Hi,
I have a rather strange problem. I want to connect via SSH from outside networks (aka the internet). My configuration:
sme 6.01-01
fritzcard pci isdn card
masq-contrib installed
I allow remote access from 0.0.0.0/0.0.0.0 and "Allow administrative command line access over secure shell" is enabled. But all attempts to connect from the internet are denied by the firewall:
Jan 27 11:26:46 srv001 kernel: denylog:IN=ippp0 OUT= MAC= SRC=217.85.236.91 DST=212.144.2.184 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=3004 DF PROTO=TCP SPT=2339 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
I have another server running which connects to the net over DSL and is reachable from the outside, so I suspect the ISDN line is the problem.
It looks like the problem lies in here (but where is this "gre-in" rule built?):
Chain gre-in (1 references)
target prot opt source destination
denylog all -- anywhere !dialin-212-144-002-184.arcor-ip.net
denylog all -- anywhere anywhere
Here is the whole iptables -L output.
Chain INPUT (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
InboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
InboundTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
InboundUDP udp -- anywhere anywhere
denylog udp -- anywhere anywhere
gre-in gre -- anywhere anywhere
denylog gre -- anywhere anywhere
denylog all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ForwardDenyLocals all -- anywhere anywhere
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
ForwardedTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ForwardedUDP udp -- anywhere anywhere
denylog all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
OutboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain ForwardDenyLocals (1 references)
target prot opt source destination
Chain ForwardedTCP (1 references)
target prot opt source destination
ForwardedTCP_8955 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
Chain ForwardedTCP_8955 (1 references)
target prot opt source destination
Chain ForwardedUDP (1 references)
target prot opt source destination
ForwardedUDP_8955 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain ForwardedUDP_8955 (1 references)
target prot opt source destination
Chain InboundICMP (1 references)
target prot opt source destination
InboundICMP_8955 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain InboundICMP_8955 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain InboundTCP (1 references)
target prot opt source destination
InboundTCP_8955 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
Chain InboundTCP_8955 (1 references)
target prot opt source destination
denylog all -- anywhere !dialin-212-144-002-184.arcor-ip.net
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
denylog tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
denylog tcp -- anywhere anywhere tcp dpt:ldap
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
denylog tcp -- anywhere anywhere tcp dpt:1723
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
denylog tcp -- anywhere anywhere tcp dpt:telnet
Chain InboundUDP (1 references)
target prot opt source destination
InboundUDP_8955 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain InboundUDP_8955 (1 references)
target prot opt source destination
denylog all -- anywhere !dialin-212-144-002-184.arcor-ip.net
Chain OutboundICMP (1 references)
target prot opt source destination
OutboundICMP_8955 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain OutboundICMP_8955 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain PPPconn (2 references)
target prot opt source destination
PPPconn_1 all -- anywhere anywhere
Chain PPPconn_1 (1 references)
target prot opt source destination
Chain denylog (23 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
LOG all -- anywhere anywhere LOG level warning prefix `denylog:'
DROP all -- anywhere anywhere
Chain gre-in (1 references)
target prot opt source destination
denylog all -- anywhere !dialin-212-144-002-184.arcor-ip.net
denylog all -- anywhere anywhere
Chain local_chk (2 references)
target prot opt source destination
local_chk_8955 all -- anywhere anywhere
Chain local_chk_8955 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
Chain state_chk (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Ideas, anyone?
PAT
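As an added example (not code from the post or from SME Server), a small Python parser for the netfilter LOG entries shown above. Because `iptables -L` without `-n` reverse-resolves addresses, the `!dialin-212-144-002-184.arcor-ip.net` rule at the top of InboundTCP_8955 holds whatever address the interface had when the rules were built, and any packet whose DST differs is sent to denylog before the `dpt:ssh` ACCEPT is reached; the script counts denied SSH SYNs per interface and destination address and tags whether each DST still matches that rule address. The sample log lines are constructed (the first is the entry quoted in the post) and the rule address 212.144.2.184 is taken from the reverse name in the listing.

```python
import re
from collections import Counter

# Netfilter LOG entries are "key=value" pairs after the log prefix.
# Some values are empty ("OUT=", "MAC="), so the value group may be empty.
KV_RE = re.compile(r"(\w+)=(\S*)")
# Bare flag words (SYN, ACK, DF ...) carry no "=", so SYN is detected separately.
SYN_RE = re.compile(r"\sSYN(?:\s|$)")

# Constructed sample log; line 1 is the entry quoted in the post.
SAMPLE_LOG = """\
Jan 27 11:26:46 srv001 kernel: denylog:IN=ippp0 OUT= MAC= SRC=217.85.236.91 DST=212.144.2.184 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=3004 DF PROTO=TCP SPT=2339 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 27 11:27:02 srv001 kernel: denylog:IN=ippp0 OUT= MAC= SRC=217.85.236.91 DST=212.144.2.184 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=3005 DF PROTO=TCP SPT=2340 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 27 11:30:11 srv001 kernel: denylog:IN=ippp0 OUT= MAC= SRC=10.9.8.7 DST=212.144.2.184 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=UDP SPT=137 DPT=137 LEN=40
Jan 27 11:31:45 srv001 kernel: denylog:IN=ippp0 OUT= MAC= SRC=217.85.236.91 DST=212.144.3.9 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=3099 DF PROTO=TCP SPT=2401 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""


def parse_denylog(line, prefix="denylog:"):
    """Return the key=value fields of one LOG entry, or None if the line is not one."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields = dict(KV_RE.findall(line[idx + len(prefix):]))
    fields["SYN"] = SYN_RE.search(line) is not None
    return fields


def denied_ssh_by_dst(log_text, rule_addr, port="22"):
    """Count denied SSH SYNs per (IN interface, DST address, tag).

    rule_addr is the address baked into the '!dialin-...' rule; a DST that
    differs from it is dropped by that rule before the ssh ACCEPT is reached.
    """
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denylog(line)
        if not f or f.get("PROTO") != "TCP" or f.get("DPT") != port or not f["SYN"]:
            continue
        tag = "matches-rule-addr" if f.get("DST") == rule_addr else "differs-from-rule-addr"
        counts[(f.get("IN", ""), f.get("DST", ""), tag)] += 1
    return counts


if __name__ == "__main__":
    for (iface, dst, tag), n in sorted(denied_ssh_by_dst(SAMPLE_LOG, "212.144.2.184").items()):
        print(f"{iface:6} DST={dst:15} {tag:22} denied SYNs: {n}")
```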