ssh connection through IPTables firewall fails. What's wrong?


Post by Colin Big » Thu, 16 Aug 2001 05:24:19



OK, here's the problem.

I've got a box running RH6.2 with a 2.4.x kernel and two NICs sitting
as my firewall. I've got an internal box running sshd, that I want to
connect to through the firewall, using some unused port on said
firewall. Let's call these boxes FW and HOME.

I've got IPTables set up so that incoming connections to FW on eth1
(external NIC) on some port (I'm trying 80:HTTP at the moment) get DNAT
rewritten to HOME, port 22. I've also got a packet filtering rule that
allows connections on eth1 with a destination of HOME:22 to go through.

The packets get through. I can sniff packets on port 22 from HOME, and
see them all. However, the ssh session never starts. I _can_ start an ssh
session on HOME from any of my other internal boxes, just not through the
firewall.

Any ideas on what I'm missing here? I've tried doing the same with a
normal telnet session (rewrite to port 23, and telnet in) but with the same
results. It just doesn't make sense to me. Unless sshd is sending UDP or
'unconnected' packets back out (which would get filtered), there seems to
be nothing missing.

Hoping for some help here.
Thanks,
Colin


ssh connection through IPTables firewall fails. What's wrong?

Post by Dean Thompso » Thu, 16 Aug 2001 17:53:37


Hi!,

> I've got a box running RH6.2 with a 2.4.x kernel and two NICs sitting
> as my firewall. I've got an internal box running sshd, that I want to
> connect to through the firewall, using some unused port on said
> firewall. Let's call
> these boxes FW and HOME.

> I've got IPTables set up so that incoming connections to FW on eth1
> (external NIC) on some port (I'm trying 80:HTTP at the moment) get DNAT
> rewritten to HOME, port 22. I've also got a packet filtering rule that
> allows connections on eth1 with a destination of HOME:22 to go through.

> The packets get through. I can sniff packets on port 22 from HOME, and
> see them all. However, the ssh session never starts. I _can_ start an ssh
> session on HOME from any of my other internal boxes, just not through the
> firewall.

> Any ideas on what I'm missing here? I've tried doing the same with a
> normal telnet session (rewrite to port 23, and telnet in) but with the same
> results. It just doesn't make sense to me. Unless sshd is sending UDP or
> 'unconnected' packets back out (which would get filtered), there seems to
> be nothing missing.

It would be good to see the actual tables but the DNAT should work for you,
however you might want to make sure that there are no firewalls running
anywhere else which are blocking the packets coming into and out of your
network.  When you are forming your SSH connection are you passing in the
parameter -P as well?

ssh -P machinename -l username

You have to use -P to make sure that SSH doesn't use privileged ports when it
establishes a connection back.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+


ssh connection through IPTables firewall fails. What's wrong?

Post by Colin Big » Sat, 18 Aug 2001 03:25:47



> Hi!,

I'm back. :-)

> It would be good to see the actual tables but the DNAT should work for you,
> however you might want to make sure that there are no firewalls running
> anywhere else which are blocking the packets coming into and out of your
> network.  When you are forming your SSH connection are you passing in the
> parameter -P as well ?

I wasn't, but as you can see, I'm (a) not blocking any outgoing connections,
and (b) having the same problems with telnet.

Thanks for the info. I tried switching from ssh to telnet to
eliminate one source of complexity, and have the same problem.
Here's some more detail on everything.

Here are my iptable settings.

                $IPTAB -t nat -A PREROUTING -p tcp --dport 80 -i eth1 \
                  -j DNAT --to 10.1.1.13:23
                $IPTAB -t nat -A POSTROUTING -o eth1 -j MASQUERADE

                $IPTAB -N block
                $IPTAB -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
                $IPTAB -A block -m state --state NEW -i ! eth1 -j ACCEPT
                $IPTAB -A block -p tcp -d 10.1.1.13 --dport 23 -i eth1 \
                  -j LOG --log-level info
                $IPTAB -A block -p tcp -d 10.1.1.13 --dport 23 -i eth1 \
                  -j ACCEPT
                $IPTAB -A block -j LOG --log-level warning
                $IPTAB -A block -j DROP
                $IPTAB -A INPUT -j block
                $IPTAB -A FORWARD -j block

                echo 1 >/proc/sys/net/ipv4/ip_forward

And now, when I telnet in, I see this behaviour on the client machine:
(tcpdump is running on 10.1.1.13, and the network is switched)

# tcpdump -vn port 23
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
22:46:45.881713 eth0 < 199.198.139.210.2651 > 10.1.1.13.telnet: S 57344000:57344000(0) win 61440 <mss 512> (ttl 51, id 40648)
22:46:51.674203 eth0 < 199.198.139.210.2651 > 10.1.1.13.telnet: S 57344000:57344000(0) win 61440 <mss 512> (ttl 51, id 40650)
2 packets received by filter

So the packets are getting through. On the other hand, this is what
I see on the machine I'm connecting from:

% telnet 105.133.15.34 80
Trying 105.133.15.34...
telnet: Unable to connect to remote host: Connection timed out
%

I'm still at a loss. Any ideas?

Colin
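The capture above is the most useful evidence in the thread: both packets on the wire at 10.1.1.13 are SYNs from the same client port, six seconds apart, and there is no SYN/ACK from 10.1.1.13 in either direction. The following script is an added example, not something from the thread, that reads tcpdump output in this old line format and reports flows where a SYN (possibly retransmitted) was seen but no SYN/ACK ever answered it. The sample capture is constructed: the first two lines copy the ones in the post, and the remaining lines are a made-up healthy handshake from an internal host (10.1.1.20, an assumed address) for contrast.

```python
import re
from collections import defaultdict

# Constructed sample capture in the old tcpdump -vn line format used in the post:
#   time iface dir src.port > dst.port: flags seq(len) [ack n] win ...
# Lines 1-2 are the two SYNs from the post; lines 3-5 are a constructed handshake
# from an assumed internal host so the script has a healthy flow to compare against.
SAMPLE_CAPTURE = """\
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
22:46:45.881713 eth0 < 199.198.139.210.2651 > 10.1.1.13.telnet: S 57344000:57344000(0) win 61440 <mss 512> (ttl 51, id 40648)
22:46:51.674203 eth0 < 199.198.139.210.2651 > 10.1.1.13.telnet: S 57344000:57344000(0) win 61440 <mss 512> (ttl 51, id 40650)
22:47:02.100000 eth0 < 10.1.1.20.1044 > 10.1.1.13.telnet: S 1000:1000(0) win 32120 <mss 1460> (DF) (ttl 64, id 1)
22:47:02.100400 eth0 > 10.1.1.13.telnet > 10.1.1.20.1044: S 2000:2000(0) ack 1001 win 32120 <mss 1460> (DF) (ttl 64, id 2)
22:47:02.100900 eth0 < 10.1.1.20.1044 > 10.1.1.13.telnet: . 1:1(0) ack 1 win 32120 (DF) (ttl 64, id 3)
5 packets received by filter
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \S+ [<>] "
    r"(?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"(?P<flags>\S+) (?P<rest>.*)$"
)


def parse_capture(text):
    """Yield one dict per packet line; banner and summary lines do not match and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["syn"] = "S" in pkt["flags"]
            pkt["ack"] = " ack " in f" {pkt['rest']} "
            yield pkt


def handshake_state(text):
    """Map each client->server 4-tuple to how many SYNs were sent and whether a SYN/ACK came back."""
    flows = defaultdict(lambda: {"syns": 0, "synack": False})
    for pkt in parse_capture(text):
        if not pkt["syn"]:
            continue
        if pkt["ack"]:
            # A SYN/ACK travels server->client, so key it by the reverse direction.
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            flows[key]["synack"] = True
        else:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            flows[key]["syns"] += 1
    return dict(flows)


def half_open_flows(text):
    """Flows whose SYN reached the capture point but were never answered with a SYN/ACK."""
    return sorted(
        (f"{c}:{cp}", f"{s}:{sp}", st["syns"])
        for (c, cp, s, sp), st in handshake_state(text).items()
        if st["syns"] and not st["synack"]
    )


if __name__ == "__main__":
    for client, server, syns in half_open_flows(SAMPLE_CAPTURE):
        print(f"{client} -> {server}: {syns} SYN(s), no SYN/ACK seen")
```

Run against the sample, the only half-open flow is 199.198.139.210:2651 -> 10.1.1.13:telnet with two SYNs, which is the situation in the post: the firewall delivered the SYN, and whatever is wrong is on 10.1.1.13 itself or on its route back to the client. The inverse finding is just as informative: if a SYN/ACK does appear at the server but the client still reports a timeout, the fault is on the return path through the firewall (reverse NAT or routing) rather than on the server.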


ssh connection through IPTables firewall fails. What's wrong?

Post by Dean Thompso » Sat, 18 Aug 2001 21:25:11


Hi,

> I wasn't, but as you can see, I'm (a) not blocking any outgoing
> connections, and (b) having the same problems with telnet.

> Thanks for the info. I tried switching from ssh to telnet to
> eliminate one source of complexity, and have the same problem.
> Here's some more detail on everything.

> Here are my iptable settings.

>                 $IPTAB -t nat -A PREROUTING -p tcp --dport 80 -i eth1 \
>                   -j DNAT --to 10.1.1.13:23

I don't know where you are trying the connection from, but you might also like
to add the line:

                 # DNAT is only valid in the nat table, and -i cannot be used in OUTPUT
                 $IPTAB -t nat -A OUTPUT -p tcp --dport 80 \
                   -j DNAT --to 10.1.1.13:23

>                 $IPTAB -t nat -A POSTROUTING -o eth1 -j MASQUERADE

>                 $IPTAB -N block
>                 $IPTAB -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
>                 $IPTAB -A block -m state --state NEW -i ! eth1 -j ACCEPT
>                 $IPTAB -A block -p tcp -d 10.1.1.13 --dport 23 -i eth1 \
>                   -j LOG --log-level info
>                 $IPTAB -A block -p tcp -d 10.1.1.13 --dport 23 -i eth1 \
>                   -j ACCEPT
>                 $IPTAB -A block -j LOG --log-level warning
>                 $IPTAB -A block -j DROP
>                 $IPTAB -A INPUT -j block
>                 $IPTAB -A FORWARD -j block

>                 echo 1 >/proc/sys/net/ipv4/ip_forward

> And now, when I telnet in, I see this behaviour on the client machine:
> (tcpdump is running on 10.1.1.13, and the network is switched)

Is the machine 10.1.1.13 actually programmed to allow traffic in on port 80
itself?  Is this a case of a firewall running on 10.1.1.13 as well?  Based on
your tcpdumps, it would appear that 10.1.1.13 either is dropping all the
incoming packets, or your gateway isn't forwarding packets between the two
interfaces you are using.  I presume that the /etc/sysctl.conf file is also
showing that packets are allowed to be forwarded between the various
interfaces.

See ya

Dean Thompson

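To check Dean's reading of the ruleset (that the forwarding rules themselves are not what stops the connection), the following added example models the exact chains Colin posted and walks the four packets that matter through them: the external SYN to FW:80, HOME's reply, an external SYN straight to FW:22, and an internal host's outbound connection. It is a toy model written for this thread, not code from either poster and not a netfilter implementation. The addresses 105.133.15.34 (FW's eth1, the address the telnet test connects to), 10.1.1.13 (HOME) and 199.198.139.210 (the client in the capture) come from the thread; FW's eth0 address 10.1.1.1, the internal host 10.1.1.20 and the outside destination 198.51.100.7 are assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Addresses from the thread, plus one labelled assumption.
FW_EXT = "105.133.15.34"   # FW's eth1 address: the address the telnet test in the post connects to
FW_INT = "10.1.1.1"        # assumed: the thread never states FW's eth0 address
HOME = "10.1.1.13"


class Netfilter:
    """Toy model of the posted ruleset: nat PREROUTING/POSTROUTING, filter INPUT/FORWARD -> block."""

    def __init__(self):
        self.conntrack = set()   # post-NAT 4-tuples of connections the firewall has accepted
        self.dnat_map = {}       # (translated dst, dport) -> (original dst, dport) for un-translating replies

    def _state(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    def _block(self, pkt, state):
        """First-match walk of the 'block' chain exactly as posted; LOG is non-terminating."""
        to_home_telnet = (pkt.proto == "tcp" and pkt.dst == HOME
                          and pkt.dport == 23 and pkt.in_iface == "eth1")
        rules = [
            ("-m state --state ESTABLISHED,RELATED -j ACCEPT", state == "ESTABLISHED", "ACCEPT"),
            ("-m state --state NEW -i ! eth1 -j ACCEPT", state == "NEW" and pkt.in_iface != "eth1", "ACCEPT"),
            ("-p tcp -d 10.1.1.13 --dport 23 -i eth1 -j LOG --log-level info", to_home_telnet, "LOG"),
            ("-p tcp -d 10.1.1.13 --dport 23 -i eth1 -j ACCEPT", to_home_telnet, "ACCEPT"),
            ("-j LOG --log-level warning", True, "LOG"),
            ("-j DROP", True, "DROP"),
        ]
        logged = []
        for name, matched, target in rules:
            if not matched:
                continue
            if target == "LOG":
                logged.append(name)   # LOG records the packet and evaluation continues
                continue
            return target, logged
        return "ACCEPT", logged   # chain policy; unreachable because the chain ends in DROP

    def process(self, pkt):
        trace = {"dnat": False, "masq": False}
        state = self._state(pkt)
        if state == "NEW" and pkt.in_iface == "eth1" and pkt.proto == "tcp" and pkt.dport == 80:
            # nat PREROUTING: consulted only for the first packet of a connection.
            self.dnat_map[(HOME, 23)] = (pkt.dst, pkt.dport)
            pkt = Packet(pkt.in_iface, pkt.src, pkt.sport, HOME, 23, pkt.proto)
            trace["dnat"] = True
        # The routing decision follows PREROUTING, so INPUT/FORWARD see the translated destination,
        # which is why the filter rule in the post matches -d 10.1.1.13 --dport 23 and not --dport 80.
        chain = "INPUT" if pkt.dst in (FW_EXT, FW_INT) else "FORWARD"
        verdict, logged = self._block(pkt, state)
        trace.update(chain=chain, state=state, verdict=verdict, logged=logged)
        if verdict == "ACCEPT":
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if chain == "FORWARD":
                if (pkt.src, pkt.sport) in self.dnat_map:
                    # Reply of a DNATed connection: the source is rewritten back to FW_EXT:80.
                    osrc, osport = self.dnat_map[(pkt.src, pkt.sport)]
                    pkt = Packet(pkt.in_iface, osrc, osport, pkt.dst, pkt.dport, pkt.proto)
                elif state == "NEW" and not pkt.dst.startswith("10.1.1."):
                    # nat POSTROUTING -o eth1 -j MASQUERADE: new outbound connections leave as FW_EXT.
                    pkt = Packet(pkt.in_iface, FW_EXT, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
                    trace["masq"] = True
        trace["out"] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return trace


def demo():
    """Run the four packet kinds that matter for the thread through the model, in order."""
    nf = Netfilter()
    client = ("199.198.139.210", 2651)   # the external client seen in the post's tcpdump
    return {
        "syn": nf.process(Packet("eth1", *client, FW_EXT, 80)),
        "reply": nf.process(Packet("eth0", HOME, 23, *client)),
        "ssh_direct": nf.process(Packet("eth1", client[0], 2700, FW_EXT, 22)),
        "outbound": nf.process(Packet("eth0", "10.1.1.20", 1044, "198.51.100.7", 80)),  # constructed
    }


if __name__ == "__main__":
    for name, trace in demo().items():
        print(name, trace)
```

The model agrees with both posters: the DNATed SYN is accepted in FORWARD (and logged at info by the rule before the ACCEPT), HOME's reply is accepted as ESTABLISHED and un-translated back to FW:80, a connection aimed at the firewall's own port 22 is logged at warning and dropped, and internal hosts can open outbound connections that are masqueraded. Since the ruleset passes both directions of the DNATed connection, the capture's missing SYN/ACK has to come from something the ruleset does not control: ip_forward, a filter on 10.1.1.13, or 10.1.1.13 not routing its reply back through FW.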


1. SSH to/from localhost works but ssh from remote fails (receives "Connection refused")

I recently upgraded to openssh-3.1 and now sshd refuses connections
from remote hosts.  Running "ssh localhost" works fine.  Trying to ssh
from remote system fails.  I have tried to force ssh2.  I verified the
remote host is not blocked in hosts.deny and that hosts.allow is
ALL:ALL.  I also verified that ipchains is not blocking requests to
port 22 (and iptables is not running).  There are no errors in
/var/log/secure.  The /etc/ssh/sshd_config is all defaults.

Here's the output running ssh client verbose from a remote host:

bash-2.03$ ssh -v -2 dhaller2.workstation
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: ssh_connect: getuid 2028 geteuid 2028 anon 1
debug: Connecting to dhaller2.workstation [10.102.10.33] port 22.
debug: connect: Connection refused
debug: Trying again...
debug: Connecting to dhaller2.workstation [10.102.10.33] port 22.
debug: connect: Connection refused
debug: Trying again...
debug: Connecting to dhaller2.workstation [10.102.10.33] port 22.
debug: connect: Connection refused
debug: Trying again...
debug: Connecting to dhaller2.workstation [10.102.10.33] port 22.
debug: connect: Connection refused
Secure connection to dhaller2.workstation refused.
debug: writing PRNG seed to file /home/dhaller/.ssh/prng_seed

Here are the relevant rpms by running rpm -qa | grep openss
openssh-3.1p1-6
openssl-0.9.6b-28
openssh-server-3.1p1-6
openssl-devel-0.9.6b-28
openssh-clients-3.1p1-6


debug1: sshd version OpenSSH_3.1p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.

Any ideas?  

Thanks,
drew
