17th December 2010, 02:23
Romoku

Way to debug incoming connection?

Quote:
Hello,

It's been a long time since I've posted and some nice guides have come around; however, I have found that I require more techniques as I dive deeper into the Linux world.

Problem:

I have a CentOS box running with two NICs, one with a public address and the other NIC has a router in between it and the internet.

Well, I am trying to configure SSH on the box to go through the private address, let's say 192.168.10.205, instead of the public address.

I have set the router to port forward public port 20522 to port 22 private side and I set sshd_config to listen on 192.168.10.205.

When I connect with PuTTY to the router's external IP, port 20522, PuTTY throws a timeout. I do not really have a clue as to how to debug this problem with my experience.

I have read up on adding multiple static routes to my different subnets, but it seems confusing and I do not know if it is appropriate. SSH works on the public address, but not the private address+port forward.

I will keep looking into it and post results if I figure it out on my own.

Thanks,


Romoku

edit:

I have found the <theoretical> problem. I need to setup source based routing for eth0 and eth1 to return their packets back from where they got them. Google isn't very helpful in my queries, but I will keep looking.
ALRIGHT, I figured out the solution in a timely manner.

From: This dude.

Basically, one needs to use iproute2 in order to allow traffic shaping. It could probably be done with iptables, but I know nothing and you can have fun with that.

<Generalization starts now>

iproute2 contains tables, which can be checked using ip rule.

You will want separate tables for each device probably.

Start by editing the /etc/iproute2/rt_tables

#nano /etc/iproute2/rt_tables

Now add two new tables to the bottom of the file, it looks roughly like this:

#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#
#1 inr.ruhep


now add:

#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#
#1 inr.ruhep
1 WAN1
2 LAN1


Now save and we have some tables.

The next step is to actually ADD something to the tables. I will use yyy.yyy.yyy.yyy as an example for the WAN and xxx.xxx.xxx.xxx for the LAN.
For this part, yyy.yyy.yyy.yyy and xxx.xxx.xxx.xxx should be the GATEWAY the interface is connected to. I do not know whether to create a new table for eth0:0 or VLAN-type setups. Will append later.

from the terminal:

#ip route add default via yyy.yyy.yyy.yyy dev eth0 tab 1
#ip route add default via xxx.xxx.xxx.xxx dev eth1 tab 2


Now check the tables.

#ip route show table 1
default via yyy.yyy.yyy.yyy dev eth0

#ip route show table 2
default via xxx.xxx.xxx.xxx dev eth1


Everything should be shiny and now we need RULES.
yyy.yyy.yyy.yyy/ww and xxx.xxx.xxx.xxx/zz should be the IP ADDRESSES assigned to the interfaces eth0 and eth1, while ww and zz are the subnet prefix lengths in CIDR notation, e.g. 192.168.0.100/24.
tl;dr yyy.yyy.yyy.yyy/ww = 192.168.0.100/24 in CIDR notation; yyy.yyy.yyy.yyy is the IP ADDRESS of the interface.

type in the terminal:

#ip rule add from yyy.yyy.yyy.yyy/ww tab 1 priority 500
#ip rule add from xxx.xxx.xxx.xxx/zz tab 2 priority 600

Another e.g. just to get the point across:
#ip rule add from 192.168.0.100/24 tab 1 priority 500

Now we check to make sure the rules are added:

#ip rule show
0: from all lookup local
500: from yyy.yyy.yyy.yyy/ww lookup WAN1
600: from xxx.xxx.xxx.xxx/zz lookup LAN1
32766: from all lookup main
32767: from all lookup 253


We are almost done:

#ip route flush cache

Now we should be done. I have run into a problem. (nvm) The changes do not stay and I will figure out a way to keep the changes saved. (/nvm)

edit:

Alright, to make the changes permanent we must edit /etc/rc.d/rc.local

#nano /etc/rc.d/rc.local

Append

ip route add default via yyy.yyy.yyy.yyy dev eth0 tab 1 #GATEWAY 1
ip route add default via xxx.xxx.xxx.xxx dev eth1 tab 2 #GATEWAY 2
ip rule add from yyy.yyy.yyy.yyy/ww tab 1 priority 500 #IP ADDRESS 1
ip rule add from xxx.xxx.xxx.xxx/zz tab 2 priority 600 #IP ADDRESS 2


To the BOTTOM of the file. We are done.

In conclusion: This is why we cannot have nice things.

tl;dr I know nothing.


-Romoku

Last edited by Romoku; 17th December 2010 at 04:52.
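The procedure in the post above, carried through as one re-runnable script. This is an added example and is not code from the original post or from its author: it assumes the same layout (eth0 public, eth1 private behind a port-forwarding router, per-interface tables 1 and 2, rule priorities 500 and 600) and uses constructed RFC 5737 / RFC 1918 addresses in place of the poster's real ones. It differs from the post in three deliberate ways: the rule matches the host's own address as a /32 rather than the whole interface prefix, each table also carries the connected subnet so replies to a neighbour are not bounced via the gateway, and it finishes by asking the kernel with `ip route get ... from` which interface a reply sourced from each address would leave through, which is the check the original question was missing.

```shell
#!/bin/sh
# Added example, not code from the original post. Source-based policy routing
# for a host with a public NIC and a private NIC behind a port-forwarding
# router, written as functions so the plan can be printed and checked before
# anything touches the kernel. Run as root with "apply" (e.g. from rc.local).
#
# Constructed values (RFC 5737 / RFC 1918 ranges, not the poster's addresses):
#   IFACE ADDR/PREFIX GATEWAY TABLE PRIORITY
WAN='eth0 203.0.113.10/24 203.0.113.1 1 500'
LAN='eth1 192.168.10.205/24 192.168.10.1 2 600'

# host_of 192.168.10.205/24 -> 192.168.10.205/32
host_of() { printf '%s/32\n' "${1%%/*}"; }

# network_of 192.168.10.205/24 -> 192.168.10.0/24 (POSIX arithmetic only)
network_of() {
    addr=${1%%/*}; plen=${1##*/}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    ip32=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( ip32 & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( net >> 24 & 255 )) $(( net >> 16 & 255 )) \
        $(( net >> 8 & 255 )) $(( net & 255 )) "$plen"
}

# plan_for 'IFACE ADDR/PREFIX GATEWAY TABLE PRIORITY': print the ip(8) commands
# for one interface, one per line, without running them.
plan_for() {
    set -- $1
    dev=$1; cidr=$2; gw=$3; tab=$4; prio=$5
    # The connected subnet goes into the per-interface table too; with only a
    # default route there, replies to a neighbour on the same subnet would be
    # handed to the gateway instead of sent directly.
    echo "ip route replace $(network_of "$cidr") dev $dev src ${cidr%%/*} table $tab"
    echo "ip route replace default via $gw dev $dev table $tab"
    # Match the host's own address (/32), not the whole interface prefix: the
    # rule is about which table packets sourced from this address use.
    echo "ip rule add from $(host_of "$cidr") lookup $tab priority $prio"
}

plan() { plan_for "$WAN"; plan_for "$LAN"; echo "ip route flush cache"; }

apply() {
    # Re-runnable: "ip rule add" stacks a duplicate rule on every run, so drop
    # the old rule at that priority first (ignore the error when none exists).
    for t in "$WAN" "$LAN"; do set -- $t; ip rule del priority "$5" 2>/dev/null; done
    plan | while read -r cmd; do echo "+ $cmd"; $cmd || exit 1; done
}

# verify: ask the kernel which interface a packet sourced from each address
# would leave through; it must be that address's own interface.
verify() {
    for t in "$WAN" "$LAN"; do
        set -- $t
        ip route get 198.51.100.7 from "${2%%/*}" | grep -q "dev $1 " ||
            { echo "FAIL: replies from $2 do not leave via $1" >&2; return 1; }
    done
    echo "policy routing OK"
}

case "$1" in
    plan)  plan ;;
    apply) apply && verify ;;
esac
```

Run `sh policy-routing.sh plan` as any user to print the commands, and `sh policy-routing.sh apply` as root to execute and verify them; calling the script from rc.local replaces the four hand-written lines in the post. `ip route replace` is used instead of `add` so a second run does not fail on an existing route, and the `ip rule del` before each `add` keeps `ip rule show` from accumulating duplicate entries. If `verify` fails after `apply`, look at `ip rule show` first (the rule with the lower priority number wins) and then at `ip route show table 1` and `table 2`.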