Join Log in
Score:0
Sergio Ivanuzzo avatar Server

Iptables: allow ssh only through vpn not work

us flag
Sergio Ivanuzzo

I need to allow ssh only through VPN (openvpn) using iptables. All services (ssh, vpn) are located on same machine. My current rules for vpn and ssh:

# set default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# flush rules
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

# allow localhost
iptables -A INPUT -i $LO -j ACCEPT
iptables -A OUTPUT -o $LO -j ACCEPT

# security
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP -m comment --comment "first tcp segment require SYN bit"

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP -m comment --comment "drop XMAS packets"

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP -m comment --comment "drop NULL packets"

iptables -A INPUT -p icmp --icmp-type address-mask-request -j DROP -m comment --comment "drop ICMP smurf attacks"
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -p icmp -m limit --limit 2/second -j ACCEPT

iptables -A INPUT -m conntrack --ctstate INVALID -j DROP -m comment --comment "drop mangled (invalid) packets"
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP    

# allow VPN traffic
iptables -A INPUT -i $WAN -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport $PORT_OPENVPN -j ACCEPT
iptables -A OUTPUT -o $WAN -p tcp -m conntrack --ctstate ESTABLISHED --sport $PORT_OPENVPN -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $WAN -j MASQUERADE

iptables -A FORWARD -s 10.8.0.0/24 -o $WAN -j ACCEPT
iptables -A FORWARD -i $TUN -o $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $WAN -o $TUN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# allow SSH
iptables -t nat -I POSTROUTING -p tcp -m tcp --sport $PORT_SSH -o $TUN -j MASQUERADE
iptables -A FORWARD -i $TUN -o $WAN -p tcp --dport $PORT_SSH -j ACCEPT
iptables -A FORWARD -i $WAN -o $TUN -p tcp --sport $PORT_SSH -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport $PORT_SSH -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport $PORT_SSH -j ACCEPT

but for now ssh not work neither via vpn, nor without it. What am I doing wrong ?

UPDATE The output of ssh -vv:

OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Reading configuration data .ssh/config
debug2: resolve_canonicalize: hostname <VPS IP ADDRESS HERE> is address
debug2: ssh_connect_direct
debug1: Connecting to <VPS IP ADDRESS HERE> [<VPS IP ADDRESS HERE>] port 22.
debug1: Connection established.
debug1: identity file .ssh/id_rsa type -1
debug1: identity file .ssh/id_rsa-cert type -1
debug1: identity file .ssh/id_dsa type -1
debug1: identity file .ssh/id_dsa-cert type -1
debug1: identity file .ssh/id_ecdsa type -1
debug1: identity file .ssh/id_ecdsa-cert type -1
debug1: identity file .ssh/id_ed25519 type -1
debug1: identity file .ssh/id_ed25519-cert type -1
debug1: identity file .ssh/id_xmss type -1
debug1: identity file .ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.5
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.5 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to <VPS IP ADDRESS HERE>:22 as '<LOGIN HERE>'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected],ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:qUdNYwEs+cvEVkMKTz4RNOObOBsIByhRaehiNvybIi4
debug1: Host '<VPS IP ADDRESS HERE>' is known and matches the ECDSA host key.
debug1: Found key in .ssh/known_hosts:3
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: .ssh/id_rsa
debug1: Will attempt key: .ssh/id_dsa
debug1: Will attempt key: .ssh/id_ecdsa
debug1: Will attempt key: .ssh/id_ed25519
debug1: Will attempt key: .ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: .ssh/id_rsa
debug1: Trying private key: .ssh/id_dsa
debug1: Trying private key: .ssh/id_ecdsa
debug1: Trying private key: .ssh/id_ed25519
debug1: Trying private key: .ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

debug1: read_passphrase: can't open /dev/tty: No such file or directory
<LOGIN HERE>@<VPS IP ADDRESS HERE>'s password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to <VPS IP ADDRESS HERE> ([<VPS IP ADDRESS HERE>]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: ENABLE_VIRTUAL_TERMINAL_INPUT is supported. Reading the VTSequence from console
debug1: ENABLE_VIRTUAL_TERMINAL_PROCESSING is supported. Console supports the ansi parsing
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
120
0 + 0
ssh
Ginnungagap avatar
gu flag
Ginnungagap
There are absolutely no DROP/REJECT rules, are we to understand that all chains default to it or is it broken simply by adding NAT rules ?
0
Reply
Sergio Ivanuzzo avatar
us flag
Sergio Ivanuzzo
@Ginnungagap thanks for comment. I added full part of iptables config to my question. Please let me know if I can add additional info.
0
Reply
Ginnungagap avatar
gu flag
Ginnungagap
Can you post the output of the SSH connection attempt with `ssh -vv`? As it is firewall rules look OK to me.
0
Reply
Sergio Ivanuzzo avatar
us flag
Sergio Ivanuzzo
@Ginnungagap I connect to my VPS via Putty (win10) and connect to VPN via openvpn client (win10). Could you tell, how can I get needed output in this case ?
0
Reply
Ginnungagap avatar
gu flag
Ginnungagap
Sorry I can't, maybe someone more versed in the microsoft universe can help...
0
Reply
Sergio Ivanuzzo avatar
us flag
Sergio Ivanuzzo
@Ginnungagap sorry, seems like cmd (win10) allow to process the command you posted. I added output in question above. Could you please look ?
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.