RE: iptables rule for sshd
Nothing there as well. I have also configured the sshd_config file so that sshd binds to *.22 local port when I see it with netstat. The foreign host in netstat is *.*, in case someone among you wonders. The crazy machine lets me in when I do ssh from it to itself, but has taken an oath not to work when someone is trying to connect from another machine. First I gave it a global IP and we tried to get in through the internet. Never worked. Then I gave it a local IP of my network, and it's still not working..

Nabil.

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED]] On Behalf Of Andreas Janssen
Sent: Wednesday, August 04, 2004 3:26 PM
To: [EMAIL PROTECTED]
Subject: RE: iptables rule for sshd

Hello

[EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:

> It's not the firewall. It's the ssh configuration, I think. When I connect using PuTTY on Windows, its log says connection reset by peer. Something's there with the damn ssh configuration. When I use SSH Secure Shell from www.ssh.com, it says Connection closed by remote host. Note: This all happened while there is no firewall running, i.e. (/etc/init.d/iptables clear).

Check /etc/hosts.deny and /etc/hosts.allow.

best regards
Andreas Janssen

--
Andreas Janssen [EMAIL PROTECTED]
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps.html

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

DISCLAIMER: This e-mail & its content have been sent to the attention of the receiver named above. If you are not the intended recipient (or have received this e-mail in error), please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Kuwait Turkish Evkaf Finance House shall not be held liable for the arrival of this e-mail & its content as modified or late, the protection of integrity and secrecy, and shall not be liable to any person who acts or omits to do anything in reliance upon it.
RE: iptables rule for sshd
It's not the firewall. It's the ssh configuration, I think.

When I connect using PuTTY on Windows, its log says "connection reset by peer". Something's there with the damn ssh configuration. When I use SSH Secure Shell from www.ssh.com, it says "Connection closed by remote host".

Note: This all happened while there is no firewall running, i.e. (/etc/init.d/iptables clear).

Should I give up on Linux? It's so frustrating..

Nabil.

-----Original Message-----
From: Didar Hussain [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 03, 2004 12:52 PM
To: Nabil MALIK / KTEFH - OTAS
Subject: Re: iptables rule for sshd

On Tue, Aug 03, 2004 at 10:14:28AM +0300, [EMAIL PROTECTED] wrote:
> Didar,
>
> Well, I don't have any rule for the OUTPUT chain and its policy is ACCEPT by default. There is nothing in NAT as well. However, I am quite sure that the problem is not with my firewall rules, as when I completely turn it off (/etc/init.d/iptables stop), the ssh client connecting from the internet still behaves the same. It appears that it is able to establish the connection, but is then disconnected by the server. Either it's the ssh security configuration, or some other Debian configuration that does this. Please advise as I am stuck with this issue for the last two days.

Could you repeat the whole process after doing a:

    /etc/init.d/iptables clear

Also, try connecting to the server with the -v flag to ssh like:

    ssh -v -l user_to_connect_as server/IP-address

The -v (verbose) will let you know what is happening.

Didar

--
BOFH excuse #312:
incompatible bit-registration operators
Random signature generated by Signify v1.07
http://www.debian.org/
RE: iptables rule for sshd
Hello

[EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:

> It's not the firewall. It's the ssh configuration, I think. When I connect using PuTTY on Windows, its log says connection reset by peer. Something's there with the damn ssh configuration. When I use SSH Secure Shell from www.ssh.com, it says Connection closed by remote host. Note: This all happened while there is no firewall running, i.e. (/etc/init.d/iptables clear).

Check /etc/hosts.deny and /etc/hosts.allow.

best regards
Andreas Janssen

--
Andreas Janssen [EMAIL PROTECTED]
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps.html
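Andreas's pointer fits the symptom better than anything else in the thread: sshd on Debian of that era was linked against libwrap, so /etc/hosts.allow and /etc/hosts.deny are evaluated after the TCP handshake (the ACCEPT rule's packet counter still goes up) but before any SSH banner is sent, which is what a client reports as "Connection closed by remote host" and what `ssh -v` shows as a connection that is established and then closed during identification exchange. The POSIX sh script below is an added example, not code from anyone in the thread: it re-implements the libwrap decision (hosts.allow first, then hosts.deny, otherwise allow) on constructed copies of the two files, so the outcome for a given client can be predicted without touching the live files. Only `ALL`, exact IPv4 addresses and dotted network prefixes such as `192.168.1.` are modelled; hostnames, netmasks, `EXCEPT` and shell commands are not. File paths, daemon name and client addresses are parameters and the sample contents are made up for the demo.

```shell
#!/bin/sh
# Added example: simplified TCP-wrappers (libwrap) decision for one daemon
# and one client address. Assumed subset of the hosts_access(5) syntax:
#   daemon_list : client_list      (lists are comma separated)
#   daemons: ALL or an exact name; clients: ALL, exact IPv4, or "a.b.c." prefix

# _line_matches DAEMON CLIENT RULE -> 0 if RULE covers DAEMON and CLIENT
_line_matches() {
    daemon=$1 client=$2 rule=$3
    daemons=$(printf '%s' "$rule" | cut -d: -f1)
    clients=$(printf '%s' "$rule" | cut -d: -f2)
    dhit=1; chit=1
    for d in $(printf '%s' "$daemons" | tr ',' ' '); do
        [ "$d" = ALL ] || [ "$d" = "$daemon" ] && dhit=0
    done
    for c in $(printf '%s' "$clients" | tr ',' ' '); do
        case "$c" in
            ALL) chit=0 ;;
            *.)  case "$client" in "$c"*) chit=0 ;; esac ;;   # network prefix
            *)   [ "$c" = "$client" ] && chit=0 ;;             # exact address
        esac
    done
    [ $dhit -eq 0 ] && [ $chit -eq 0 ]
}

# _file_matches FILE DAEMON CLIENT -> 0 if any non-comment rule in FILE matches
_file_matches() {
    file=$1
    [ -r "$file" ] || return 1          # missing file: nothing matches
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        case "$line" in *:*) ;; *) continue ;; esac
        _line_matches "$2" "$3" "$line" && return 0
    done < "$file"
    return 1
}

# wrappers_decide ALLOWFILE DENYFILE DAEMON CLIENT -> prints allow|deny
# Order is libwrap's: a hosts.allow match wins, then hosts.deny, else allow.
wrappers_decide() {
    if _file_matches "$1" "$3" "$4"; then echo allow
    elif _file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed demo files (not anyone's real configuration): sshd is allowed
# from one LAN prefix and everything else is denied for every daemon.
demo() {
    dir=$(mktemp -d)
    printf 'sshd: 192.168.1.\n' > "$dir/hosts.allow"
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
    for ip in 192.168.1.20 203.0.113.7 127.0.0.1; do
        printf 'sshd from %-14s -> %s\n' "$ip" \
            "$(wrappers_decide "$dir/hosts.allow" "$dir/hosts.deny" sshd "$ip")"
    done
    rm -rf "$dir"
}
demo
```

Run against the real files as `wrappers_decide /etc/hosts.allow /etc/hosts.deny sshd <client-ip>` to see which line is biting; a denied client can also be confirmed in the server's auth log, where libwrap records a refused connection for the client address. Note that OpenSSH dropped libwrap support in 6.7, so on current systems the files no longer affect sshd at all and this check only applies to old builds or to services still started through tcpd.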
RE: iptables rule for sshd
Didar,

Well, I don't have any rule for the OUTPUT chain and its policy is ACCEPT by default. There is nothing in NAT as well. However, I am quite sure that the problem is not with my firewall rules, as when I completely turn it off (/etc/init.d/iptables stop), the ssh client connecting from the internet still behaves the same. It appears that it is able to establish the connection, but is then disconnected by the server. Either it's the ssh security configuration, or some other Debian configuration that does this. Please advise as I am stuck with this issue for the last two days.

Regards,
Nabil.

-----Original Message-----
From: Didar Hussain [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 02, 2004 7:34 PM
To: [EMAIL PROTECTED]
Subject: Re: iptables rule for sshd

On Mon, Aug 02, 2004 at 09:10:39AM +0300, [EMAIL PROTECTED] wrote:
> Dah.. :-) thanks for the help. You guys are life savers.
> So now I am able to ssh from the local machine. Thanks to all you folks.

You are welcome :)

> However, when I try to connect from the Internet using ssh, it just disconnects me. Why is that? When I try to connect, I even see that the packet count for the ssh rule in the INPUT chain gets an increase of four packets. Are there other things I need to look into like hosts.allow and stuff? I can ping the machine from the internet because I have a firewall rule for icmp-type echo-reply. Any ideas why it doesn't like ssh connections, even after having the ssh ACCEPT rule?

I hope you have a corresponding entry for ssh in your OUTPUT chain as well. You could send your configuration by doing:

    iptables -L -nv > Filter.txt
    iptables -L -nv -t nat > Nat.txt

And then just attach the Filter.txt and Nat.txt files.

> Also, since I am new, I am having lots of problems in guessing what packets are coming in and what rules need to be added. Is there a GOOD way to analyze the packets traversing through my interfaces? I know that I can add the -j LOG rule, but that is too hard to read, or perhaps is there a better way to analyze these logs?

Well I use tethereal or tcpdump. Also you might try the evil ettercap.

Take care,
Didar
RE: iptables rule for sshd
Dah.. :-) thanks for the help. You guys are life savers.

Also, after adding this it didn't work either. Then I realized that since I was trying to ssh from the same machine, I need another rule for the INPUT chain to ACCEPT everything from the lo interface. Even though I use

    ssh -l loginName IP

it still uses the lo 127.0.0.1 for connecting to sshd.

So now I am able to ssh from the local machine. Thanks to all you folks.

However, when I try to connect from the Internet using ssh, it just disconnects me. Why is that? When I try to connect, I even see that the packet count for the ssh rule in the INPUT chain gets an increase of four packets. Are there other things I need to look into like hosts.allow and stuff? I can ping the machine from the internet because I have a firewall rule for icmp-type echo-reply. Any ideas why it doesn't like ssh connections, even after having the ssh ACCEPT rule?

Also, since I am new, I am having lots of problems in guessing what packets are coming in and what rules need to be added. Is there a GOOD way to analyze the packets traversing through my interfaces? I know that I can add the -j LOG rule, but that is too hard to read, or perhaps is there a better way to analyze these logs?

Thanks in advance.

Regards,
Nabil.

-----Original Message-----
From: Didar Hussain [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 01, 2004 8:54 PM
To: [EMAIL PROTECTED]
Subject: Re: iptables rule for sshd

On Sun, Aug 01, 2004 at 08:29:52PM +0300, [EMAIL PROTECTED] wrote:
> Iptables -A INPUT -p tcp -sport ssh -j ACCEPT

Try:

    iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Didar
Re: iptables rule for sshd
On Mon, Aug 02, 2004 at 09:10:39AM +0300, [EMAIL PROTECTED] wrote:
> Dah.. :-) thanks for the help. You guys are life savers.
> So now I am able to ssh from the local machine. Thanks to all you folks.

You are welcome :)

> However, when I try to connect from the Internet using ssh, it just disconnects me. Why is that? When I try to connect, I even see that the packet count for the ssh rule in the INPUT chain gets an increase of four packets. Are there other things I need to look into like hosts.allow and stuff? I can ping the machine from the internet because I have a firewall rule for icmp-type echo-reply. Any ideas why it doesn't like ssh connections, even after having the ssh ACCEPT rule?

I hope you have a corresponding entry for ssh in your OUTPUT chain as well. You could send your configuration by doing:

    iptables -L -nv > Filter.txt
    iptables -L -nv -t nat > Nat.txt

And then just attach the Filter.txt and Nat.txt files.

> Also, since I am new, I am having lots of problems in guessing what packets are coming in and what rules need to be added. Is there a GOOD way to analyze the packets traversing through my interfaces? I know that I can add the -j LOG rule, but that is too hard to read, or perhaps is there a better way to analyze these logs?

Well I use tethereal or tcpdump. Also you might try the evil ettercap.

Take care,
Didar

--
BOFH excuse #45:
virus attack, luser responsible
Random signature generated by Signify v1.07
http://www.debian.org/
iptables rule for sshd
I am running sshd on my Debian machine with iptables. I want it to accept ssh connections from outside. I added this rule and it doesn't work.

    Iptables -A INPUT -p tcp -sport ssh -j ACCEPT

Why do you think it's not able to match this rule? When I turn off the firewall, I am able to ssh to it from itself. But when I turn on the firewall, it doesn't work.

Any ideas?

Regards,
Nabil.
Re: iptables rule for sshd
On Sun, Aug 01, 2004 at 08:29:52PM +0300, [EMAIL PROTECTED] wrote:
> Iptables -A INPUT -p tcp -sport ssh -j ACCEPT

Try:

    iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Didar

--
BOFH excuse #299:
The data on your hard drive is out of balance.
Random signature generated by Signify v1.07
http://www.debian.org/
Re: iptables rule for sshd
On Sunday 1 August 2004 19:29, [EMAIL PROTECTED] wrote:
> I am running sshd on my Debian machine with iptables. I want it to accept ssh connections from outside. I added this rule and it doesn't work.
>
> Iptables -A INPUT -p tcp -sport ssh -j ACCEPT

try -dport instead of -sport.

Regards.
Re: iptables rule for sshd
[EMAIL PROTECTED] wrote:

> Iptables -A INPUT -p tcp -sport ssh -j ACCEPT

try

    iptables -A INPUT -i eth0 -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

cheers,
Sam

--
Free High School Science Texts
http://www.nongnu.org/fhsst/
Sam's Homepages
http://fommil.homeunix.org/~samuel/
http://www.ma.hw.ac.uk/~samuel/
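Putting the thread's corrections together (Didar's `--dport`, Sam's stateful `NEW` match, and Nabil's discovery that even `ssh <own-IP>` travels over lo), the script below is an added example and not the code of anyone in the thread. It builds the minimal INPUT ruleset a host needs to expose sshd and nothing else: `sshd_rules` emits one rule per line, and `apply_rules` feeds each line to `$IPTABLES`, which defaults to `echo iptables` so that the script is a dry run unless root sets `IPTABLES=iptables`. The interface name (`eth0`) and port (`22`) are assumed defaults and both are parameters. The comments explain why the original `--sport ssh` rule could never match an incoming client connection.

```shell
#!/bin/sh
# Added example: minimal iptables INPUT policy for a host running sshd.
# Dry run by default; set IPTABLES=iptables (as root) to load the rules.

# sshd_rules PORT IFACE -> prints iptables argument lists, one rule per line
sshd_rules() {
    port=${1:-22}
    iface=${2:-eth0}

    # 1. Loopback first. A local "ssh -l user <own-IP>" is routed over lo,
    #    so without this rule the box cannot ssh to itself once anything
    #    below drops traffic.
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"

    # 2. Packets belonging to connections already accepted (either
    #    direction). This is what makes an OUTPUT policy of ACCEPT enough:
    #    no extra OUTPUT rule for ssh is required.
    printf '%s\n' "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 3. New inbound ssh. The match is on the DESTINATION port: a client's
    #    SYN arrives from an ephemeral source port (1024-65535) to port 22.
    #    "--sport ssh" would only match packets *sent from* port 22, i.e.
    #    replies coming back from some other ssh server, never a client.
    printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -m state --state NEW -j ACCEPT"

    # 4. Log what falls through (rate limited so a scan cannot fill the log),
    #    then drop. The prefix makes the lines easy to grep in syslog.
    printf '%s\n' "-A INPUT -m limit --limit 5/min -j LOG --log-prefix INPUT-DROP:"
    printf '%s\n' "-A INPUT -j DROP"
}

# apply_rules PORT IFACE -> runs each rule through $IPTABLES
apply_rules() {
    ipt=${IPTABLES:-echo iptables}
    sshd_rules "$1" "$2" | while IFS= read -r rule; do
        # $ipt and $rule are intentionally unquoted: word splitting turns
        # the rule line back into separate arguments.
        $ipt $rule
    done
}

# rule_count PORT IFACE -> number of rules emitted (sanity check)
rule_count() { sshd_rules "$1" "$2" | wc -l | tr -d ' '; }

apply_rules 22 eth0
```

After loading the rules, `iptables -L INPUT -nv` shows a per-rule packet counter, the column Nabil was watching: with this ruleset a successful inbound connection adds one packet (the SYN) to rule 3 and the rest to rule 2. Counters rising on the ACCEPT rules while the client is still disconnected mean the firewall is passing the connection and the close is coming from sshd or its wrappers, which is where the thread's later advice (`ssh -v`, hosts.allow/hosts.deny) applies. Dropped packets appear in syslog with the `INPUT-DROP:` prefix, which is easier to scan than an unprefixed `-j LOG` rule.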