Linode Forum (https://forum.linode.com/)

How to access my linode behind a firewall that locks port 22? (https://forum.linode.com/viewtopic.php?f=19&t=10275)
Page 4 of 4
Author: theckman [ Sat Oct 05, 2013 3:38 pm ]
Post subject: Re: How to access my linode behind a firewall that locks port

What exactly are you trying to do? What commands are you running? Can you pastebin the full contents of your firewall configuration? This command will print it in the terminal for you, and it must be run as root:

Code:
    iptables-save

My current theory is that you are trying to run a program that is trying to BIND to port 22. Except, port 22 is a privileged port and only things running as root can do so:
- http://en.wikipedia.org/wiki/Privilege_(computing)#Unix

-Tim

Author: sblantipodi [ Sat Oct 05, 2013 4:06 pm ]
Post subject: Re: How to access my linode behind a firewall that locks port

theckman wrote:
    What exactly are you trying to do? What commands are you running? Can you pastebin the full contents of your firewall configuration? This command will print it in the terminal for you, and it must be run as root:

    Code:
        iptables-save

    My current theory is that you are trying to run a program that is trying to BIND to port 22. Except, port 22 is a privileged port and only things running as root can do so:
    - http://en.wikipedia.org/wiki/Privilege_(computing)#Unix

    -Tim

Thanks for the answer:

Code:
    # Generated by iptables-save v1.4.7 on Sat Oct 5 21:24:10 2013

I have non-standard ports for ssh and https.

Author: theckman [ Sat Oct 05, 2013 4:09 pm ]
Post subject: Re: How to access my linode behind a firewall that locks port

Those firewall rules seem a bit ridiculous, and may get in the way of things you try to do in the future...so yeah. What are you trying to do that causes that error? I need a specific command, preferably with the full prompt being shown as well as the error.

Author: sblantipodi [ Sat Oct 05, 2013 4:15 pm ]
Post subject: Re: How to access my linode behind a firewall that locks port

theckman wrote:
    Those firewall rules seem a bit ridiculous, but have fun with that... What are you trying to do that causes that error? I need a specific command, preferably with the full prompt being shown as well as the error.

Why ridiculous? Have you got some better rules? Can you share them?

I'm starting sslh as a service in CentOS; the purpose is to connect to ssh and https using port 443. It works fine if /etc/rc.d/init.d/sslh contains this line:

Code:
    OPTIONS="--user nobody --pidfile $PIDFILE -p MYLINODEIP1:443 --ssl MYLINODEIP:8443 --ssh MYLINODEIP:nonstandardport"

In this way the logs do not contain any valid IP address, because everyone who connects to https or ssh is logged as MYLINODEIP. To solve this problem sslh gives the --transparent option, but this option doesn't work on my linode if not used as root:

Code:
    OPTIONS="--user root --pidfile $PIDFILE -p MYLINODEIP1:443 --ssl MYLINODEIP:8443 --ssh MYLINODEIP:nonstandardport"

Author: sblantipodi [ Sat Oct 05, 2013 4:52 pm ]
Post subject: Re: How to access my linode behind a firewall that locks port

PS: I've done the commands in the readme too: https://github.com/yrutschle/sslh/blob/ ... EADME#L185

Quote:
    # iptables -t mangle -N SSLH
    # iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH
    # iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
    # iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
    # iptables -t mangle -A SSLH --jump ACCEPT
    # ip rule add fwmark 0x1 lookup 100
    # ip route add local 0.0.0.0/0 dev lo table 100

Author: sblantipodi [ Sat Oct 05, 2013 8:40 pm ]
Post subject: Re: How to access my linode behind a firewall that locks port

I'm going mad, but this time I got a step forward.

Quote:
    sslh --transparent --user MYEXISTINGUSER --pidfile /tmp/sslh -p MYIP:443 --ssl MYIP:8443 --ssh MYIP:42424

plus

Quote:
    iptables -t mangle -N SSLH;
    iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 42424 --jump SSLH;
    iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 8443 --jump SSLH;
    iptables -t mangle -A SSLH --jump MARK --set-mark 0x1;
    iptables -t mangle -A SSLH --jump ACCEPT;
    ip rule add fwmark 0x1 lookup 100;
    ip route add local 0.0.0.0/0 dev lo table 100;

works like a charm. If I try to start it as a service with "service sslh start" it doesn't work: Operation not permitted. Have you got any suggestions on starting it as a service? Thanks.

Author: theckman [ Sun Oct 06, 2013 2:09 am ]
Post subject: Re: How to access my linode behind a firewall that locks port

The rules seem like overkill and don't really protect you against anything. But alas, you have free rein over your system. Are you trying to start sslh as root?

-Tim

Author: sblantipodi [ Sun Oct 06, 2013 6:44 am ]
Post subject: Re: How to access my linode behind a firewall that locks port

theckman wrote:
    The rules seem like overkill and don't really protect you against anything. But alas, you have free rein over your system. Are you trying to start sslh as root?

    -Tim

If I start it as root it works like a charm; if I start it as a normal user it works like a charm; if I start it at boot with "chkconfig sslh on", when I reboot I get the "setsockopt: Operation not permitted" error when I try to use the SSLH port to connect. It seems that the sslh command loses the capabilities (setcap cap_net_bind_service,cap_net_admin+pe /usr/sbin/sslh) when it starts as a service, and I don't want this.

Author: sblantipodi [ Sun Oct 06, 2013 7:53 am ]
Post subject: Re: How to access my linode behind a firewall that locks port

On the mailing list they say: http://rutschle.net/pipermail/sslh/2013 ... 00443.html

    make sure it's changed to the final user *before* calling sslh, if using --transparent.

Ok, but how can I change to the final user *before* calling sslh?

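The two posts above turn on one question: after the init script switches to the final user, does the process still hold CAP_NET_ADMIN (needed for the IP_TRANSPARENT setsockopt that fails with "Operation not permitted") and CAP_NET_BIND_SERVICE (needed to bind 443)? The script below is an added example, not code from the thread or from the sslh project. It reads the effective capability set of its own process from /proc/self/status, so it is Linux-only, and the user name MYUSERNAME in the usage comment is a placeholder. Run it the same way the init script runs sslh (for example through "daemon --user MYUSERNAME") and it reports which of the two capabilities survived the user switch.

```shell
#!/bin/sh
# Added example: report whether the current process holds the capabilities
# that sslh --transparent needs. Not part of the thread or of sslh itself.
# Linux-only: reads CapEff from /proc/self/status.

CAP_NET_BIND_SERVICE=10   # bind to ports below 1024 (sslh listens on 443)
CAP_NET_ADMIN=12          # setsockopt(IP_TRANSPARENT) used by --transparent

# cap_mask_has HEXMASK BIT: succeed if bit BIT is set in the hex mask.
# Only the low 32 bits are examined, which covers both capabilities above.
cap_mask_has() {
  mask=$(printf '%s' "$1" | tail -c 8)
  [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# effective_cap_mask: the CapEff value of this process as a hex string.
effective_cap_mask() {
  [ -r /proc/self/status ] || return 1
  awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# check_transparent_caps: print one line per capability; succeed only if
# both are in the effective set, otherwise return 1 (sslh would then fail
# with EPERM on setsockopt or on bind).
check_transparent_caps() {
  mask=$(effective_cap_mask) || return 1
  [ -n "$mask" ] || return 1
  missing=0
  for entry in "cap_net_bind_service:$CAP_NET_BIND_SERVICE" "cap_net_admin:$CAP_NET_ADMIN"; do
    name=${entry%%:*}
    bit=${entry##*:}
    if cap_mask_has "$mask" "$bit"; then
      echo "$name: effective"
    else
      echo "$name: MISSING (expect 'Operation not permitted')"
      missing=1
    fi
  done
  return $missing
}

# Usage: run this as the user the init script switches to, e.g. via
# "daemon --user MYUSERNAME sh capcheck.sh" (MYUSERNAME is a placeholder).
check_transparent_caps || echo "sslh --transparent would not work from this context"
```

Root normally has both bits set, so the interesting run is the one that goes through the same user switch as the service; a binary with file capabilities (the setcap line quoted earlier) gets CAP_NET_ADMIN regardless of who starts it, which is why moving the user switch before the sslh call works.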
Author: sblantipodi [ Sun Oct 06, 2013 10:14 am ]
Post subject: Re: How to access my linode behind a firewall that locks port

Ok, I solved it by adding --user to the daemon:

Quote:
    OPTIONS="--transparent -- MYUSERNAM --pidfile /tmp/sslh -p MYIP:443 --ssl MYIP:8443 --ssh MYIP:NONSTANDARDPORT"
    PIDFILE="/tmp/sslh"

    start() {
        echo -n "Starting SSL-SSH-Switch: "
        if [ -f $PIDFILE ]; then
            PID=`cat $PIDFILE`
            echo sslh already running: $PID
            exit 2;
        else
            daemon --user MYUSERNAME $SSLH $OPTIONS
            RETVAL=$?
            echo
            [ $RETVAL -eq 0 ] && touch $PIDFILE
            ip rule add fwmark 0x1 lookup 100;
            ip route add local 0.0.0.0/0 dev lo table 100;
            return $RETVAL
        fi
    }

    stop() {
        echo -n "Shutting down SSL-SSH-Switch: "
        echo
        killproc sslh
        echo
        rm -f $PIDFILE
        ip rule del fwmark 0x1 lookup 100;
        ip route del local 0.0.0.0/0 dev lo table 100;
        return 0
    }

I also added the ip route del/add and ip rule add/del so that I don't have to type these commands at every boot. In /etc/ssh/sshd_config I enabled ListenAddress MYPUBLICIP, then I added this rule:

Code:
    iptables -t mangle -N SSLH;

Problem solved! Now fail2ban works again with the multiplexer running, and I can trace the IP of the user connecting to the multiplexed port correctly.

All times are UTC-04:00