Re: [leaf-user] SSH question

2003-02-18 Thread John Mullan
Thanks Tom.  Setting my buddy's sshd to listen on 0.0.0.0 did the trick.  I
never noticed that it was set to the internal IP.

John
===
Work:   http://www.olgclotteries.com
[EMAIL PROTECTED]
888-345-7568 ext. 2205

Personal:   http://www.mullan.ca
[EMAIL PROTECTED]
MSN:[EMAIL PROTECTED]
===




   
 
John Mullan wrote:
 Yes, they are intentional.  I want to keep the FTP server on port 1021.  If
 anyone comes in from outside without specifying port 1021, they will still
 get to my FTP server.  That leaves me the future opportunity to have
 another FTP server on 21 but only accessible from internal.

 At least, that is the way I figure it.

Your first rule actually insists that the CLIENT port be 1021 -- rather
odd requirement.


 I will attempt the Telnet idea later.  Work doesn't open very many ports.
 I don't even get port 80 access from this workstation :(


Also be sure that your sshd is listening on 0.0.0.0 and/or on the
external IP address of your firewall.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA  \ [EMAIL PROTECTED]



---
This SF.NET email is sponsored by: FREE  SSL Guide from Thawte
are you planning your Web Server Security? Click here to get a FREE
Thawte SSL guide and find the answers to all your  SSL security issues.
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html











[leaf-user] SSH question

2003-02-14 Thread John Mullan
Hello folks

A little preamble:  When setting up my buddy's LEAF box, I made an exact
copy of my LEAF setup, changing PPPoE user/password, some host names, and
that was pretty much it.  Everything works exactly like mine.

Well, almost everything.  While I can login to my LEAF box (over the
internet) with SSH (TeraTermPro), I cannot with his.  I keep getting
connection refused.

I can do it within the internal net no problem (again, same as mine).

What should I look for?  Could there be something with the possibility of
identical keys, having copied my installation?  I'm not familiar with how
that part may or may not affect the situation.

Sample of Shorewall RULES file follows:

#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw  net tcp 53
ACCEPT fw  net udp 53

#
# Accept SSH connections from the local and internet network for administration
#
ACCEPT loc fw  tcp 22
ACCEPT net fw  tcp 22

#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
#
ACCEPT loc fw  udp 53

#
# Allow all access to weblet
#
REDIRECT loc 8080 tcp 80 - 192.168.1.254
ACCEPT loc fw tcp 8080

# Custom rules:
#  allow various services for internal servers
#
DNAT net loc:192.168.1.254 tcp 8080
DNAT net loc:192.168.1.128 tcp 80
DNAT net loc:192.168.1.128 tcp 21 1021
DNAT net loc:192.168.1.128 tcp 1021
DNAT net loc:192.168.1.128 tcp 25
DNAT net loc:192.168.1.128 tcp 110
DNAT net loc:192.168.1.128 tcp 1080
DNAT net loc:192.168.1.128 tcp 5631
DNAT net loc:192.168.1.128 tcp 5632
DNAT net loc:192.168.1.128 udp 5631
DNAT net loc:192.168.1.128 udp 5632
DNAT net loc:192.168.1.128 tcp 
DNAT net loc:192.168.1.128 tcp 9925
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


===
Work:   http://www.olgclotteries.com
[EMAIL PROTECTED]
888-345-7568 ext. 2205

Personal:   http://www.mullan.ca
[EMAIL PROTECTED]
MSN:[EMAIL PROTECTED]
===








AW: [leaf-user] SSH question

2003-02-14 Thread Alex Rhomberg
 A little pre-amble:  When setting up my buddies LEAF box, I made an exact
 copy of my LEAF setup, changing PPPoE user/password, some host names, and
 that was pretty much it.  Everything works exactly like mine.

 Well, almost everything.  While I can login to my LEAF box (over the
 internet) with SSH (TeraTermPro), I cannot with his.  I keep getting
 connection refused.

Try opening a telnet connection to the ssh daemon
telnet x.x.x.x 22
If it answers with SSH-2.0-OpenSSH_3.5p1 or something similar, then the
problem is with the SSH daemon configuration or the password, because you
know that you have a running sshd and a firewall that allows connections to
it.

 What should I look for?  Could there be something with the possibility of
 identical keys having copied my installation?

There should be no problem with using identical keys though it is clearly
not recommended.

 DNAT net loc:192.168.1.128 tcp 21 1021
 DNAT net loc:192.168.1.128 tcp 1021

Are these two 1021 intentional?

Regards
Alex
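The telnet test Alex suggests, done in code as an added example (not from the thread): it reads the SSH identification line and separates "a daemon answered" from "connection refused", which is what you see when sshd is bound only to the internal address, as Tom later points out. The loopback listener, the banner string and the port choices are constructed here so the example runs offline.

```python
import socket
import threading


def ssh_probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect and read the SSH identification line, like 'telnet host 22'.
    banner  - a daemon answered, so network and firewall are fine
    refused - nothing listens at that address/port (or a REJECT rule hit),
              e.g. sshd bound only to the internal IP of the firewall
    timeout - packets are silently dropped somewhere on the path
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            line = b""
            while not line.endswith(b"\n") and len(line) < 255:
                chunk = sock.recv(1)
                if not chunk:
                    break
                line += chunk
    except ConnectionRefusedError:
        return {"state": "refused"}
    except socket.timeout:
        return {"state": "timeout"}
    text = line.decode("ascii", "replace").strip()
    if not text.startswith("SSH-"):
        return {"state": "not-ssh", "banner": text}
    protoversion, _, rest = text[4:].partition("-")
    return {"state": "banner", "protoversion": protoversion,
            "software": rest.split(" ", 1)[0]}


def fake_sshd(banner: bytes = b"SSH-2.0-OpenSSH_3.5p1\r\n"):
    """Constructed stand-in for sshd: listen on loopback, send one banner
    line to the first client, then close.  Returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def closed_port():
    """Pick a loopback port with no listener, to reproduce 'connection refused'."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    addr = tmp.getsockname()
    tmp.close()
    return addr


if __name__ == "__main__":
    print(ssh_probe(*fake_sshd()))    # state: banner, software OpenSSH_3.5p1
    print(ssh_probe(*closed_port()))  # state: refused
```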






Re: [leaf-user] SSH question

2003-02-14 Thread John Mullan

Yes, they are intentional.  I want to keep the FTP server on port 1021.  If
anyone comes in from outside without specifying port 1021, they will still
get to my FTP server.  That leaves me the future opportunity to have
another FTP server on 21 but only accessible from internal.

At least, that is the way I figure it.

I will attempt the Telnet idea later.  Work doesn't open very many ports.
I don't even get port 80 access from this workstation :(

===
Work:   http://www.olgclotteries.com
[EMAIL PROTECTED]
888-345-7568 ext. 2205

Personal:   http://www.mullan.ca
[EMAIL PROTECTED]
MSN:[EMAIL PROTECTED]
===



   


 A little pre-amble:  When setting up my buddies LEAF box, I made an exact
 copy of my LEAF setup, changing PPPoE user/password, some host names, and
 that was pretty much it.  Everything works exactly like mine.

 Well, almost everything.  While I can login to my LEAF box (over the
 internet) with SSH (TeraTermPro), I cannot with his.  I keep getting
 connection refused.

Try opening a telnet connection to the ssh daemon
telnet x.x.x.x 22
If it answers with SSH-2.0-OpenSSH_3.5p1 or something similar, then the
problem is with the SSH daemon configuration or the password, because you
know that you have a running sshd and a firewall that allows connections
to it.

 What should I look for?  Could there be something with the possibility of
 identical keys having copied my installation?

There should be no problem with using identical keys though it is clearly
not recommended.

 DNAT net loc:192.168.1.128 tcp 21 1021
 DNAT net loc:192.168.1.128 tcp 1021

Are these two 1021 intentional?

Regards
Alex











Re: [leaf-user] SSH question

2003-02-14 Thread Tom Eastep
John Mullan wrote:

Yes, they are intentional.  I want to keep the FTP server on port 1021.  If
anyone comes in from outside without specifying port 1021, they will still
get to my FTP server.  That leaves me the future opportunity to have
another FTP server on 21 but only accessible from internal.

At least, that is the way I figure it.


Your first rule actually insists that the CLIENT port be 1021 -- rather 
odd requirement.


I will attempt the Telnet idea later.  Work doesn't open very many ports.
I don't even get port 80 access from this workstation :(



Also be sure that your sshd is listening on 0.0.0.0 and/or on the
external IP address of your firewall.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA  \ [EMAIL PROTECTED]





Re: [leaf-user] SSH question

2003-02-14 Thread John Mullan

Thanks Tom, I will double check the listening address.  It may have gotten
changed somehow.

I'm not sure about your reference to 'odd requirement'.  Do you mean
choosing port 1021?

My only intention is, that if external clients make an FTP request using
default port of 21 that they get routed to 1021 on the appropriate machine.
Saves me explaining to friends to use 1021.  Would it be more appropriate
to use a REDIRECT instead of DNAT??

John
===
Work:   http://www.olgclotteries.com
[EMAIL PROTECTED]
888-345-7568 ext. 2205

Personal:   http://www.mullan.ca
[EMAIL PROTECTED]
MSN:[EMAIL PROTECTED]
===



   
 
John Mullan wrote:
 Yes, they are intentional.  I want to keep the FTP server on port 1021.  If
 anyone comes in from outside without specifying port 1021, they will still
 get to my FTP server.  That leaves me the future opportunity to have
 another FTP server on 21 but only accessible from internal.

 At least, that is the way I figure it.

Your first rule actually insists that the CLIENT port be 1021 -- rather
odd requirement.


 I will attempt the Telnet idea later.  Work doesn't open very many ports.
 I don't even get port 80 access from this workstation :(


Also be sure that your sshd is listening on 0.0.0.0 and/or on the
external IP address of your firewall.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA  \ [EMAIL PROTECTED]






Re: [leaf-user] SSH question

2003-02-14 Thread Tom Eastep
John Mullan wrote:

Thanks Tom, I will double check the listening address.  It may have gotten
changed somehow.

I'm not sure about your reference to 'odd requirement'.  Do you mean
choosing port 1021?

My only intention is, that if external clients make an FTP request using
default port of 21 that they get routed to 1021 on the appropriate machine.
Saves me explaining to friends to use 1021.  Would it be more appropriate
to use a REDIRECT instead of DNAT??

John
===
Work:   http://www.olgclotteries.com
[EMAIL PROTECTED]
888-345-7568 ext. 2205

Personal:   http://www.mullan.ca
[EMAIL PROTECTED]
MSN:[EMAIL PROTECTED]
===




John Mullan wrote:

Yes, they are intentional.  I want to keep the FTP server on port 1021.  If
anyone comes in from outside without specifying port 1021, they will still
get to my FTP server.  That leaves me the future opportunity to have
another FTP server on 21 but only accessible from internal.

At least, that is the way I figure it.




This is the rule that you posted:

DNAT net loc:192.168.1.128 tcp 21 1021

That rule says to DNAT tcp connection requests from the net to 
192.168.1.128 if the destination port is 21 AND THE SOURCE PORT IS 1021.

If you wanted to accept either 21 or 1021 then the rule would have been:

DNAT net loc:192.168.1.128 tcp 21,1021

And of course you must tell ip_conntrack_ftp and ip_nat_ftp to consider 
1021 to be an ftp port.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA  \ [EMAIL PROTECTED]
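An added example, not from the thread or from Shorewall itself, that parses the rules-file columns Tom is describing and shows why the posted "tcp 21 1021" line matches only clients whose SOURCE port is 1021 while "tcp 21,1021" matches either destination port from any source port. The column order (ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST) is taken from the Shorewall 1.x rules layout used in the thread, and the ephemeral client port 51234 is a constructed value.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Shorewall 1.x rules-file columns, in order (trailing columns may be omitted).
COLUMNS = ("action", "source", "dest", "proto", "dports", "sports", "origdest")


def _ports(spec: Optional[str]) -> Optional[Set[int]]:
    """'-' or an absent column means any port; 'a,b' means a OR b;
    'lo:hi' is an inclusive range."""
    if spec in (None, "-"):
        return None
    ports: Set[int] = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dports: Optional[Set[int]]   # None = any destination port
    sports: Optional[Set[int]]   # None = any source port
    origdest: Optional[str]

    def matches(self, proto: str, dport: int, sport: int) -> bool:
        """Protocol, destination port and source port are ANDed, as iptables does."""
        return (self.proto == proto
                and (self.dports is None or dport in self.dports)
                and (self.sports is None or sport in self.sports))


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rules-file line; comments and blank lines yield None."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 4:
        return None
    col = dict(zip(COLUMNS, fields))
    return Rule(col["action"], col["source"], col["dest"], col["proto"],
                _ports(col.get("dports")), _ports(col.get("sports")),
                None if col.get("origdest") in (None, "-") else col["origdest"])


# The rule from the thread, and the one Tom says was meant.
POSTED = parse_rule("DNAT net loc:192.168.1.128 tcp 21 1021")    # dport 21 AND sport 1021
INTENDED = parse_rule("DNAT net loc:192.168.1.128 tcp 21,1021")  # dport 21 OR 1021, any sport

if __name__ == "__main__":
    # A real FTP client connects from an ephemeral source port (51234, constructed).
    for name, rule in (("posted", POSTED), ("intended", INTENDED)):
        print(name, "dport 21:", rule.matches("tcp", 21, 51234),
              "dport 1021:", rule.matches("tcp", 1021, 51234))
```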





Re: [leaf-user] SSH question

2003-02-14 Thread Ray Olszewski
At 07:44 AM 2/14/03 -0500, John Mullan wrote:

Hello folks

A little pre-amble:  When setting up my buddies LEAF box, I made an exact
copy of my LEAF setup, changing PPPoE user/password, some host names, and
that was pretty much it.  Everything works exactly like mine.

Well, almost everything.  While I can login to my LEAF box (over the
internet) with SSH (TeraTermPro), I cannot with his.  I keep getting
connection refused.

I can do it within the internal net no problem (again, same as mine).

What should I look for?  Could there be something with the possibility of
identical keys having copied my installation?  I'm not familiar with how
that part may or may no affect the situation.

[details deleted]

Your guess about keys seems implausible. The fact that you can connect from 
the LAN side indicates that sshd (or inetd) is listening on port 22. And 
the bare connection refused message almost always means a failure before 
ssh authentication (I say almost because I haven't used TT in years, and 
it may be different from the Linux ssh client and PuTTY in how it reports 
authentication failures).

How are you determining the IP address to connect to? Since this problem is 
taking place in a setting of dynamic addressing (PPPoE), are you certain 
you are connecting to the right IP address?

The Shorewall rules you list look OK to me (and more important, Tom seems 
to think the relevant ones are OK). But the way to be sure is to run 
shorewall status *after* a connection failure to see if the packets are 
arriving and what rule is blocking them. Also check the logs for any 
messages from sshd after a failure (might there be a reverse-lookup 
problem? wild guess here).

Do you and your friend use the same ISP? I've never actually heard of an 
ISP who blocks ssh connections, but I no longer dismiss the possibility of 
ANY ISP action on the grounds that it is stupid or inconvenient for customers.

A final long shot ... where are you connecting *from*? Are you connecting 
to both your and your friend's router from the same location? If so, could 
there be anything about the source end that makes the two connections look 
different (I ask only because you mentioned in a followup that at work you 
have a restrictive firewall in place)? If not, could there be some 
difference of consequence between the two locations you try to connect from?


--
---Never tell me the odds!
Ray Olszewski	-- Han Solo
Palo Alto, California, USA			  [EMAIL PROTECTED]
---


