SSH and Firewalls?

Craig White plug-discuss@lists.plug.phoenix.az.us
12 Jun 2002 06:27:50 -0700


On Tue, 2002-06-11 at 07:07, Steve Holmes wrote:
> Question about running ssh over a masqueraded network:
> 
> I have a linux box that serves as the "point" machine for my network
> on which I forward ports with ipchains (2.2 kernel) to inside
> machines which each run sshd.  My outside machine currently is not
> running ssh yet.  If the default policy on my input chain is ACCEPT, I
> can successfully forward non standard ports through to specific
> machines and establish ssh sessions on them with no problems.  If I
> default the input chain to DENY, as is done in endoshield script, the
> connections time out and I cannot connect.  In both cases, I forward
> the same ports.
> 
> Bottom line, If I use endoshield and add on the ipfwadm commands to
> forward the ports mentioned above, connections time out; If I do not
> use endoshield but use a simpler script that basically leaves the
> input chain wide open, I can establish the ssh sessions - no problem.
----
been a while since I used ipchains and not seeing your script, what I
think is happening is that the input chains are considered before your
forward chains and thus if your policy is to DENY, then the packets are
denied before they ever hit the 'forward' chains.

Why not specifically allow the specific ports/ip addresses on input
rules and let the forward handle where they are going? The same
considerations would probably have to be given to 'output' rules.

Lastly and perhaps most importantly - add the logging rule so you can
inspect your logs to see which rule is specifically blocking your
attempts.

Craig
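The chain ordering Craig describes, as an added illustration that is not part of the original thread and not Craig's or Steve's code: a toy Python model of the ipchains (2.2) traversal for a port-forwarded connection, input chain first, then the port-forward rewrite (modelled here as a simple destination rewrite after the input chain, which is an assumption that simplifies the real ipmasqadm portfw path), then the forward and output chains. The addresses and the 2222 -> 22 mapping are constructed sample values. It shows that with a DENY input policy and no matching input rule, the packet never reaches the forward chain, and that a trailing `-l`-style logging rule records exactly which chain dropped it.

```python
"""Toy model of ipchains (2.2 kernel) chain traversal for a port-forwarded
connection: input chain -> port-forward rewrite -> forward chain -> output.
Constructed illustration only; the kernel's real code path is more involved."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    target: Optional[str]          # "ACCEPT", "DENY", or None (match only: count/log, keep going)
    proto: Optional[str] = None    # like -p
    dst: Optional[str] = None      # like -d <address>
    dport: Optional[int] = None    # like -d <address> <port>
    log: bool = False              # like -l

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Chain:
    name: str
    policy: str                     # verdict when no rule with a target matches
    rules: list = field(default_factory=list)


class Firewall:
    def __init__(self, input_policy: str, forward_policy: str, output_policy: str):
        self.chains = {"input": Chain("input", input_policy),
                       "forward": Chain("forward", forward_policy),
                       "output": Chain("output", output_policy)}
        self.portfw: dict = {}   # (ext_ip, ext_port) -> (inside_ip, inside_port), like ipmasqadm portfw
        self.log: list = []      # what the -l flag would send to the kernel log

    def add(self, chain: str, rule: Rule) -> None:
        self.chains[chain].rules.append(rule)

    def run_chain(self, chain: Chain, pkt: Packet) -> str:
        """First matching rule with a target decides; otherwise the chain policy."""
        for i, rule in enumerate(chain.rules, 1):
            if not rule.matches(pkt):
                continue
            if rule.log:
                self.log.append(f"{chain.name} rule {i} {rule.target or 'LOG'} "
                                f"{pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
            if rule.target is not None:
                return rule.target
        return chain.policy

    def deliver(self, pkt: Packet) -> str:
        """Walk an inbound packet destined for a port-forwarded inside host."""
        verdict = self.run_chain(self.chains["input"], pkt)
        if verdict != "ACCEPT":
            return f"{verdict} in input"          # forward chain never consulted
        if (pkt.dst, pkt.dport) in self.portfw:   # assumed rewrite point (simplification)
            pkt.dst, pkt.dport = self.portfw[(pkt.dst, pkt.dport)]
        for name in ("forward", "output"):
            verdict = self.run_chain(self.chains[name], pkt)
            if verdict != "ACCEPT":
                return f"{verdict} in {name}"
        return "ACCEPT"


EXT_IP, INSIDE_IP, FWD_PORT = "192.0.2.1", "10.0.0.5", 2222   # constructed sample values


def build_firewall(input_policy: str, allow_forwarded_port: bool) -> Firewall:
    """input_policy "ACCEPT" mimics the wide-open script, "DENY" the endoshield-style one;
    allow_forwarded_port adds the specific input ACCEPT rule Craig suggests."""
    fw = Firewall(input_policy, "DENY", "ACCEPT")
    fw.portfw[(EXT_IP, FWD_PORT)] = (INSIDE_IP, 22)
    if allow_forwarded_port:
        fw.add("input", Rule("ACCEPT", proto="tcp", dst=EXT_IP, dport=FWD_PORT))
    fw.add("input", Rule(None, log=True))    # trailing catch-all with -l: log whatever falls to policy
    fw.add("forward", Rule("ACCEPT", proto="tcp", dst=INSIDE_IP, dport=22))
    return fw


def ssh_attempt(fw: Firewall) -> str:
    """One inbound ssh connection from a constructed outside address to the forwarded port."""
    return fw.deliver(Packet("tcp", "203.0.113.7", EXT_IP, FWD_PORT))


if __name__ == "__main__":
    for policy, allow in (("ACCEPT", False), ("DENY", False), ("DENY", True)):
        fw = build_firewall(policy, allow)
        print(f"input policy {policy}, explicit input rule {allow}: {ssh_attempt(fw)}; log={fw.log}")
```

Running it reproduces the three situations in the thread: a wide-open input chain lets the forwarded packet through, a DENY input policy drops it in the input chain before any forward rule is seen (and the trailing logging rule names the chain that did it), and the DENY policy plus one explicit input ACCEPT for the forwarded port on the outside address restores the connection without opening the input chain generally.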