#1 2008-04-06 02:43:40

deconstrained
Member
Registered: 2008-03-31
Posts: 49

iptables should be allowing ssh, but it isn't

I'm attempting to set up my Arch Linux workstation as a router; it has two ethernet chipsets - one onboard, and one in a pci slot. I try ssh 127.0.0.1 and the connection gets refused.

I had ssh working just fine earlier until I installed/configured iptables per the instructions in the wiki on setting up Arch for NAT. My configuration is as follows:

ip route ls | grep eth0 # (eth0 is my LAN interface)

10.0.0.0/28 dev eth0  proto kernel  scope link  src 10.0.0.1

cat /etc/hosts.allow | grep sshd

sshd:ALL

cat /etc/ssh/sshd_config | grep 22

Port 22
ListenAddress 10.0.0.0:22

cat /etc/iptables/iptables.rules | grep 22

-A open -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A open -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A open -i lo -p tcp -m tcp --dport 22 -j ACCEPT

The full iptables.rules:

# Generated by iptables-save v1.4.0 on Sat Apr  5 18:59:37 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -j interfaces 
-A INPUT -j open 
-A INPUT -p tcp -j REJECT --reject-with tcp-reset 
-A INPUT -p tcp -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -f -j DROP 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j fw-interfaces 
-A FORWARD -j fw-open 
-A FORWARD -j REJECT --reject-with icmp-host-unreachable 
-A fw-interfaces -i eth0 -j ACCEPT 
-A interfaces -i lo -j ACCEPT 
-A interfaces -i eth0 -j ACCEPT 
-A open -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A open -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A open -i lo -p tcp -m tcp --dport 22 -j ACCEPT 
-A open -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A open -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT 
-A open -i eth1 -p tcp -m tcp --dport 28070 -j ACCEPT 
-A open -i eth1 -p udp -m udp --dport 28070 -j ACCEPT 
COMMIT
# Completed on Sat Apr  5 18:59:37 2008
# Generated by iptables-save v1.4.0 on Sat Apr  5 18:59:37 2008
*nat
:PREROUTING ACCEPT [2:128]
:POSTROUTING ACCEPT [2:128]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE 
COMMIT
# Completed on Sat Apr  5 18:59:37 2008

Is there anything I'm missing or that might be causing this problem?

#2 2008-04-06 22:21:59

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: iptables should be allowing ssh, but it isn't

deconstrained wrote:

cat /etc/ssh/sshd_config | grep 22

Port 22
ListenAddress 10.0.0.0:22

That second line is wrong, read the manpage.

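An added check (example code written for this thread, not something either poster ran) that makes the point in the reply concrete: sshd can only bind a ListenAddress that is actually assigned to a local interface, and 10.0.0.0 is the network address of the 10.0.0.0/28 route shown above, not the host's 10.0.0.1. Since the posted ruleset already accepts everything on lo (`-A interfaces -i lo -j ACCEPT`) and port 22 on every interface, a refused connection to 127.0.0.1 points at sshd not listening rather than at iptables. The `local_addrs` function is a constructed stand-in for the real interface list; on a live machine it would be fed by `ip -o -4 addr show`.

```shell
#!/bin/sh
# Added example: verify that each ListenAddress in an sshd_config names an
# address the host can actually bind. Sample data is constructed to mirror
# the thread: eth0 = 10.0.0.1/28, lo = 127.0.0.1, ListenAddress 10.0.0.0:22.

# Strip the optional port from a ListenAddress value.
# Accepts 10.0.0.0:22, 10.0.0.1, [::1]:22, 0.0.0.0, ::
listen_host() {
  case "$1" in
    \[*\]*) printf '%s\n' "$1" | sed 's/^\[\(.*\)].*$/\1/' ;;  # [v6]:port
    *.*:*)  printf '%s\n' "${1%:*}" ;;                          # v4:port
    *)      printf '%s\n' "$1" ;;                               # bare address
  esac
}

# Addresses assigned to local interfaces, one per line. Constructed sample;
# a real run would use:  ip -o -4 addr show | awk '{print $4}' | cut -d/ -f1
local_addrs() {
  printf '%s\n' 127.0.0.1 10.0.0.1
}

# Succeed if sshd could bind $1 given the newline-separated address list $2.
# The wildcards 0.0.0.0 and :: are always bindable.
is_bindable() {
  addr=$1; addrs=$2
  case "$addr" in 0.0.0.0|::) return 0 ;; esac
  printf '%s\n' "$addrs" | grep -qx "$addr"
}

# Read an sshd_config on stdin, print "ok <addr>" or "unbindable <addr>" for
# every ListenAddress directive, and return 1 if any of them is unbindable.
check_listen() {
  addrs=$1
  rc=0
  while read -r key val _; do
    [ "$key" = "ListenAddress" ] || continue
    host=$(listen_host "$val")
    if is_bindable "$host" "$addrs"; then
      echo "ok $host"
    else
      echo "unbindable $host"
      rc=1
    fi
  done
  return $rc
}

# Constructed sshd_config fragment matching the output quoted in the thread.
SAMPLE_CONFIG='Port 22
ListenAddress 10.0.0.0:22'

main() {
  printf '%s\n' "$SAMPLE_CONFIG" | check_listen "$(local_addrs)"
}

# Run stand-alone: prints "unbindable 10.0.0.0" and exits 1.
[ "${0##*/}" = "check_listen.sh" ] && main
```

Running it against the quoted config reports `unbindable 10.0.0.0`. The same diagnosis on the box itself comes from `ss -ltnp`, which shows the addresses sshd has bound; if 127.0.0.1:22 is not among them, no firewall rule can make `ssh 127.0.0.1` succeed.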
