
Thread: 2 internal networks, can ssh into box from 1 net but not the other. Help.

  1. #1

    2 internal networks, can ssh into box from 1 net but not the other. Help.

    Hey all.. I have a fw / networking question here. This is on an 18.04 box. It's more an iptables / routing question. Here's the basic rundown of my setup and use case.

    • Box is a Wifi gateway to a VPN
    • eth0 is on the local network of 192.168.1.0/24
    • wlan0 (wifi) is broadcasting and using the network 192.168.220.0/24
    • tun0 is the openvpn connection to PIA (private internet access vpn service)
    • I can connect to .220.0 network and ssh into the box just fine
    • I can NOT ssh, ping, etc into the box from the .1.0 network
    • From the box I can ping the .1.1 gateway, but nothing else on the network

    Here are the rules and routes from my box

    Code:
    root:gw ~ # cat /etc/iptables.ipv4.nat
    # Generated by iptables-save v1.6.0 on Tue Jun 11 16:23:07 2019
    *nat
    :PREROUTING ACCEPT [49451:3023221]
    :INPUT ACCEPT [16160:1024232]
    :OUTPUT ACCEPT [9103:614323]
    :POSTROUTING ACCEPT [9100:614095]
    -A POSTROUTING -o tun0 -j MASQUERADE
    COMMIT
    # Completed on Tue Jun 11 16:23:07 2019
    # Generated by iptables-save v1.6.0 on Tue Jun 11 16:23:07 2019
    *filter
    :INPUT ACCEPT [2:696]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s 192.168.220.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    -A FORWARD -i wlan0 -o eth0 -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Tue Jun 11 16:23:07 2019
    
    root:gw ~ # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     tcp  --  192.168.220.0/24     anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh ctstate ESTABLISHED
    ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
    
    root:gw ~ # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.54.17.5      128.0.0.0       UG    0      0        0 tun0
    default         192.168.1.1     0.0.0.0         UG    202    0        0 eth0
    10.54.X.X       10.54.17.5      255.255.255.255 UGH   0      0        0 tun0
    10.54.X.X       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    91.207.175.126  192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
    104.28.18.94    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
    104.28.19.94    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
    128.0.0.0       10.54.17.5      128.0.0.0       UG    0      0        0 tun0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
    192.168.220.0   0.0.0.0         255.255.255.0   U     303    0        0 wlan0

    I believe the FW rules are OK. I think it's more to do with the route table but maybe not?

    I've tried adding logging for new incoming connections to iptables and when trying to ssh in on the .1.0 network, I get no log entry. I even tried adding a manual entry for .1.0 to route via .1.1 but still no dice (I know this shouldn't be needed but just grasping).

    Anyone have any ideas?

    Thanks in advance!


  2. #2

    Re: 2 internal networks, can ssh into box from 1 net but not the other. Help.

    route -n?
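To see which interface the kernel would send a reply out of for a given peer, here is an added example (not posted by either participant) that parses the routing table exactly as it appears in the thread, mapping the `default` name that plain `route` prints back to the numeric `0.0.0.0` that `route -n` would show, and applies longest-prefix then lowest-metric selection; the lookup addresses such as 192.168.1.50 are constructed for illustration.

```python
import ipaddress

# Routing table as posted in the thread (abridged). The two redacted 10.54.X.X rows
# are kept as posted so the parser has to cope with them rather than guessing them.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.54.17.5      128.0.0.0       UG    0      0        0 tun0
default         192.168.1.1     0.0.0.0         UG    202    0        0 eth0
10.54.X.X       10.54.17.5      255.255.255.255 UGH   0      0        0 tun0
10.54.X.X       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
91.207.175.126  192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.54.17.5      128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.220.0   0.0.0.0         255.255.255.0   U     303    0        0 wlan0
"""

def parse_routes(text):
    """Return (network, gateway, flags, metric, iface) tuples from `route` output."""
    routes = []
    for line in text.splitlines()[2:]:          # skip the two header lines
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gateway, genmask, flags, metric, _, _, iface = fields[:8]
        if dest == "default":                   # plain `route` resolves 0.0.0.0 to a name;
            dest = "0.0.0.0"                    # `route -n` prints the numeric form
        try:
            network = ipaddress.IPv4Network((dest, genmask))
        except ValueError:
            continue                            # redacted/unparsable row: skip, do not guess
        routes.append((network, gateway, flags, int(metric), iface))
    return routes

def lookup(routes, destination):
    """Pick the route the kernel would use: longest prefix wins, then lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, gateway, flags, metric, iface = min(
        matches, key=lambda r: (-r[0].prefixlen, r[3]))
    return {"dev": iface,
            "via": gateway if "G" in flags else None,   # no G flag: directly connected
            "route": str(net), "metric": metric}
```

Run `lookup(parse_routes(ROUTE_OUTPUT), "8.8.8.8")` to see the two /1 routes steering Internet traffic into tun0 while the /24 entries keep 192.168.1.x and 192.168.220.x replies on eth0 and wlan0.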
