Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I was playing with netfilter this weekend, when I decided to bind my sshd to localhost, and let netfilter redirect allowed traffic through to localhost:22. This works now from the local box, but whenever I try to connect remotely, the connection times out...
Here's the stuff I did:
--[cut here]--------
root:/# cat > /dev/null << EOF
> ip1 == addr of eth0
> ip2 == addr of remote machine
> EOF
root:/# id
uid=0(root) gid=0(root) groups=0(root)
root:/# uname -a
Linux lacrima 2.4.4-work #1 Mon May 14 08:34:52 CEST 2001 i686 unknown
root:/# netstat -an|grep LISTEN
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:22 0.0.0.0:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 1295 /tmp/.X11-unix/X0
root:/# lsmod
Module Size Used by
root:/# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
As no one has attempted to answer your question on forwarding internally to your localhost-bound sshd ("no idea why you would even attempt to do this"): anyway, I haven't used netfilter "yet", but I think I can see a flaw in your chains.
The PREROUTING chain does filtering on packets before they hit the routing tables that sends them onwards to the INPUT/FORWARD/OUTPUT chains.
In your input chains you need to allow access to your IP address, not the local address.
Also switch on logging on all connections so you can see which filters accept the connections.
In addition to that, the main thing is to NOT bind sshd to localhost: it can ONLY accept (listen for) traffic from localhost. No outside hosts may use localhost as a destination address in correct/legitimate traffic. (IANA stuff and such)
OTOH, if you want to play you can try and set up a port forwarder on the external interface and see if you can bounce traffic off a port to reach localhost :-]
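The two layouts discussed in this thread, as an added example that is not code from any of the posters: a plain INPUT-chain filter with logging for an sshd bound to the external address (what the replies recommend), beside the PREROUTING rewrite the original poster was attempting, plus a small helper that reads netstat LISTEN lines and reports whether a port is bound to loopback only. Interface name, port, and the allowed network (the TEST-NET-1 range) are assumptions, and the commands are only printed unless APPLY=1 is set. The DNAT rules go beyond the thread on one point: to rewrite an incoming packet's destination to 127.0.0.1 the kernel has to be told to route loopback addresses on that interface (the route_localnet sysctl, which exists from Linux 3.6; older kernels such as the 2.4 one in the thread drop such packets as martians), and the REDIRECT target is not a substitute, since for packets arriving from outside it rewrites the destination to the interface's own address rather than 127.0.0.1, where nothing is listening.

```shell
#!/bin/sh
# Added example, not from the thread. Names below are assumptions; set them
# in the environment to override. Commands are printed unless APPLY=1.
EXT_IF=${EXT_IF:-eth0}
SSH_PORT=${SSH_PORT:-22}
ALLOWED_NET=${ALLOWED_NET:-192.0.2.0/24}   # constructed example range (TEST-NET-1)

# Run iptables for real only when APPLY=1; otherwise print the command.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Layout 1: sshd listens on the external address. Filter in INPUT, log what
# is accepted so the debugging suggested in the thread is possible, drop the rest.
ssh_filter_rules() {
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$SSH_PORT" -s "$ALLOWED_NET" \
        -j LOG --log-prefix "ssh-accept: "
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$SSH_PORT" -s "$ALLOWED_NET" -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$SSH_PORT" -j DROP
}

# Layout 2: sshd listens on 127.0.0.1 only and PREROUTING rewrites the
# destination. The INPUT rule must match the rewritten destination
# (127.0.0.1), not the interface address, and the kernel must be allowed to
# route to loopback for packets arriving on EXT_IF (route_localnet, Linux 3.6+).
ssh_localhost_dnat_rules() {
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$SSH_PORT" \
        -s "$ALLOWED_NET" -j DNAT --to-destination "127.0.0.1:$SSH_PORT"
    ipt -A INPUT -i "$EXT_IF" -d 127.0.0.1 -p tcp --dport "$SSH_PORT" -j ACCEPT
    if [ "${APPLY:-0}" = 1 ]; then
        sysctl -w "net.ipv4.conf.$EXT_IF.route_localnet=1"
    else
        echo "sysctl -w net.ipv4.conf.$EXT_IF.route_localnet=1"
    fi
}

# Read "netstat -an" LISTEN lines on stdin and print "loopback-only" or
# "external" for the given TCP port (nothing if the port is not listening).
bind_scope() {    # usage: bind_scope PORT < netstat_output
    port=$1
    awk -v p="$port" '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":"); if (a[n] != p) next
            if (a[1] == "127.0.0.1") print "loopback-only"; else print "external"
            exit
        }'
}

# With no argument: dry run of both layouts. "filter" or "localhost" selects
# one layout, which is applied for real only when APPLY=1.
case "${1:-}" in
    filter)    ssh_filter_rules ;;
    localhost) ssh_localhost_dnat_rules ;;
    *)  echo "# dry run of both layouts (pass 'filter' or 'localhost' with APPLY=1 to apply one)"
        APPLY=0; ssh_filter_rules; ssh_localhost_dnat_rules ;;
esac
```

Feeding the thread's own netstat listing to bind_scope 22 reports loopback-only, which is exactly why the plain forwarding attempt cannot reach the daemon without the DNAT-to-127.0.0.1 path above; for a daemon that should be reachable remotely, binding it to the interface address and using the filter layout is the simpler and safer choice.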