Topic: 12.04 and 14.04 Firewall Issues

huh

12.04 and 14.04 Firewall Issues
« on: November 29, 2015, 06:05:46 am »
I installed LMCE-1404-20151124002031655-i386 on Nov 27, 2015 using what used to be a standard install- dual nics, nvidia graphics.  Sarah loaded, my SqueezeBox was found and installed correctly- that's all I tested that worked.

What didn't work is ssh or remote access of the web admin pages.  I opened the web admin pages from the core and opened the "outside access" page from the left hand menu.  Enabling remote access on ports 80, 8080 and ssh on 22 did not allow me to remotely access the core.  I manually added rules using the advanced pages- both as a core input and as NAT preforwarding to both 192.168.80.1 and 127.0.0.1, but no success.  I did the rules separately, that is, the different rule types separately, so there was no overlap of firewall commands.  Only disabling the firewall (IPv4 only, btw, I did not test IPv6) allowed me access- even then, no ssh.

If it matters, I also tried sshing out of the core and was not able to do that either.  Doing some generic searching led me to looking at the installed keys ("ssh-add -l") and these possible solutions:  http://stackoverflow.com/questions/17846529/could-not-open-a-connection-to-your-authentication-agent

As for me, I'm dumping 14.04 and changing to 12.04. 

Edit: Same applies to 12.04.  I am able to access the web admin pages remotely only after disabling the firewall.  I am not able to ssh into the box from either externally or internally (x.x.80.x address) with or without the firewall enabled. 

I mean this without any implied criticism or sarcasm- there seem to be very few of us with firewall issues.  Is that from most using older versions or am I doing something fairly unique with the firewall?  That is, do most rely on another device (router, etc.) for the firewall, or do you not do any port forwarding/ssh at the core?  I ask because if there is a better (read: more mainstream) approach, I'm more than happy to change.

iptables -nvL:
Code:
Chain INPUT (policy DROP 4 packets, 160 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x29
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x3F
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x00
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x06
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x03/0x03
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x11/0x01
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x37
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1
 1978  425K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
  854  185K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
  285 41433 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* Allow_DHCP */
 1078  225K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* Allow_DHCP */
   13   780 ACCEPT     all  --  eth1   *       192.168.80.0/24      0.0.0.0/0            /* Allow_Local_Network */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:80 /* Remote_Access */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            127.0.0.1            udp dpt:80 /* Remote_Access */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:22 /* SSH */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            127.0.0.1            udp dpt:22 /* SSH */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     lo      0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
 3757 1411K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
  100  6032 ACCEPT     all  --  eth1   *       192.168.80.0/24      0.0.0.0/0            /* Allow_Local_Network */

Chain OUTPUT (policy ACCEPT 4825 packets, 708K bytes)
 pkts bytes target     prot opt in     out     source               destination
« Last Edit: November 29, 2015, 09:55:19 pm by huh »

phenigma

Re: 12.04 and 14.04 Firewall Issues
« Reply #1 on: November 30, 2015, 02:28:43 pm »
Thank you for the detailed post and information!  Hopefully Alblasco can make something of this in his work on 1204. 

I share some of your issues with the firewall.  I am able to disable the firewall and ssh works perfectly internally and externally for me.  For myself, I do a lot of testing and installing.  I use a separate router/firewall for my internet connection that I place my core(s) behind.  That being said, we would definitely like to see our firewall fully functional again.

J.

coley

Re: 12.04 and 14.04 Firewall Issues
« Reply #2 on: December 01, 2015, 03:36:30 pm »
I was fighting a lack of ssh access on my internal network too on a recent install.
I suspected the firewall too but disabling it or allowing port 22 didn't help.
In the end:
Code:
sudo dpkg-reconfigure openssh-server
re-generated the host keys and now I have ssh access, with firewall enabled, maybe the keys aren't getting generated correctly on install.
I haven't tried external access yet.

-Coley.
« Last Edit: December 01, 2015, 08:40:26 pm by coley »
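Coley's fix above regenerates the sshd host keys, and phenigma later confirms they were not being generated on a fresh install. The following script is an added example, not code from the thread or from LinuxMCE: it checks the state of those keys (present, non-empty, 0600 on the private half, public half beside it) so a host-key problem can be told apart from a firewall one before anyone touches iptables. It assumes the stock Ubuntu layout /etc/ssh/ssh_host_<type>_key and the rsa/dsa/ecdsa/ed25519 key types; ed25519 only exists from OpenSSH 6.5 on, so it is absent on 12.04's 5.9 even on a healthy install.

```python
"""Check openssh-server's host keys before blaming the firewall for a dead
port 22.  Added example, not LinuxMCE code; it assumes the stock Ubuntu
layout /etc/ssh/ssh_host_<type>_key and can be pointed at any directory."""
import os
import stat
import sys

# ed25519 arrived in OpenSSH 6.5, so it is absent on 12.04's 5.9 even when
# everything is fine; it is reported but not needed for sshd to start.
HOST_KEY_TYPES = ("rsa", "dsa", "ecdsa", "ed25519")


def check_host_keys(ssh_dir="/etc/ssh", types=HOST_KEY_TYPES):
    """Return (usable_key_types, problems).  sshd exits with "no hostkeys
    available" when the first list is empty, and then no iptables rule can
    make port 22 answer."""
    usable, problems = [], []
    for t in types:
        priv = os.path.join(ssh_dir, f"ssh_host_{t}_key")
        if not os.path.isfile(priv):
            problems.append(f"{priv}: missing")
            continue
        st = os.stat(priv)
        ok = True
        if st.st_size == 0:
            problems.append(f"{priv}: empty file, cannot be loaded")
            ok = False
        if st.st_mode & 0o077:  # group/other bits set on a private key
            problems.append(f"{priv}: mode {oct(stat.S_IMODE(st.st_mode))}, a private key must be 0600")
            ok = False
        if not os.path.isfile(priv + ".pub"):
            problems.append(f"{priv}.pub: public half missing")
        if ok:
            usable.append(t)
    if not usable:
        problems.append("no usable host key: regenerate with `sudo dpkg-reconfigure "
                        "openssh-server` (Coley's fix) or `sudo ssh-keygen -A`")
    return usable, problems


if __name__ == "__main__":
    usable, problems = check_host_keys(sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh")
    print("usable host keys:", ", ".join(usable) or "none")
    for p in problems:
        print("problem:", p)
    sys.exit(0 if usable else 1)
```

Run it as `python3 check_host_keys.py` on the core (or with a directory argument to inspect a copied /etc/ssh). A non-zero exit means sshd cannot have started, which matches the symptom in this thread where neither disabling the firewall nor opening port 22 helped.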

phenigma

Re: 12.04 and 14.04 Firewall Issues
« Reply #3 on: December 01, 2015, 08:14:09 pm »
I have verified the ssh issue on a fresh dvd install of 1204.  Thanks for the info Coley!  I'll find out where this should be happening and check/reintroduce it.  Likely fell out in my re-jig of the installation methods.

J.

phenigma

Re: 12.04 and 14.04 Firewall Issues
« Reply #4 on: December 02, 2015, 08:21:04 pm »
The ssh keys will be regenerated properly on installs again once the pkgs and dvds are rebuilt.  Thanks guys.

J.

huh

Re: 12.04 and 14.04 Firewall Issues
« Reply #5 on: December 02, 2015, 09:53:09 pm »
Great news- I'll test it as soon as possible.

What about port forwarding?  Have you been able to test that?  For an example, I'd like to forward port 8008 to my Ago box downstream of LMCE.  I should be able to use the prerouting port forwarding to forward the incoming 8008 to 192.168.80.x:8008, but the request times out.

phenigma

Re: 12.04 and 14.04 Firewall Issues
« Reply #6 on: December 02, 2015, 09:54:42 pm »
Unfortunately iptables is outside my realm of expertise, it is on my list to explore but I have to leave that to Alblasco at the moment.   :P

J.

huh

Re: 12.04 and 14.04 Firewall Issues
« Reply #7 on: January 07, 2016, 03:57:55 am »
Working:  Finally got access to it and did a full apt-get update/upgrade (still 12.04 system)- the remote access (port 80) works going to "Outside Access" and enabling it.  Access on port 22 did not work until applying Coley's solution (sudo dpkg-reconfigure openssh-server).  I'll try from an external network tomorrow.

Not Working:  Adding nat port_forwarding does not work.  After clicking "add" after plugging in the fields, the page refreshes, but the rule does not show on either the basic or advanced configuration page.

iptables -nvL:
Code:
Chain INPUT (policy DROP 9 packets, 360 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x29
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x3F
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x00
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x06
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x03/0x03
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x11/0x01
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x37
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1
 1807  185K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
 2191  306K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
 2894  546K ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* Allow_DHCP */
   81 18310 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* Allow_DHCP */
   69  3980 ACCEPT     all  --  eth1   *       192.168.80.0/24      0.0.0.0/0            /* Allow_Local_Network */
    0     0 ACCEPT     all  --  eth1   *       192.168.81.0/24      0.0.0.0/0            /* Allow_Local_Network */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:80 /* Remote_Access */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            127.0.0.1            udp dpt:80 /* Remote_Access */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:22 /* SSH */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            127.0.0.1            udp dpt:22 /* SSH */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* webadmin */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* ssh_access */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     lo      0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
 9071 4051K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
  651 60782 ACCEPT     all  --  eth1   *       192.168.80.0/24      0.0.0.0/0            /* Allow_Local_Network */
    0     0 ACCEPT     all  --  eth1   *       192.168.81.0/24      0.0.0.0/0            /* Allow_Local_Network */
    0     0 ACCEPT     all  --  eth1   *       192.168.81.0/24      0.0.0.0/0            /* Allow_Local_Network */

Chain OUTPUT (policy ACCEPT 6794 packets, 901K bytes)
 pkts bytes target     prot opt in     out     source               destination
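Both iptables listings in this thread (the Nov 29 post and the Jan 7 one above) show why the rules added through "Outside Access" never counted a packet: the ACCEPTs labelled Remote_Access and SSH are restricted to destination 127.0.0.1, which a packet arriving on eth0 or eth1 never carries, while the later webadmin and ssh_access rules are open on every interface and every source, the external NIC included. The FORWARD chain in both listings only admits RELATED,ESTABLISHED traffic and connections originating on eth1, so a PREROUTING DNAT for port 8008 to a downstream host would be discarded there by the DROP policy. The following is an added example, not LinuxMCE's code or the firewall script it ships: a small Python audit that parses `iptables -nvL` output and flags exactly those patterns. The filter listing is embedded as a constructed sample trimmed from the Jan 7 post; the nat excerpt and its inside host 192.168.80.50 are assumptions, since the thread never shows a nat table.

```python
"""Audit `iptables -nvL` output for rules that cannot do what their comment
says.  Added example, not LinuxMCE code: it reads the text iptables prints
and never touches the live ruleset, so it runs offline."""
import ipaddress
import re
from collections import namedtuple

# Constructed sample: INPUT and FORWARD from huh's Jan 7, 2016 post, trimmed.
FILTER = """\
Chain INPUT (policy DROP 9 packets, 360 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1807  185K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
   69  3980 ACCEPT     all  --  eth1   *       192.168.80.0/24      0.0.0.0/0            /* Allow_Local_Network */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:80 /* Remote_Access */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:22 /* SSH */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* webadmin */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* ssh_access */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     lo      0.0.0.0/0            0.0.0.0/0            /* Allow_Loopback */
 9071 4051K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow_Established */
  651 60782 ACCEPT     all  --  eth1   *       192.168.80.0/24      0.0.0.0/0            /* Allow_Local_Network */
    0     0 ACCEPT     all  --  eth1   *       192.168.81.0/24      0.0.0.0/0            /* Allow_Local_Network */
    0     0 ACCEPT     all  --  eth1   *       192.168.81.0/24      0.0.0.0/0            /* Allow_Local_Network */
"""
# Constructed `iptables -t nat -nvL` excerpt: the port 8008 forward huh asks
# about, with an assumed inside host 192.168.80.50 (not from the thread).
NAT = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8008 to:192.168.80.50:8008
"""

Rule = namedtuple("Rule", "chain pkts target proto in_if out_if src dst extra")
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_counter(tok):  # iptables abbreviates counters as 185K, 4051K, 1.2M ...
    return int(float(tok[:-1]) * _SUFFIX[tok[-1]]) if tok[-1] in _SUFFIX else int(tok)


def comment(r):  # the /* ... */ label, or the target when there is none
    m = re.search(r"/\* (.*?) \*/", r.extra)
    return m.group(1) if m else r.target


def parse(text):
    """Return {chain: (policy, [Rule, ...])} from `iptables -nvL` text."""
    chains, chain = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            chain = m.group(1)
            chains[chain] = (m.group(2) or "-", [])
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [rest]
        if chain is None or len(f) < 9 or f[0] == "pkts":
            continue
        chains[chain][1].append(Rule(chain, parse_counter(f[0]), f[2], f[3], f[5], f[6],
                                     f[7], f[8], f[9] if len(f) > 9 else ""))
    return chains


def forward_admits(fwd_rules, in_if, ip):
    """Does some FORWARD ACCEPT admit a *new* connection from in_if to ip?"""
    for r in fwd_rules:
        if r.target != "ACCEPT" or "ESTABLISHED" in r.extra:
            continue  # the conntrack rule passes replies, never the first SYN
        if in_if != "*" and r.in_if not in ("*", in_if):
            continue
        if ipaddress.ip_address(ip) in ipaddress.ip_network(r.dst, strict=False):
            return True
    return False


def audit(filter_text, nat_text=""):
    """Flag ACCEPTs that can never match, duplicates, rules open on every
    interface, and DNATs that the FORWARD chain will drop."""
    findings, seen = [], set()
    chains = parse(filter_text)
    for chain, (_, rules) in chains.items():
        for n, r in enumerate(rules, 1):
            where = f"{chain} rule {n} ({comment(r)})"
            if r.target == "ACCEPT" and r.dst.startswith("127.") and r.in_if != "lo":
                findings.append(f"{where}: destination {r.dst} only matches loopback traffic; "
                                "packets arriving on eth0/eth1 carry the interface address")
            if (r.target == "ACCEPT" and "dpt:" in r.extra and r.in_if == "*"
                    and r.src == "0.0.0.0/0" and r.dst == "0.0.0.0/0"):
                findings.append(f"{where}: accepts from any source on any interface, the external NIC included")
            key = r[:1] + r[2:]  # everything but the packet counter
            if key in seen:
                findings.append(f"{where}: exact duplicate of an earlier rule")
            seen.add(key)
    fwd = chains.get("FORWARD", ("-", []))[1]
    for n, r in enumerate(parse(nat_text).get("PREROUTING", ("-", []))[1], 1):
        m = re.search(r"\bto:(\d+(?:\.\d+){3})(?::\d+)?", r.extra)
        if r.target == "DNAT" and m and not forward_admits(fwd, r.in_if, m.group(1)):
            findings.append(f"PREROUTING rule {n} ({comment(r)}): forwards to {m.group(0)[3:]} but "
                            f"no FORWARD ACCEPT admits a new connection from {r.in_if}; the DROP policy discards it")
    return findings


if __name__ == "__main__":
    for line in audit(FILTER, NAT):
        print(line)
```

On a real core, capture `sudo iptables -nvL` and `sudo iptables -t nat -nvL` to two files and pass their contents to audit(). What the findings point at: the Remote_Access and SSH rules need the interface address or 0.0.0.0/0 as destination to ever match; the webadmin and ssh_access rules should be pinned with -i to the interface, or to the source range, they are meant to be reached from, since as posted they also answer on the external NIC; and every PREROUTING DNAT needs a matching FORWARD ACCEPT for its target host and port, because the conntrack rule only passes replies.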