* Iptables & Remote SSH Sorrows
From: tamato @ 2003-04-10 18:24 UTC
To: netfilter
I have configured iptables to allow ssh connections. However, no one is able
to connect unless I add their IP address to the /etc/hosts file. Since my
remote users are on dynamic IPs - their address changes each time they log in
to their internet accounts.
Is there a way to configure iptables or another system file that would allow
ssh connections from any IP?
My setup:
OS......: Linux Kernel: 2.4.18
Distro..: RedHat 8.0 (2.4.18-27.8.0)
Iptables: 1.2.6a-2
[remote users]---->(internet)<----[linux box]
Iptables SSH command (loaded from /etc/init.d/iptables script):
iptables -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
Any insight or help would be much appreciated.
Thanks.
-tom-
* Re: Iptables & Remote SSH Sorrows
From: Kelly Setzer @ 2003-04-10 18:38 UTC
To: tamato; +Cc: netfilter
On Thu, Apr 10, 2003 at 06:24:33PM +0000, tamato@attbi.com wrote:
> I have configured iptables to allow ssh connections. However, no one is able
> to connect unless I add their IP address to the /etc/hosts file. Since my
> remote users are on dynamic IPs - their address changes each time they log in
> to their internet accounts.
>
> Is there a way to configure iptables or another system file that would allow
> ssh connections from any IP?
>
In your sshd config file (/etc/sshd/sshd_config on debian), check the
following option. If it's set to yes, change it to no.
VerifyReverseMapping
Specifies whether sshd should try to verify the remote host name
and check that the resolved host name for the remote IP address
maps back to the very same IP address. The default is "no".
Also, check /etc/hosts.allow.
You should have:
sshd: ALL
Whereas, you probably have something like:
ALL: PARANOID
Kelly
--
Kelly Setzer, System Administrator/Architect - Placemark Investments
14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
kelly.setzer@placemark.com http://www.placemark.com
(972)404-8100x41 (work) (214) 287-3464 (cell)
* RE: Iptables & Remote SSH Sorrows
From: Daniel Chemko @ 2003-04-10 20:01 UTC
To: tamato, netfilter
By chance, do you have a * in hosts.deny?
This is not an iptables problem. IMO, you are denying everything and
only including what you have in hosts.allow, since it runs before
hosts.deny. That would allude to your hosts.deny being restrictive which
is fine, but it means that you can't easily allow dynamic connections.
Maybe you can check the pattern matches in "man hosts.allow" to see what
can be done to limit the number of entries you need to add to the list.
-----Original Message-----
From: tamato@attbi.com [mailto:tamato@attbi.com]
Sent: Thursday, April 10, 2003 11:25 AM
To: netfilter@lists.netfilter.org
Subject: Iptables & Remote SSH Sorrows
I have configured iptables to allow ssh connections. However, no one is able
to connect unless I add their IP address to the /etc/hosts file. Since my
remote users are on dynamic IPs - their address changes each time they log in
to their internet accounts.
Is there a way to configure iptables or another system file that would allow
ssh connections from any IP?
My setup:
OS......: Linux Kernel: 2.4.18
Distro..: RedHat 8.0 (2.4.18-27.8.0)
Iptables: 1.2.6a-2
[remote users]---->(internet)<----[linux box]
Iptables SSH command (loaded from /etc/init.d/iptables script):
iptables -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
Any insight or help would be much appreciated.
Thanks.
-tom-
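Both replies point away from the iptables rule (`-s 0/0` already admits any source address) and at TCP wrappers, which sshd on Red Hat 8.0 consults through libwrap before the connection reaches authentication. The script below is an added example written for this page, not code from the thread or from the tcp_wrappers package. It models the documented hosts_access(5) lookup order (first match in /etc/hosts.allow grants, then first match in /etc/hosts.deny denies, otherwise allow) and the IPv4 part of the pattern language (ALL, KNOWN, UNKNOWN, PARANOID, LOCAL, EXCEPT, name suffix, address prefix, net/mask, and the `*`/`?` wildcards found in Red Hat's build). The rule files, host names and addresses (RFC 5737 documentation ranges) are constructed; the `Client` record stands in for what libwrap learns from reverse and forward DNS, and the treatment of KNOWN and of name patterns for a PARANOID peer is this model's simplification.

```python
"""Simplified model of TCP-wrappers access control (hosts_access(5)).

Added example for this page, not code from the thread or from tcp_wrappers.
IPv4 only; `daemon@host` server-endpoint patterns are reduced to the daemon.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Client:
    """What libwrap learns about the peer before it consults the tables."""
    addr: str                                  # peer address from the socket
    name: Optional[str] = None                 # PTR name, None if lookup failed
    forward_addrs: Tuple[str, ...] = ()        # what the PTR name resolves to

    @property
    def unknown(self) -> bool:
        return self.name is None

    @property
    def paranoid(self) -> bool:
        # PARANOID: a reverse name exists but does not map back to the address
        return self.name is not None and self.addr not in self.forward_addrs


def parse_rules(text: str) -> List[Tuple[List[str], List[str]]]:
    """Parse `daemon_list : client_list [: option]` lines.

    Comments and blank lines are skipped; list members may be separated by
    commas or blanks. Anything after the second colon (shell commands,
    ALLOW/DENY extensions) is ignored by this model.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed access rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def match_list(tokens: List[str], pred: Callable[[str], bool]) -> bool:
    """Match a list, honouring `list_1 EXCEPT list_2` (nests to the right)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], pred) and not match_list(tokens[i + 1:], pred)
    return any(pred(tok) for tok in tokens)


def match_daemon(pattern: str, daemon: str) -> bool:
    """ALL or the server process name; `sshd@host` is reduced to `sshd`."""
    pattern = pattern.split("@", 1)[0]
    return pattern == "ALL" or pattern == daemon


def match_client(pattern: str, c: Client) -> bool:
    """One client pattern against one peer, following hosts_access(5)."""
    # Model choice: a PARANOID peer's name is not trusted, so name-based
    # patterns (LOCAL, .suffix, wildcards, exact names) never match it.
    name = None if c.paranoid else c.name
    if pattern == "ALL":
        return True
    if pattern == "UNKNOWN":
        return c.unknown
    if pattern == "KNOWN":
        return not c.unknown and not c.paranoid
    if pattern == "PARANOID":
        return c.paranoid
    if pattern == "LOCAL":                           # a name without a dot
        return name is not None and "." not in name
    if "/" in pattern:                               # net/mask or net/len
        return ipaddress.IPv4Address(c.addr) in ipaddress.IPv4Network(pattern, strict=False)
    if "*" in pattern or "?" in pattern:             # shell-style wildcards
        return fnmatchcase(c.addr, pattern) or (name is not None and fnmatchcase(name, pattern))
    if pattern.startswith("."):                      # host-name suffix
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):                        # address prefix
        return c.addr.startswith(pattern)
    return pattern == c.addr or (name is not None and pattern.lower() == name.lower())


def hosts_access(daemon: str, client: Client, allow: str, deny: str) -> Tuple[bool, str]:
    """Return (granted, reason): first hosts.allow match grants, else first
    hosts.deny match denies, else the connection is granted."""
    for table, rules, verdict in (("hosts.allow", parse_rules(allow), True),
                                  ("hosts.deny", parse_rules(deny), False)):
        for daemons, clients in rules:
            if match_list(daemons, lambda d: match_daemon(d, daemon)) and \
               match_list(clients, lambda p: match_client(p, client)):
                return verdict, f"{table}: {' '.join(daemons)} : {' '.join(clients)}"
    return True, "no rule matched (default allow)"


# Constructed scenario resembling the original poster's box (not his files).
LAN_ONLY_ALLOW = "ALL: 192.168.1.0/255.255.255.0   # constructed LAN rule\n"
DENY_PARANOID = "ALL: PARANOID\n"
DENY_STAR = "ALL: *\n"                       # the "* in hosts.deny" case
SSHD_OPEN_ALLOW = "sshd: ALL\n" + LAN_ONLY_ALLOW

LAN_HOST = Client("192.168.1.20", "desk", ("192.168.1.20",))
DIALUP_NO_PTR = Client("198.51.100.5")                                            # UNKNOWN
DIALUP_BAD_PTR = Client("203.0.113.77", "pool-77.isp.example", ("203.0.113.78",))  # PARANOID
DIALUP_IN_ETC_HOSTS = Client("203.0.113.77", "remote-tom", ("203.0.113.77",))      # after /etc/hosts entry


def demo() -> dict:
    """Run the thread's three situations through the model and print them."""
    cases = {
        "LAN host, deny PARANOID": hosts_access("sshd", LAN_HOST, LAN_ONLY_ALLOW, DENY_PARANOID),
        "dialup w/ bad PTR, deny PARANOID": hosts_access("sshd", DIALUP_BAD_PTR, LAN_ONLY_ALLOW, DENY_PARANOID),
        "same dialup listed in /etc/hosts": hosts_access("sshd", DIALUP_IN_ETC_HOSTS, LAN_ONLY_ALLOW, DENY_PARANOID),
        "dialup w/o PTR, deny *": hosts_access("sshd", DIALUP_NO_PTR, LAN_ONLY_ALLOW, DENY_STAR),
        "dialup w/ bad PTR, allow sshd: ALL": hosts_access("sshd", DIALUP_BAD_PTR, SSHD_OPEN_ALLOW, DENY_STAR),
        "telnetd from same dialup": hosts_access("in.telnetd", DIALUP_BAD_PTR, SSHD_OPEN_ALLOW, DENY_STAR),
    }
    for label, (granted, reason) in cases.items():
        print(f"{label:36s} -> {'ALLOW' if granted else 'DENY ':5s} ({reason})")
    return cases


if __name__ == "__main__":
    demo()
```

Run as a script it prints one line per case. The model shows the two behaviours the thread turns on: with only `ALL: PARANOID` in hosts.deny, a dynamic client whose PTR does not resolve back is refused until an /etc/hosts entry makes its name map to its address (which is what the original poster was doing by hand), while a `*` or `ALL: ALL` deny rule refuses everything not named in hosts.allow. Putting `sshd: ALL` in hosts.allow ends the lookup at the first table for sshd only, so other wrapped services stay subject to hosts.deny.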