[NCLUG] setup for ssh on two nics
Kevin H. Olson
k.h.olson at att.net
Thu Jan 25 14:49:37 MST 2007
I am certain this issue has been resolved before, but my ability to resolve it or find an answer using google, etc. has failed me.
I have a machine (named squidy), running Fedora Core 3, with two NIC cards. One card is configured to an internal static IP address of 192.168.10.107. This NIC (eth0) is used within the 192.168.10.0/24 network for allowing ssh connections for maintenance. This machine/nic has some public services on non-standard ports (e.g., 8443, 7101) that are forwarded from a firewall (FW-A; public IP 184.108.40.206) to this nic. These services all work fine, and moving them would be a bit painful.
The other card (eth1) is configured to 192.168.12.107, and is connected to the internet address of 220.127.116.11 through a different firewall (FW-B) that forwards port 22 to that second local IP address.
What I need is for the eth0 to accept ssh from the local 192.168.10.0/24 network and respond on that network. I need eth1 to accept ssh from the forwarded port and to answer back on that port. The other services using eth0 use the main gateway that is at 192.168.10.1.
I have a limited number of external addresses that may connect to the 18.104.22.168:22 address, so I thought I could just use specific routes. I added one of the addresses (the 71... below) to the routing table.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
22.214.171.124 192.168.12.1 255.255.255.255 UGH 0 0 0 eth1
192.168.32.0 192.168.10.102 255.255.255.0 UG 0 0 0 eth0
192.168.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 192.168.10.1 0.0.0.0 UG 0 0 0 eth0
The 126.96.36.199 is one machine that is supposed to be able to connect via ssh on 188.8.131.52.
(note: the 192.168.32.0/24 net is a VPN network using OpenVPN).
I have made sure that the iptables is set properly to accept the connection. I added logging to the iptables as well. When a connection is made from the 71.237... address, it shows in the log file, but there is no response from the sshd.
I set the ip_forward in the kernel to 1:
The sshd_config is not set to a specific address.
Do I need to have two separate sshd processes listening to the different IP addresses? Is there something specific about the routing I am missing? The sshd works perfectly within the network, and over the OpenVPN. The external access to ssh that is coming in on eth1 seems to connect, but nary a response is given, and nothing is shown in the /var/log/secure.
Any guidance in this matter is appreciated.
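As an added illustration (not part of the original post), the script below replays the kernel's route selection over the `route -n` table quoted above. It parses the table, does the longest-prefix-match / lowest-metric lookup the Linux FIB performs, and then checks, for a given inbound interface and peer address, whether sshd's reply would leave on the same interface the SYN arrived on. With this table the reply to 18.104.22.168 goes out eth1 via 192.168.12.1 because of the /32 host route, while any other external peer reaching eth1 is answered through the default gateway on eth0, i.e. through FW-A instead of FW-B. The example peer addresses (198.51.100.7 and the internal hosts) are constructed values, and the per-source policy-routing suggestion in the comments is the editor's assumption about the general remedy, not something the post states.

```python
import ipaddress

# Routing table copied from the post's `route -n` output. Columns kept:
# destination, gateway, genmask, flags, metric, iface (Ref/Use dropped).
ROUTE_TABLE = """\
18.104.22.168 192.168.12.1 255.255.255.255 UGH 0 eth1
192.168.32.0 192.168.10.102 255.255.255.0 UG 0 eth0
192.168.12.0 0.0.0.0 255.255.255.0 U 0 eth1
192.168.10.0 0.0.0.0 255.255.255.0 U 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 eth1
0.0.0.0 192.168.10.1 0.0.0.0 UG 0 eth0
"""


def parse_routes(text):
    """Turn `route -n` style lines into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dest, gw, mask, flags, metric, iface = line.split()
        routes.append({
            "net": ipaddress.IPv4Network(f"{dest}/{mask}"),
            "gw": gw,            # "0.0.0.0" means directly connected
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


ROUTES = parse_routes(ROUTE_TABLE)


def lookup(dst, routes=ROUTES):
    """Return (gateway, iface) for dst using longest-prefix match;
    a lower metric wins among routes of equal prefix length."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["gw"], best["iface"]


def reply_is_symmetric(in_iface, peer, routes=ROUTES):
    """True when the reply to `peer` leaves on the interface the request
    arrived on. A False result means the SYN/ACK takes the other firewall
    and the peer never sees it (asymmetric routing)."""
    hop = lookup(peer, routes)
    return hop is not None and hop[1] == in_iface


def audit(in_iface, peers, routes=ROUTES):
    """Map each peer to the reply path, flagging asymmetric ones."""
    report = {}
    for peer in peers:
        gw, iface = lookup(peer, routes)
        report[peer] = {
            "reply_via": f"{iface} (gw {gw})",
            "symmetric": iface == in_iface,
        }
    return report


if __name__ == "__main__":
    # Constructed sample: the host from the post plus one more external peer.
    external_peers = ["18.104.22.168", "198.51.100.7"]
    for peer, info in audit("eth1", external_peers).items():
        status = "ok" if info["symmetric"] else "ASYMMETRIC"
        print(f"{peer:>16}  reply via {info['reply_via']:<24} {status}")
    # A per-host route works only for peers listed in the table; for an
    # open-ended set of peers the usual Linux remedy (editor's assumption,
    # not from the post) is a per-source rule, e.g. `ip rule add from
    # 192.168.12.107 table <n>` with a default route via 192.168.12.1 in
    # that table, so replies sourced from eth1's address always exit eth1.
```

Running the script prints one line per peer; the second peer is reported as asymmetric because only the default route matches it, which is the situation any new remote address would hit until a matching host route (or a source-based rule) exists.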