Linux Users' Group of Davis (LUGOD)
Page last updated:
2003 Mar 10 16:20

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.
Re: [vox-tech] SSH On Home Network
Jim Angstadt said:
> --- ME <dugan@passwall.com> wrote:
>> Jim Angstadt said:
>> [likely need works with filters]
>> > Could you give me a starting point for this,
>> please.
>>
>> Mike Simmons has asked for the output from two
>> commands in a response to
>> this. This should help you along this path.
>>
>> In addition to his request, could you also pass the
>> contents of the files:
>> /etc/hosts.allow
>
> sshd:  ALL
> [I added this earlier, following directions in a Linux
> Journal tech support article.  No apparent effect.]

This can be an issue if tcpwrappers support was included in your RH8 box.
It still looks like iptables is to blame.

Looking at the output from the iptables, I don't see a rule permitting
packets with a SYN flag set to port 22 for ssh.

(Background: this is taken from examination of the "flags" section, and
having an understanding of a tcp packet and the flags
http://mike.passwall.com/networking/tcppacket.html )

Pulling from other mail:
----
    0     0 ACCEPT     tcp  --  *      *
 0.0.0.0/0            0.0.0.0/0          tcp dpt:22
 flags:0x16/0x02
----

Could you try this:
# iptables -t filter -I INPUT 1 -p tcp -s 192.168.0.0/24 -d 192.168.0.3 \
 --destination-port 22 -j ACCEPT

(If the line should wrap, the "\" at the end of the first line should permit
you to paste it into a shell and then just press return.)

Then try to ssh to the box from one of the others. (This is just a test,
not a permanent fix. It inserts a rule at the top of the list to allow all
IP from your private net 192.168.0.[0-255] to connect with tcp to that
machine's port 22.)

If you can ssh to the box, then we can proceed from here and try to make
the "fix" a permanent one.

If you cannot, then it would be a good idea to remove that rule we just
inserted:
# iptables -t filter -D INPUT 1

When you ssh from the other box to this one, please give it some time to
connect. Often ssh is configured to perform rDNS for each incoming
connection. When this is the case, and your ssh server is behind a private
network, it may take some time for the rDNS to fail before the ssh is
permitted to pass through.


>> /etc/hosts.deny
>
> empty.

OK.

-ME

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
t@-(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
  Campus IT(/OS Security): Operating Systems Support Specialist Assistant

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
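The reasoning in the post above (read the "flags:0x16/0x02" column of an `iptables -L INPUT -v -n` listing, decide whether a SYN packet to port 22 from the private net would be accepted, and see what inserting a test rule at position 1 changes) can be worked through offline. The following is an added example, not code from the post or from the list; it parses a constructed listing in the same column format as the one pulled from the other mail, decodes the mask/compare flag pair the way `--tcp-flags` is written, and applies iptables' first-match semantics. The extra DROP rule in front of the dpt:22 rule is constructed for illustration, as are the addresses; nothing here touches the kernel.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# TCP header flag bits, as used in the mask/compare pair iptables prints
# (e.g. "flags:0x16/0x02" is "--tcp-flags SYN,RST,ACK SYN", i.e. "--syn").
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Constructed sample listing (assumption, not the poster's real output):
# the page's "dpt:22 flags:0x16/0x02" ACCEPT rule, preceded by a rule that
# drops every new TCP connection, as many firewall scripts do by default.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   15   900 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x16/0x02
   40  2400 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
"""


@dataclass
class Rule:
    target: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    flag_mask: int = 0      # mask 0 means the rule does not look at flags
    flag_comp: int = 0


def make_rule(target, proto, src, dst, dport=None):
    """Build a Rule from strings, e.g. make_rule("ACCEPT", "tcp",
    "192.168.0.0/24", "192.168.0.3", 22) for the test rule in the post."""
    return Rule(target, proto, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), dport)


def flag_names(bits: int) -> str:
    return ",".join(n for n, b in TCP_FLAG_BITS.items() if bits & b) or "NONE"


def decode_flags(mask: int, comp: int) -> str:
    """Render a mask/compare pair the way --tcp-flags would be written."""
    return f"{flag_names(mask)} {flag_names(comp)}"


def parse_listing(text: str):
    """Parse `iptables -L <chain> -v -n` output into (policy, [Rule])."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        m = re.match(r"Chain \S+ \(policy (\w+)", line)
        if m:
            policy = m.group(1)
            continue
        cols = line.split(None, 9)      # 9 fixed columns + match options
        if len(cols) < 9 or cols[0] == "pkts":
            continue
        _, _, target, proto, _, _, _, src, dst = cols[:9]
        extra = cols[9] if len(cols) > 9 else ""
        rule = make_rule(target, proto, src, dst)
        m = re.search(r"dpt:(\d+)", extra)
        if m:
            rule.dport = int(m.group(1))
        m = re.search(r"flags:0x([0-9A-Fa-f]+)/0x([0-9A-Fa-f]+)", extra)
        if m:
            rule.flag_mask = int(m.group(1), 16)
            rule.flag_comp = int(m.group(2), 16)
        rules.append(rule)
    return policy, rules


def rule_matches(rule: Rule, proto, src, dst, dport, flags) -> bool:
    if rule.proto not in ("all", proto):
        return False
    if (ipaddress.ip_address(src) not in rule.src
            or ipaddress.ip_address(dst) not in rule.dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    # iptables --tcp-flags semantics: (packet_flags & mask) == compare
    return (flags & rule.flag_mask) == rule.flag_comp


def verdict(policy, rules, proto, src, dst, dport, flags):
    """First-match walk of the chain; returns (rule number or None, target).
    None means the packet fell through to the chain policy."""
    for i, rule in enumerate(rules, start=1):
        if rule_matches(rule, proto, src, dst, dport, flags):
            return i, rule.target
    return None, policy


def with_rule_inserted(rules, position, rule):
    """Model `iptables -I INPUT <position> ...` on the parsed chain."""
    new = list(rules)
    new.insert(position - 1, rule)
    return new


if __name__ == "__main__":
    policy, rules = parse_listing(SAMPLE_LISTING)
    for i, r in enumerate(rules, 1):
        print(i, r.target, r.proto, r.src, "->", r.dst, r.dport,
              decode_flags(r.flag_mask, r.flag_comp))
    syn = TCP_FLAG_BITS["SYN"]
    print("before:", verdict(policy, rules, "tcp", "192.168.0.5",
                             "192.168.0.3", 22, syn))
    test = make_rule("ACCEPT", "tcp", "192.168.0.0/24", "192.168.0.3", 22)
    print("after -I INPUT 1:", verdict(policy, with_rule_inserted(rules, 1, test),
                                       "tcp", "192.168.0.5", "192.168.0.3", 22, syn))
```

Run against the constructed listing, the SYN to port 22 from the LAN hits the leading DROP rule before it ever reaches the ACCEPT for dpt:22, which is exactly the situation a test rule inserted at position 1 (and later removed with `-D INPUT 1`) is meant to expose; a SYN from outside 192.168.0.0/24 is still dropped after the insert, because the test rule is scoped to the private net.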