Iptables does not give access to SSH from the WAN? Why?



galmiche
28-09-2005, 12:15
Hello everyone,

I followed macsat's tutorial by:
- installing ipkg
- creating my /opt disk
- installing the SSH server, and my dropbear works

Now, while everything is fine from the LAN (SSH access OK), I cannot connect from the outside world (WAN)!!!
Yet I did create the post-firewall given by macsat.
I also have a few forwards in the OLEG graphical menu, but nothing on port 22 or 23 created through the graphical menu. The SSH port is supposed to be defined in the post-firewall given at the end of this message.

What is going on? Does anyone have any help for me, please?

Thanks
Hervé

Here is the post-firewall file and the table I get at reboot:

login as: admin
admin@192.168.0.1's password:
[admin@Wl500gx root]$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere limit: avg 1/sec burst 5 icmp echo-request
ACCEPT udp -- anywhere 192.168.0.10 udp dpt:2165
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:2905
ACCEPT udp -- anywhere 192.168.0.10 udp dpt:2905
ACCEPT tcp -- anywhere 192.168.0.20 tcp dpt:5800
ACCEPT udp -- anywhere 192.168.0.20 udp dpt:5800
ACCEPT tcp -- anywhere 192.168.0.20 tcp dpt:5900
ACCEPT udp -- anywhere 192.168.0.20 udp dpt:5900
ACCEPT tcp -- anywhere 192.168.0.20 tcp dpt:3210
ACCEPT udp -- anywhere 192.168.0.20 udp dpt:3210
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:webcache
ACCEPT udp -- anywhere 192.168.0.10 udp dpt:webcache
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:4662
ACCEPT udp -- anywhere 192.168.0.10 udp dpt:4672
ACCEPT tcp -- anywhere 192.168.0.10 tcp dpt:6881
ACCEPT udp -- anywhere 192.168.0.10 udp dpt:6881
ACCEPT all -- anywhere 192.168.0.150

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain MACS (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP'
DROP all -- anywhere anywhere


[admin@Wl500gx root]$ cat /usr/local/sbin/post-firewall
#!/bin/sh
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i -p tcp --dport 22 -j DNAT --to-destination :22
iptables -A INPUT -j DROP
[admin@Wl500gx root]$

Jethro
28-09-2005, 14:09
Hello everyone,

This is an English forum, so please restate your question in English.

Jethro
28-09-2005, 14:17
In English, galmiche wrote:
Hi there,

I followed the tutorial of macsat in:
- installing ipkg
-creating my /opt disc
-installing the SSH server and my dropbear works

Now, although everything goes well on the LAN (SSH access is OK), I cannot connect from WAN!!! Nevertheless I have created the post-firewall given by macsat. I have also set forwarding rules in the graphical menu of the OLEG firmware but nothing happens on port 22 and 23. The SSH port is defined by the given post-firewall at the end of this message.

What is happening here? Could anyone help me please?

Thanks
Hervé

Here is the post-firewall file & the table I got at reboot:

{check the original message}

mao44
29-09-2005, 13:28
Hi,

if your SSH installation is correct, you may just need this in the post-firewall:

#!/bin/sh
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP



and this in post-boot:
dropbear
/usr/sbin/smbd -D
/usr/sbin/nmbd -D

Bye,
a French guy!
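Added example, not from the thread and not part of the OLEG firmware or macsat's tutorial: a small POSIX shell/awk check over an `iptables -L INPUT` listing that reports whether a new TCP connection to a named service would hit an ACCEPT before the chain's catch-all DROP. Rules are evaluated top to bottom and the first match wins, which is the whole reason the post-firewall scripts above delete the trailing DROP, append the ACCEPT and then re-append the DROP. The two listings inside are constructed samples: `CHAIN_OK` is trimmed from the table in the first post, `CHAIN_BAD` shows the ordering the delete/append dance is there to avoid.

```shell
#!/bin/sh
# Added example (not from the thread): check rule order in an INPUT chain listing.
# iptables matches rules top to bottom; the first matching rule decides.

# Constructed sample, trimmed from the INPUT chain posted in the thread:
# the ACCEPT for ssh sits before the catch-all DROP.
CHAIN_OK='Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere'

# Constructed sample of the mistake the post-firewall script avoids:
# the ACCEPT was appended after the catch-all DROP, so it is never reached.
CHAIN_BAD='Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh'

# chain_verdict LISTING SERVICE
# Prints "open" if a new TCP connection to SERVICE (service name as printed by
# iptables -L, e.g. ssh) hits an ACCEPT first, "blocked" if it hits an
# unconditional DROP first, and "policy" if no rule matches (the chain policy
# shown in the header then decides).
chain_verdict() {
  printf '%s\n' "$1" | awk -v svc="$2" '
    $1 == "Chain" || $1 == "target" { next }   # skip the listing header
    found { next }                             # first matching rule already seen
    # ACCEPT for exactly this service: last column is dpt:<svc>
    $1 == "ACCEPT" && $2 == "tcp" && $NF == ("dpt:" svc) { verdict = "open"; found = 1; next }
    # ACCEPT for every protocol, either with no match clause (5 columns) or "state NEW"
    $1 == "ACCEPT" && $2 == "all" && (NF == 5 || ($6 == "state" && $7 == "NEW")) { verdict = "open"; found = 1; next }
    # Catch-all DROP: nothing after the destination column
    $1 == "DROP" && NF == 5 { verdict = "blocked"; found = 1; next }
    END { print (verdict == "" ? "policy" : verdict) }
  '
}

# Stand-alone run: prints "open" for the first sample and "blocked" for the second.
chain_verdict "$CHAIN_OK" ssh
chain_verdict "$CHAIN_BAD" ssh
```

On a router you would feed it the live chain, e.g. `chain_verdict "$(iptables -L INPUT)" ssh`. One caveat: plain `iptables -L` hides interface matches, so a rule printed as `ACCEPT all -- anywhere anywhere state NEW` may in fact be restricted to the LAN bridge and say nothing about the WAN side; `iptables -L -v -n` adds the in/out interface columns (and changes the column layout this parser expects), which is what you need to see whether port 22 is actually exposed on the WAN interface.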