
I have a local machine in my network, 192.168.0.30, and I ssh to it over port 12121, set in my sshd_config file.

I made these changes to iptables:

/sbin/iptables -A INPUT -i eth0 -p tcp --dport 12121 -j ACCEPT

/sbin/iptables -P INPUT DROP

So my machine accepts only input on port 12121 now; this works, I can ssh into it.

On this machine I run an autossh script from a service, for remote port forwarding, to get access from outside.

Command in my script:

/usr/bin/autossh -f -NT -o "ExitOnForwardFailure=yes" -R 20000:localhost:12121 \
-l [REMOTE-USER] [REMOTE-IP] -p 11111 -i [REMOTE-KEY]

When I try to connect it won't work, which is normal, since I accept only 12121 in iptables.

So I add this to my iptables:

/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20000 -j ACCEPT

And, even if I don't need this because it's the input port on the remote machine:

/sbin/iptables -A INPUT -i eth0 -p tcp --dport 11111 -j ACCEPT

Local ssh works, remote ssh does not.

When I check my service with:

systemctl status mysshservice

I see all the exited status codes and the restarts from the service, and I see my autossh command with my options, but I also see a second line with -L and a different port selected by autossh, like 48328, so I do:

/sbin/iptables -A INPUT -i eth0 -p tcp --dport 48328 -j ACCEPT

Now I can ssh from outside again.

I have 2 questions now about iptables.

Is it possible to accept the service by name, without a given port, like ACCEPT ALL SSH CONNECTIONS?, so that only ssh works, without having to ACCEPT every PORT I need.

My problem is that the remote port changes every day, so I have to generate new ACCEPT rules every day.

When I work with autossh, do I need a script to grep/awk/sed the -R and -L ports every day, or is there another solution for this?

Z0OM
  • I have no idea what you want to achieve, but it seems that you complicate things for *no* reason. – vidarlo Aug 25 '22 at 18:17
  • I want to block all except ssh; I searched the stack sites and found only port blocking with iptables. You got a solution for me where I am not so complicated, ty? – Z0OM Aug 25 '22 at 18:24
  • Is it better to use fail2ban? – Z0OM Aug 25 '22 at 18:27
  • You could have the iptables rules in a file, and then template in whatever the port is today via some templating language prior to applying the updated rules for the updated port – thrig Aug 25 '22 at 19:33
  • What do you mean with templating language? A bash script? – Z0OM Aug 25 '22 at 19:36
  • To my first question: I can block only ports with iptables, right? – Z0OM Aug 25 '22 at 19:37
  • @thrig you mean this with template: https://serverfault.com/questions/287688/templating-with-linux-in-a-shell-script ? – Z0OM Aug 25 '22 at 19:38

1 Answer


You can use service names from /etc/services, but internally iptables works with port numbers, only translated from this file, since TCP/UDP protocol headers use numbers, not strings, for ports.

Moreover, there are no names for all port numbers, since service names are just a convention: http://www.iana.org/assignments/port-numbers

Also, a service name is anchored to only one port number at a time.

It does not work the way you want.

gapsf
  • Ok, I see: only some standard ports are given in /etc/services, but not new ones, like the ones I create with autossh or ssh, right? – Z0OM Aug 25 '22 at 19:46
  • Correct; `/etc/services` lists only the standard/conventional port numbers as assigned by IANA. Anything you run on a nonstandard port has to be managed by you, even if it's "standard software listening on a nonstandard port". edit: as gapsf says, it can also be edited if you want to use a local service at a relatively fixed port number! – Ti Strga Aug 25 '22 at 19:50
  • /etc/services is a fixed list, simply a copy of the original from IANA. But you can add something of yours if it helps you – gapsf Aug 25 '22 at 19:52
  • The list will not help me, but the answer was useful; I will try a little more, but not too much :), with a script/template, grep what I need and update iptables, thanks again^^ – Z0OM Aug 25 '22 at 19:55
  • Just use a fixed listen port for autossh: autossh -M monitor_port -L local_port:localhost:remote_port user@host – gapsf Aug 25 '22 at 19:59
  • Fixed ports are not possible, I got a range of given ports, it's too much to explain.. – Z0OM Aug 25 '22 at 20:04
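The templating approach thrig suggests in the question's comments, and that the asker settles on in the answer's comments (grep the -L/-R ports out of the autossh command line and regenerate the rules), written out as an added POSIX sh example. This is not code from the question, the answer or the autossh project. It assumes the command line is available in a variable (a constructed sample, as it would appear in `systemctl status`, with the extra `-L` echo forward autossh adds for its monitor port), the public interface is eth0 and sshd listens on 12121, both from the question; the interface, port and remote address are placeholders. The generated ruleset is in `iptables-restore` format so it can be applied atomically instead of appending rules one by one; besides the per-port ACCEPT rules the thread discusses, it includes the two rules any DROP-policy INPUT chain needs for an outbound ssh session to work at all: loopback and conntrack ESTABLISHED,RELATED.

```shell
#!/bin/sh
# Added example: regenerate an iptables ruleset from the ports that autossh
# is currently using. Not part of the original thread or of autossh.

# Constructed sample command line (placeholders: 203.0.113.10, user, key path).
# The "-L 48328:127.0.0.1:48329" part is the echo forward autossh adds for its
# monitor port; it changes on every restart unless pinned with -M <port>.
AUTOSSH_CMD='/usr/bin/ssh -L 48328:127.0.0.1:48329 -NT -o ExitOnForwardFailure=yes -R 20000:localhost:12121 -l user 203.0.113.10 -p 11111 -i /root/.ssh/remote_key'

# listen_ports CMDLINE FLAG
# Prints the listen port of every FLAG (-L or -R) forward in CMDLINE, one per
# line: the token after FLAG is "port:host:port", and we keep the first field.
listen_ports() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -v flag="$2" '
        prev == flag { sub(/:.*/, ""); print }
        { prev = $0 }'
}

# render_rules SSHD_PORT IFACE CMDLINE
# Writes an iptables-restore ruleset for the filter table to stdout.
render_rules() {
    ssh_port=$1
    iface=$2
    cmd=$3
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback: the monitor forward is bound to 127.0.0.1 by default, so
    # autossh's own health checks travel over lo and would hit the DROP policy
    # without this rule (an "-i eth0" rule cannot match them).
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to the outbound ssh session to the remote host's port 11111
    # arrive on INPUT with 11111 as the *source* port; a conntrack rule admits
    # them, a "--dport 11111" rule does not.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The local sshd, as in the question.
    echo "-A INPUT -i $iface -p tcp --dport $ssh_port -j ACCEPT"
    # One ACCEPT per local -L listen port, re-rendered with today's value.
    # Only needed if a forward is bound to a non-loopback address; a forward
    # bound to 127.0.0.1 is already covered by the lo rule above.
    for p in $(listen_ports "$cmd" -L); do
        echo "-A INPUT -i $iface -p tcp --dport $p -j ACCEPT"
    done
    # -R ports listen on the REMOTE host; nothing to open locally for them.
    echo 'COMMIT'
}

# Stand-alone run: print the ruleset. To apply it on the real machine (as root):
#   render_rules 12121 eth0 "$AUTOSSH_CMD" > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
render_rules 12121 eth0 "$AUTOSSH_CMD"
```

In practice the variable part would be read from the live process (`ps -o args= -C ssh`) rather than a literal, and the whole thing run from the autossh service's `ExecStartPost=` so the rules follow every restart. Note that `autossh -M <port>` pins the monitor port, as gapsf's comment says, which removes the daily change entirely; the asker states fixed ports are not an option in their case, so the script above keeps the per-run extraction.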