[CentOS-pt-br] SSH

Janderson Jetto jsjetto at gmail.com
Fri Feb 14 11:45:40 UTC 2020


   Good morning friends,

   I am having trouble with external access via SSH. I have always used CentOS
versions 5 and 6, but the Dell servers no longer accept them, only 7 and
later.

   I connect via OpenVPN and then access the server again via SSH over the
internal network; when I go directly over the Internet it asks for username
and password and gives a password error... but the password is correct, as
it is the same one I use when I connect through OpenVPN...

    Firewall rules (IPTABLES) ok.
    The 200.0/24 range is the one allocated to OpenVPN. As you can see, I even
made a rule just for testing, allowing INPUT to the server from any
source: $IPTABLES -A INPUT -m state --state NEW -j ACCEPT

    I believe it is some setting in the SSH .conf, but that is not really my
area... On CentOS 5 and 6 I never had this problem.

    Many thanks for your help.

#!/bin/sh --debug
###############################################################################
##                 Date 25/01/2020 - Janderson Jetto                         ##
##                        /etc/init.d/firewall                               ##
###############################################################################

# Variables
IPTABLES=/sbin/iptables
IFEXT=em1
IFINT=em2
VPN01=192.168.21.254
DARIUS=191.252.201.92
INTERNA=192.168.21.0/24
DMZ=10.10.21.0/24


######################

# Flush every chain of the filter, nat and mangle tables, then delete user-defined chains
$IPTABLES -L -n | awk '/Chain/ {printf "iptables -F %s\n", $2;}' | /bin/sh
$IPTABLES -t nat -L -n | awk '/Chain/ {printf "iptables -t nat -F %s\n", $2;}' | /bin/sh
$IPTABLES -t mangle -L -n | awk '/Chain/ {printf "iptables -t mangle -F %s\n", $2;}' | /bin/sh
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Default policies: drop inbound and forwarded traffic, allow outbound
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# Allow packets that belong to connections already established
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Logging (every packet that reaches these rules is logged; there is no -m limit)
$IPTABLES -A INPUT -p tcp -j LOG --log-prefix "INPUT TCP: " --log-ip-options
$IPTABLES -A INPUT -p udp -j LOG --log-prefix "INPUT UDP: " --log-ip-options
$IPTABLES -A INPUT -p icmp -j LOG --log-prefix "INPUT ICMP: " --log-ip-options

$IPTABLES -A FORWARD -p tcp -j LOG --log-prefix "FORWARD TCP: " --log-ip-options
$IPTABLES -A FORWARD -p udp -j LOG --log-prefix "FORWARD UDP: " --log-ip-options
$IPTABLES -A FORWARD -p icmp -j LOG --log-prefix "FORWARD ICMP: " --log-ip-options

# Secondary script
#source /usr/local/scripts/firewall/regras_usuario

################################################################################################
#                                                                                              #
# ATTENTION: NEVER CHANGE THE BLOCK ABOVE. CHANGING A VARIABLE CHANGES THE WHOLE SCRIPT        #
#                                                                                              #
################################################################################################

# USER RULES

# MANAGEMENT
#
# Test rule (highlighted in the original message): accept any new inbound connection
$IPTABLES -A INPUT -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -s 191.252.201.92 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -s 192.168.200.9 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -s 192.168.200.5 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -s 192.168.21.10 -p tcp --dport 22 -j ACCEPT
#
$IPTABLES -A FORWARD -m state --state NEW -s 192.168.200.5 -j ACCEPT
################################################################
#
# MANGLE
#
$IPTABLES -t mangle -A PREROUTING -d 192.168.0.0/16 -j RETURN
$IPTABLES -t mangle -A PREROUTING -d 172.16.0.0/12 -j RETURN
$IPTABLES -t mangle -A OUTPUT -d 192.168.0.0/16 -j RETURN
$IPTABLES -t mangle -A OUTPUT -d 172.16.0.0/12 -j RETURN
################################################################
#
# INTERNET - MAIL
#
$IPTABLES -t nat -A POSTROUTING -p tcp -m multiport --dport 465,587,993,995 -o em1 -j SNAT --to-source 192.168.21.254
$IPTABLES -A FORWARD -m state --state NEW -p tcp -m multiport --dport 465,587,993,995 -j ACCEPT
#
################################################################
#
# PROXY
#
$IPTABLES -A INPUT -m state --state NEW -s $INTERNA -p tcp --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -s $DMZ -p tcp --dport 3128 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.21.253 -o em1 -j SNAT --to-source 192.168.21.254
$IPTABLES -A FORWARD -m state --state NEW -s 192.168.21.253 -j ACCEPT
#
################################################################