Hey guys
I'm setting up a new machine which serves as a gateway for my private network. I have iptables set up and ip forwarding is working correctly. I can't seem to connect to this machine via ssh. This might be something I did incorrectly with my iptables rules, but I can't find the problem with them myself. Whether I try from inside or outside of my network, I get the error:
ladr0n@laptop> ssh -p xxxx ladr0n@192.168.0.1 ~
ssh_exchange_identification: Connection closed by remote host
Here are the uncommented lines of my /etc/ssh/sshd_config file:
Port xxxx
Protocol 2
PermitRootLogin no
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/ssh/sftp-server
And my iptables configuration:
# Generated by iptables-save v1.4.2 on Wed Dec 31 12:57:55 2008
*filter
:INPUT DROP [3:84]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4613:391641]
:fw-interfaces - [0:0]
:fw-open - [0:0]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j interfaces
-A INPUT -j open
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A fw-interfaces -i eth0 -j ACCEPT
-A interfaces -i lo -j ACCEPT
-A interfaces -i eth0 -j ACCEPT
-A open -p tcp -m tcp --dport 8674 -j ACCEPT
COMMIT
# Completed on Wed Dec 31 12:57:55 2008
# Generated by iptables-save v1.4.2 on Wed Dec 31 12:57:55 2008
*nat
:PREROUTING ACCEPT [15:1266]
:POSTROUTING ACCEPT [33:2311]
:OUTPUT ACCEPT [33:2311]
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT
Any help would be greatly appreciated. Thanks.
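As an added example (not the poster's own script, and not part of the original thread), the following walks the INPUT path of the iptables rules quoted above for a given packet. It matters for the diagnosis: `ssh_exchange_identification: Connection closed by remote host` is printed only after the TCP handshake has completed, so the packet filter has already let the SYN through; a REJECT with tcp-reset would show up as "Connection refused" and a DROP as a timeout. The walker assumes the masked sshd port "xxxx" is 8674, the only port opened in the `open` chain, and reads eth0 as the LAN side and eth1 as the uplink from the MASQUERADE rule. It models only the options these rules use (-p, -i, --dport, --state, -j and jumps into user-defined chains); the FORWARD rules and the three tcp-flags/fragment rules placed after the catch-all REJECTs are left out, since a TCP packet can never reach those.

```python
"""Walk the INPUT path of the quoted iptables rules for a given packet.
Added example, not the poster's script; models only -p, -i, --dport,
--state, -j and user-defined chain jumps."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Filter-table rules copied from the thread (INPUT path only). FORWARD rules
# and the tcp-flags/fragment rules that sit after the catch-all REJECTs are
# omitted: no TCP packet can reach them.
RULES = """\
:INPUT DROP [3:84]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j interfaces
-A INPUT -j open
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A interfaces -i lo -j ACCEPT
-A interfaces -i eth0 -j ACCEPT
-A open -p tcp -m tcp --dport 8674 -j ACCEPT
"""


@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: Optional[str] = None
    iface: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[set] = None
    text: str = ""


def parse_rules(text):
    """Return (policies, chains) from iptables-save text; '-' marks a user chain."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains[name] = []
        elif line.startswith("-A"):
            toks = shlex.split(line)
            rule = Rule(chain=toks[1], text=line)
            i = 2
            while i < len(toks):
                opt, arg = toks[i], toks[i + 1]
                if opt == "-p":
                    rule.proto = arg
                elif opt == "-i":
                    rule.iface = arg
                elif opt == "--dport":
                    rule.dport = int(arg)
                elif opt == "--state":
                    rule.states = set(arg.split(","))
                elif opt == "-j":
                    rule.target = arg
                elif opt in ("-m", "--reject-with"):
                    pass  # match-module loads and the reject type do not affect matching
                else:
                    raise ValueError(f"unsupported option {opt} in: {line}")
                i += 2
            chains[rule.chain].append(rule)
    return policies, chains


def matches(rule, pkt):
    return ((rule.proto is None or rule.proto == pkt["proto"])
            and (rule.iface is None or rule.iface == pkt["iface"])
            and (rule.dport is None or rule.dport == pkt.get("dport"))
            and (rule.states is None or pkt["state"] in rule.states))


def walk(policies, chains, pkt, chain="INPUT", trace=None):
    """Return (verdict, trace). Terminating targets end the walk; a user chain
    without a match returns None so the caller continues with its next rule."""
    trace = [] if trace is None else trace
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        trace.append(rule.text)
        if rule.target in chains:
            verdict, _ = walk(policies, chains, pkt, rule.target, trace)
            if verdict is not None:
                return verdict, trace
        else:
            return rule.target, trace
    policy = policies[chain]
    return (None if policy == "-" else policy), trace


def verdict_for(proto, iface, dport=None, state="NEW"):
    """Verdict for one packet against the quoted rules, e.g. a SYN to the sshd port."""
    policies, chains = parse_rules(RULES)
    pkt = {"proto": proto, "iface": iface, "dport": dport, "state": state}
    return walk(policies, chains, pkt)[0]


if __name__ == "__main__":
    for case in [("tcp", "eth0", 8674), ("tcp", "eth1", 8674), ("tcp", "eth1", 22)]:
        print(case, "->", verdict_for(*case))
```

Running it shows that a new TCP connection to port 8674 is ACCEPTed from both interfaces (on eth0 the `interfaces` chain accepts everything, on eth1 only the `open` chain's port gets through), while a new connection to any other TCP port on eth1 is REJECTed with a reset. So with these rules the sshd port is reachable and whatever closes the session is happening on the host after the handshake, which is exactly what a TCP-wrappers deny produces.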
Make sure something like sshd: ALL or whatever is in your /etc/hosts.allow
Last edited by theringmaster (2008-12-31 19:16:50)
Check me out on twitter!!! twitter.com/The_Ringmaster
Good call, ringmaster. I added the line 'sshd: ALL' to /etc/hosts.allow and it works now. Thank you!
Last edited by ladr0n (2008-12-31 20:22:25)
Oh, and sshd: ALL might be a security risk, but you can read the wiki page to be sure.
You're right, it is a slight risk. However, I need to be able to access this machine from anywhere, so I can't restrict sshd to a particular range of IP addresses. I've seen a way to set up sshd so that it will reject a certain IP address after so many failed login attempts. I'll probably use either that or port knocking eventually, but for now I at least have it set up and working properly. Thanks again.
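To make the hosts.allow discussion in the last three posts concrete, here is an added example (not from the thread or from the tcp_wrappers project) that evaluates the hosts_access(5) decision the way sshd's libwrap check does: an entry in hosts.allow grants access, otherwise an entry in hosts.deny refuses it, otherwise access is granted. The sample files are constructed; the thread does not show the poster's hosts.deny, but the usual default-deny file `ALL: ALL` reproduces the symptom (TCP connects, sshd closes the session before the banner), `sshd: ALL` is ringmaster's fix, and the narrower variants show what restricting to the LAN plus a known external address, or using EXCEPT, looks like. The client-pattern subset covers ALL, exact IPv4 addresses, trailing-dot prefixes, net/mask and net/prefixlen; IPv4 prefixlen notation is a convenience assumption, since classic tcp_wrappers documents it only for the dotted-mask form. One caveat a current reader needs: OpenSSH dropped libwrap support in 6.7, so on a modern sshd these files have no effect and the equivalent control lives in sshd_config (Match/AllowUsers) or the packet filter.

```python
"""Evaluate hosts.allow / hosts.deny the way hosts_access(5) describes it.
Added example, not the thread's or tcp_wrappers' code. IPv4 only; the
client-pattern subset is ALL, exact address, trailing-dot prefix,
net/mask and net/prefixlen (prefixlen for IPv4 is an assumption here)."""
import ipaddress

# Constructed sample files; the thread does not show the poster's own.
HOSTS_DENY_DEFAULT = "ALL: ALL\n"          # common default-deny hosts.deny
HOSTS_ALLOW_EMPTY = ""                      # nothing allowed: the symptom in the thread
HOSTS_ALLOW_ANY = "sshd: ALL\n"             # ringmaster's fix: sshd from anywhere
HOSTS_ALLOW_NARROW = """\
# LAN and loopback always, plus one known external address (RFC 5737 example)
sshd: 192.168.0. 127.0.0.1
sshd: 203.0.113.10
"""
HOSTS_ALLOW_EXCEPT = "sshd: 10.0.0.0/255.0.0.0 EXCEPT 10.0.5.0/24\n"


def _client_matches(pattern, ip):
    addr = ipaddress.IPv4Address(ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # leading octets, e.g. "192.168.0."
        return ip.startswith(pattern)
    if "/" in pattern:                              # net/mask or net/prefixlen
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    return ip == pattern                            # exact address


def _list_matches(items, match):
    """'a b EXCEPT c d' matches when some item left of EXCEPT matches
    and no item right of it does; EXCEPT nests to the right."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return _list_matches(items[:i], match) and not _list_matches(items[i + 1:], match)
    return any(match(item) for item in items)


def parse_access_file(text):
    """Return [(daemon_list, client_list)] ignoring comments, blanks and options."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        entries.append((daemons, clients))
    return entries


def _entry_matches(entry, daemon, ip):
    daemons, clients = entry
    return (_list_matches(daemons, lambda d: d in ("ALL", daemon))
            and _list_matches(clients, lambda c: _client_matches(c, ip)))


def access_allowed(hosts_allow, hosts_deny, daemon, ip):
    """hosts_access(5) order: allow file, then deny file, then default allow."""
    if any(_entry_matches(e, daemon, ip) for e in parse_access_file(hosts_allow)):
        return True
    if any(_entry_matches(e, daemon, ip) for e in parse_access_file(hosts_deny)):
        return False
    return True


if __name__ == "__main__":
    for name, allow in [("empty", HOSTS_ALLOW_EMPTY), ("sshd: ALL", HOSTS_ALLOW_ANY),
                        ("narrow", HOSTS_ALLOW_NARROW)]:
        for ip in ("192.168.0.5", "203.0.113.10", "198.51.100.7"):
            print(f"{name:10} {ip:15} ->", access_allowed(allow, HOSTS_DENY_DEFAULT, "sshd", ip))
```

With the empty allow file every sshd client is refused, which is what the poster saw from both inside and outside the network; `sshd: ALL` admits everyone, and the narrow file admits the LAN and one external address while still refusing the rest. Note that the deny file only matters when the allow file has no matching entry, so a single over-broad allow line silently overrides a strict hosts.deny.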