolve your public IP address internally, which
is pretty normal for home networks. If you try to SSH into your machine
from an external location, you'll probably be able to access it.
> I am very interested in Dan Witts suggestion, I'm just not sure how to
> do it.
I agree with the others, 'authfail' or 'denyhosts' is definitely a good
option. However, if you're a total paranoid nut case, like me, and you
don't want anybody to attempt login unless it's from an IP address that
you trust, use the previously mentioned filter rules. Here's an example:
I pulled the following iptables filter script from some guy's Fedora
box, it was generated at install time by 'system-config-securitylevel',
adapt as needed for your system (# = comment):
#--------------------------------------------
#/etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#Following is commented for the upcoming SSH filter rules.
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#Here's where you can add the previously mentioned filter rules.
#Fedora/RedHat jump the INPUT chain to the user-defined chain 'RH-Firewall-1-INPUT' (not sure why but it's fine).
#Log any attempts to connect on port 3022
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 3022 -j LOG
#Allow my internal network to connect on port 3022
-A RH-Firewall-1-INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 3022 -j ACCEPT
#Allow my work IP to connect on port 3022
-A RH-Firewall-1-INPUT -i eth0 -s 123.123.23.31 -p tcp -m tcp --dport 3022 -j ACCEPT
#Allow my Friend's IP to connect on port 3022
-A RH-Firewall-1-INPUT -i eth0 -s 121.121.43.11 -p tcp -m tcp --dport 3022 -j ACCEPT
#Block any other IP from trying to connect on 3022
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 3022 -j DROP
COMMIT
#--------------------------------------------
-Dan Witt
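The LOG / ACCEPT-per-trusted-source / DROP pattern from Dan's ruleset, turned into a small generator so the allow-list can be rebuilt without hand-editing the file. This is an added example, not code from the list post or from Fedora; the function names, the rate-limited log prefix and the sample source addresses are this example's own, while the chain name follows the Fedora layout shown above.

```sh
#!/bin/sh
# Added example: emit an iptables-restore ruleset that logs, allow-lists and
# then drops inbound SSH on a chosen port. Hypothetical helpers; the chain
# name mirrors the Fedora 'RH-Firewall-1-INPUT' chain from the posted file.

# gen_ssh_rules PORT IFACE SOURCE...   -> prints the ruleset on stdout
gen_ssh_rules() {
    port=$1; iface=$2; shift 2
    chain=RH-Firewall-1-INPUT
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        ":$chain - [0:0]" \
        "-A INPUT -j $chain" "-A FORWARD -j $chain" \
        "-A $chain -i lo -j ACCEPT" \
        "-A $chain -p icmp --icmp-type any -j ACCEPT"
    # Log every new connection attempt on the SSH port. The limit keeps a port
    # scan from flooding the log; the prefix makes the lines easy to grep for.
    printf '%s\n' "-A $chain -i $iface -p tcp -m tcp --dport $port -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix \"SSH-ATTEMPT: \""
    # One ACCEPT per trusted source (host or CIDR), in the order given.
    for src in "$@"; do
        printf '%s\n' "-A $chain -i $iface -s $src -p tcp -m tcp --dport $port -j ACCEPT"
    done
    # Everything else aimed at the SSH port is dropped. This must stay after
    # the ACCEPT rules, because the first matching rule wins.
    printf '%s\n' "-A $chain -i $iface -p tcp -m tcp --dport $port -j DROP" COMMIT
}

# ssh_rules_ok RULESET: sanity check that the last rule before COMMIT is the
# DROP, i.e. no ACCEPT for the port has slipped in below it.
ssh_rules_ok() {
    printf '%s\n' "$1" | grep -v '^COMMIT$' | tail -n 1 | grep -q -- '-j DROP$'
}

# Constructed sample sources: an internal /24 plus two single trusted hosts.
gen_ssh_rules 3022 eth0 192.168.0.0/24 203.0.113.10 198.51.100.7
```

Redirect the output to /etc/sysconfig/iptables and restart the service as in the thread; on newer iptables, `iptables-restore --test < file` parses the file without committing it, which catches wrapped or malformed lines before they take the firewall down. Because the LOG rule sits before the ACCEPTs, trusted logins are logged too, which is useful when feeding the kernel log to a tool like denyhosts.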