shorewall + ssh problem (solved)

Message

Slavo · Post by **Slavo** » Mon Sep 19, 2005 9:53 pm

hi , ive been posting my problem with ssh
- it was i cant connect from external machine to my machine via ssh, although i can ssh from my machine to my machine

- i traced the problem to shorewall (something with it i have no idea what can it be)

logfile shows this

Code: Select all

Sep 19 23:43:43 tux Shorewall:net2all:DROP:IN=vpnlink OUT= MAC= SRC=xxx.xxx.1.94                                                                            DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=18239 DF PROTO=TCP SPT=3

here my config files
/etc/shorewall/policy

Code: Select all

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
fw              net             ACCEPT          info
net             all             DROP            info
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/zones

Code: Select all

#ZONE                   DISPLAY         COMMENTS
net                     Net             Internet
rwth                    RWTH            RWTH LAN
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces

Code: Select all

#ZONE    INTERFACE      BROADCAST       OPTIONS                 GATEWAY
net      vpnlink        -               norfc1918,routefilter,dhcp,tcpflags
rwth     eth0           detect          norfc1918,routefilter,dhcp,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/rules (just an excerpt)

Code: Select all

ACCEPT   fw             rwth            tcp     22   #sftp
ACCEPT   fw             rwth            udp     22   #sftp

any ideas? (vpnlink is my vpnclient external interface)

- it got broken after some emerge -Du world

Slavo · Post by **Slavo** » Tue Sep 20, 2005 6:26 am

hmmmmmmmmmmmm, forgot to give this file

/etc/shorewall/tunnels

Code: Select all

# TYPE                  ZONE    GATEWAY         GATEWAY
#                                               ZONE
#
ipsec                   rwth    0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

seems like this one is using 0.0.0.0 and ssh daemon is using 0.0.0.0

- but i have no idea what that means

davidblewett · Post by **davidblewett** » Tue Sep 20, 2005 5:09 pm

You have to add some rules to be able to access rwth from the net. Add this to /etc/shorewall/rules:

Code: Select all

ACCEPT  net             fw            tcp     22   #sftp
ACCEPT   net             fw            udp     22   #sftp

If you want to connect to a specific machine inside the network, you can use shorewall's DNAT keyword to send all requests on port 22 on the firewall to the port 22 on rwth. I.e.:

Code: Select all

DNAT            net             rwth:192.168.0.245       tcp     22

Slavo · Post by **Slavo** » Tue Sep 20, 2005 5:51 pm

thank you, that worked!

btw i like your comment on the bottom

- Christ lives in hearts , not on cross as all churches portray Him

davidblewett · Post by **davidblewett** » Tue Sep 20, 2005 7:09 pm

seems like this one is using 0.0.0.0 and ssh daemon is using 0.0.0.0

0.0.0.0 is shorthand in linux for all interfaces. It means the daemon is listening on any available IP, like public (12.230.18.60), private (192.168.0.1) and localhost (127.0.0.1). It's a way of simplifying things. Some like to have daemons run on only one IP address, to prevent unauthorized access.