2013-11-25 - [GRASE-Hotspot] Cannot SSH within network
Header Data
From: Karotu Tannang <ka***u@nauoi.com.ki>
Message Hash: ccbd0e62f8e86303b08f44445ef3fcd761d9e25f3054445260435e883168b6c5
Message ID: <CA+bonMgzRrUuaU7M7wBoRez7G3SRv1hOkAz7286ReLuqyUk6kg@mail.gmail.com>
Reply To: N/A
UTC Datetime: 2013-11-25 16:30:43 UTC
Raw Date: Tue, 26 Nov 2013 11:30:43 +1200
Raw message
Hi,
I have setup aircontrol (http://wiki.ubnt.com/AirControl) on my grase
hotspot but noticed that I can only ssh into the server but cannot ssh
out from the server to my access points.
I have added a few lines in /etc/chilli/ipup.sh for the iptables to
allow aircontrol access and shh but still cannot ssh out to my access
points. Maybe there is something I am missing?
Any help would be very much appreciated.
Kind regards,
Karotu
Here is /etc/chilli/ipup.sh
#!/bin/sh
# Custom rules for Hotspot
# TRANS PROXY
# ipt -I PREROUTING -t nat -p tcp -s 10.1.0.0/24 -d 10.1.0.1
--dport 3128 -j DROP
# ipt -I PREROUTING -t nat -i $IF -p tcp -s 10.1.0.0/24 -d !
10.1.0.1 --dport 80 -j REDIRECT --to 8080
# Redirect to Squid proxy (drop direct attempts to proxy)
ipt -I PREROUTING -t mangle -p tcp -s $NET/$MASK -d $ADDR --dport
3128 -j DROP
ipt -I PREROUTING -t nat -i $TUNTAP -p tcp -s $NET/$MASK -d !
$ADDR --dport 80 -j REDIRECT --to 3128
# Look at using this rule?
# ipt -I PREROUTING -t nat -i $TUNTAP -p tcp -s $NET/$MASK -d !
$ADDR --dport 80 -j DNAT --to 192.168.8.22:3128
# Redirect DNS to local server # Coova Chilli seems to take care of this
# ipt -I PREROUTING -t nat -i $TUNTAP -p tcp -s $NET/$MASK -d !
$ADDR --dport 53 -j REDIRECT --to 53
# ipt -I PREROUTING -t nat -i $TUNTAP -p udp -s $NET/$MASK -d !
$ADDR --dport 53 -j REDIRECT --to 53
# MASQUERADE
ipt -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
# Allow local BIND server to connect to other DNS servers
SERVER_IP="192.168.0.90"
DNS_SERVER="208.67.222.222 208.67.220.220"
for ip in $DNS_SERVER
do
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 1024:65535 -d $ip
--dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s $ip --sport 53 -d $SERVER_IP --dport
1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT-p tcp -s $SERVER_IP --sport 1024:65535 -d $ip
--dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $ip --sport 53 -d $SERVER_IP --dport
1024:65535 -m state --state ESTABLISHED -j ACCEPT
done
iptables -A INPUT -i tun0 -p tcp --dport 9080 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun0 -p tcp --sport 9080 -m state --state
ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -p tcp --dport 9443 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun0 -p tcp --sport 9443 -m state --state
ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 10.1.0.1 --dport 22 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 10001 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport 10001 -m state --state ESTABLISHED -j ACCEPT
=========================================================
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
ACCEPT icmp -- anywhere 10.1.0.1
ACCEPT udp -- anywhere 10.1.0.1 udp dpt:domain
ACCEPT udp -- anywhere 10.1.0.1 udp
dpts:bootps:bootpc
ACCEPT udp -- anywhere 255.255.255.255 udp
dpts:bootps:bootpc
ACCEPT tcp -- anywhere 10.1.0.1 tcp dpt:3128
ACCEPT tcp -- anywhere 10.1.0.1 tcp dpt:3990
ACCEPT tcp -- anywhere 10.1.0.1 tcp dpt:domain
ACCEPT tcp -- anywhere 10.1.0.1 tcp dpt:2812
ACCEPT tcp -- anywhere 10.1.0.1 tcp dpt:ssh
ACCEPT tcp -- anywhere 10.1.0.1 tcp dpt:https
ACCEPT tcp -- anywhere 10.1.0.1 tcp dpt:http
ACCEPT tcp -- anywhere 10.1.0.1 tcp dpt:4990
ACCEPT tcp -- anywhere 10.1.0.1 tcp dpt:3990
ACCEPT udp -- resolver1.opendns.com 192.168.0.90 udp
spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- resolver1.opendns.com 192.168.0.90 tcp
spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT udp -- resolver2.opendns.com 192.168.0.90 udp
spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- resolver2.opendns.com 192.168.0.90 tcp
spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
dpt:9080 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
dpt:9443 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
spt:ssh state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp
dpt:10001 state NEW,ESTABLISHED
DROP all -- anywhere 10.1.0.1
ACCEPT udp -- resolver1.opendns.com 192.168.0.90 udp
spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- resolver1.opendns.com 192.168.0.90 tcp
spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT udp -- resolver2.opendns.com 192.168.0.90 udp
spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- resolver2.opendns.com 192.168.0.90 tcp
spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
dpt:9080 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
dpt:9443 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
spt:ssh state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp
dpt:10001 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere
tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 192.168.0.90 resolver1.opendns.com udp
spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT udp -- 192.168.0.90 resolver2.opendns.com udp
spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
spt:9080 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
spt:9443 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
dpt:ssh state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp
spt:10001 state ESTABLISHED
ACCEPT udp -- 192.168.0.90 resolver1.opendns.com udp
spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT udp -- 192.168.0.90 resolver2.opendns.com udp
spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
spt:9080 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp
spt:9443 state ESTABLISHED
ACCEPT tcp -- 10.1.0.1 anywhere tcp
dpt:ssh state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp
spt:10001 state ESTABLISHED
Any ideas welcome.
Kind regards,
Karotu
--
----------------------------------
Karotu Tannang
Nauoi IT Services
Behind BOK, Betio / PO Box 46, Bairiki
Tarawa, KIRIBATI
Mobile: +686 94038
Like Us on Facebook: http://www.facebook.com/nauoionline
Thread
-
Return to November 2013
-
Return to “Karotu Tannang <ka***u@nauoi.com.ki>”
-
2013-11-25 (Tue, 26 Nov 2013 11:30:43 +1200) - [GRASE-Hotspot] Cannot SSH within network - Karotu Tannang <ka***u@nauoi.com.ki>