My setup:
Debian Testing (up to date) Kernel 2.6.24
My router has a firewall with the SSH port open. I run a FireStarter software firewall, which blocks SSH access, on my computer together with Knockd.
Knockd runs a script which adds or deletes an IPTables rule to allow SSH access. The knockd script part works inasmuch as it adds the required rule.
The problem is that the firewall on my computer still blocks SSH access. This is so that I can access my computer when away from home, and that's the only time I can test or try it; consequently it's all rather long-winded. SSH access is by key only and login is prohibited.
First I added a rule to allow SSH access using the FireStarter GUI interface then I had a look at an IPTables listing to see what it had generated. I used that rule in my knockd script. The next time I went away I found that it didn't work - I still couldn't get access.
The last rule I tried I had modified myself after reading the man pages and that didn't work either. So I'm now stumped.
This is my last effort:
iptables -A INPUT -p tcp --dport 22:22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 22:22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
I don't know whether the UDP rule is required but I thought it wouldn't do any harm.
If anyone can point out what I'm doing wrong I'd be most grateful.
On Thu, 28 Aug 2008, Barry Samuels wrote:
Knockd runs a script which adds or deletes an IPTables rule to allow SSH access. The knockd script part works inasmuch as it adds the required rule.
The problem is that the firewall on my computer still blocks SSH access. This is so that I can access my computer when away from home, and that's the only time I can test or try it; consequently it's all rather long-winded. SSH access is by key only and login is prohibited.
This is my last effort:
iptables -A INPUT -p tcp --dport 22:22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 22:22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
IPtables has a list of rules to use in deciding what to do with packets. When a packet arrives, it goes through the rules in the order they were added. As soon as it finds a rule that tells it what to do with the packet in question, it does that thing, and ignores the remainder of the list of rules. So, it could be that some rule that was added earlier is telling it to drop or reject the ssh packets, and it never gets to these last two rules that were added. You can obtain the full list of rules that apply at any given time with
iptables -L
On 28/08/08 22:13:38, Dan Hatton wrote:
On Thu, 28 Aug 2008, Barry Samuels wrote:
Knockd runs a script which adds or deletes an IPTables rule to allow SSH access. The knockd script part works inasmuch as it adds the required rule.
The problem is that the firewall on my computer still blocks SSH access. This is so that I can access my computer when away from home, and that's the only time I can test or try it; consequently it's all rather long-winded. SSH access is by key only and login is prohibited.
This is my last effort:
iptables -A INPUT -p tcp --dport 22:22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 22:22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
IPtables has a list of rules to use in deciding what to do with packets. When a packet arrives, it goes through the rules in the order they were added. As soon as it finds a rule that tells it what to do with the packet in question, it does that thing, and ignores the remainder of the list of rules. So, it could be that some rule that was added earlier is telling it to drop or reject the ssh packets, and it never gets to these last two rules that were added.
Thanks Dan.
I do know that BUT it's something I keep forgetting and I think that it may apply in this case. I've changed the -A to -I and put those two rules as numbers 1 & 2. Using one of these port probes available on the Internet I checked before and after and it does seem that the port is being opened.
I won't know the results for sure until I go away again. Here's hoping.
You can obtain the full list of rules that apply at any given time with
iptables -L
That's how I checked in the first place. :-))
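The first-match behaviour Dan describes, and the -A versus -I difference Barry settled on, are easy to get wrong when you can only test from away from home. The following is an added illustration, not code from either poster or from knockd: a small Python model of an INPUT chain that evaluates rules in order and stops at the first match, exactly as iptables does. The "FireStarter-like" chain is a constructed assumption (an explicit DROP for tcp/22 ahead of anything knockd adds); the two ACCEPT rules are the ones from the thread. It shows that appending them with -A leaves the SYN dropped by the earlier rule, inserting them at positions 1 and 2 with -I lets it through, and deleting them with -D closes the port again.

```python
"""Toy model of iptables first-match evaluation (constructed example).

Not Barry's knockd script and not Dan's code: it only demonstrates why a rule
appended with -A can sit behind an earlier DROP and never be reached, while the
same rule inserted with -I at position 1 is consulted first.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

Packet = Dict[str, object]   # only the fields these rules look at


@dataclass
class Rule:
    target: str                          # ACCEPT, DROP or REJECT
    proto: Optional[str] = None          # "tcp"/"udp"; None = any protocol
    dport: Optional[range] = None        # range(22, 23) models --dport 22:22
    states: Optional[Set[str]] = None    # -m state --state ...; None = any

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] not in self.dport:
            return False
        if self.states is not None and pkt["state"] not in self.states:
            return False
        return True


class Chain:
    """Ordered rule list plus default policy, like the INPUT chain."""

    def __init__(self, policy: str = "DROP"):
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:            # iptables -A INPUT ...
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I INPUT [pos] ...
        self.rules.insert(pos - 1, rule)             # iptables numbers rules from 1

    def delete(self, rule: Rule) -> None:            # iptables -D INPUT ...
        self.rules.remove(rule)

    def verdict(self, pkt: Packet) -> str:
        # First matching rule decides; everything after it is ignored.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy                           # no match: chain policy

    def listing(self) -> List[str]:
        # Rough analogue of `iptables -L INPUT --line-numbers`.
        return [f"{i} {r.target} {r.proto or 'all'} "
                f"dpt:{r.dport.start if r.dport else 'any'}"
                for i, r in enumerate(self.rules, start=1)]


SSH_STATES = {"NEW", "RELATED", "ESTABLISHED"}


def knock_rules() -> List[Rule]:
    """The two ACCEPT rules from the thread (tcp and udp --dport 22:22)."""
    return [Rule("ACCEPT", "tcp", range(22, 23), SSH_STATES),
            Rule("ACCEPT", "udp", range(22, 23), SSH_STATES)]


def firestarter_like_chain() -> Chain:
    """Constructed stand-in for the desktop firewall's INPUT chain.
    Assumption: SSH is blocked by an explicit DROP rule, not only by policy."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}))
    chain.append(Rule("DROP", "tcp", range(22, 23)))   # shadows anything -A adds
    return chain


def inbound_ssh_syn() -> Packet:
    return {"proto": "tcp", "dport": 22, "state": "NEW"}


def open_with_append(chain: Chain) -> str:
    for r in knock_rules():
        chain.append(r)                  # -A: lands after the DROP
    return chain.verdict(inbound_ssh_syn())


def open_with_insert(chain: Chain) -> str:
    for pos, r in enumerate(knock_rules(), start=1):
        chain.insert(r, pos)             # -I 1 / -I 2: checked before the DROP
    return chain.verdict(inbound_ssh_syn())


def close_again(chain: Chain) -> str:
    for r in knock_rules():
        chain.delete(r)                  # -D: what the knockd close command does
    return chain.verdict(inbound_ssh_syn())


if __name__ == "__main__":
    print("-A:", open_with_append(firestarter_like_chain()))   # DROP
    c = firestarter_like_chain()
    print("-I:", open_with_insert(c))                          # ACCEPT
    print("\n".join(c.listing()))
    print("after -D:", close_again(c))                         # DROP
```

Note that the same -A rules do open the port on a chain whose only block is the default DROP policy (`open_with_append(Chain("DROP"))` returns ACCEPT), which is why checking `iptables -L INPUT --line-numbers` for an explicit DROP or REJECT ahead of the new rules is the first thing to look at.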