SSH
From dbawiki
Contents
- 1 How to set up SSH so I don't have to type a password
- 2 scp files to server adding automatically to known_hosts
- 3 Problems?
- 4 Client is still asking for password even though keys are setup?
- 5 References
- 6 Tunneling
- 7 Regenerate a public key from a private key
- 8 A small script (seems to originate from Oracle) that sets up ssh keys between 2 accounts
- 9 A bigger (more elaborate) script that I also found embedded in an Oracle setup
- 10 Add this to /etc/ssh/sshrc to get the magic cookies added automatically
How to set up SSH so I don't have to type a password[edit]
Using an ssh keypair enables us to scp files from machine to machine without needing a password
The private key MUST remain private - if anyone gets hold of it, they can also transfer files to the remote machine.
The private key stays on the local machine, the public key goes out to anyone who wants it!
Or put another way, private key is on the sending machine, public key is on the receiving machine.
- Generate a key-pair
Run
ssh-keygen -t rsa
to generate an RSA keypair. You now have 2 keys. The public key is stored in ~/.ssh/id_rsa.pub, and your private key is in ~/.ssh/id_rsa.
- Upload public key to remote machine
scp ~/.ssh/id_rsa.pub <remote>:/tmp
Login to remote machine and
cat /tmp/id_rsa.pub >>~/.ssh/authorized_keys
Check file permissions
authorized_keys and id_rsa have to be 600
id_rsa.pub can be 644
ls -al ~/.ssh/id_rsa ls -al ~/.ssh/id_rsa.pub ls -al ~/.ssh/authorized_keys
- Load your private key into an agent (optional)
If you load your private key into an agent, it will hold the decrypted key in memory. Otherwise, you would have have to enter the key's passphrase (if you used one) every time you connect. To load the key, run
ssh-add
and enter the key's passphrase. (If your key is not in the default location ~/.ssh/id_rsa, you will need to provide the full path. For example, ssh-add ~/.ssh/id_rsa_my_ssh_key).
If ssh-add says "Could not open a connection to your authentication agent.", then you don't have a SSH agent running. Launch one using this command:
eval $(ssh-agent)
scp files to server adding automatically to known_hosts[edit]
When copying files to a server for the first time, you are asked if you want to add the servers fingerprint to the known_hosts file. To avoid the question and add automatically, use:
scp -o Batchmode=yes -o StrictHostKeyChecking=no <files> <server>
Problems?[edit]
- Permissions. Check your home directory is writable only by you (eg: 750), the .ssh directory is 700 and the id* and auth* files are 600.
- From the client (the one with the private key on it), add a -v switch to the scp command. This will show debugging info. -vv gives more. -vvv gives even more!
- On the server (remote machine), look at the logs to see if there is any more info in there (try /var/log/messages or /var/log/auth.log or /var/log/authlog or /var/log/secure)
- Check the /etc/ssh/sshd_config file on the remote machine for settings like StrictModes. If this is on, the permissions above will be important.
- After all these failed attempts, has your username been locked out?
On AIX, look at and reset the unsuccessful login counter:
USERNAME=<username>
/usr/sbin/lsuser ${USERNAME}
/usr/bin/chsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s ${USERNAME}
/usr/bin/chuser account_locked=false ${USERNAME}
/usr/bin/chuser rlogin=true ${USERNAME}
- Check the server log file:
vi /etc/syslog.conf and see where the auth logs go
On AIX, this is /var/adm/syslogs/auth. This shows:
Authentication tried for <user> with correct key but not from a permitted host <host>
authorized_keys file on the server will need 'from="<ip addr>,<ip addr>,<ip addr>..."'
On Redhat Linux, this file is called /var/log/secure
- Start up another sshd server for diagnosis
Start up a second instance of sshd on an alternative port (on the server machine)
server# $(which sshd) -p 2200 -d
Keep that window open, as the debugging information is written to standard output. Then on the client, connect to the alternative port:
client$ ssh -p 2200 username@server
If the key is rejected, a reason for the rejection should be revealed on the server.
Client is still asking for password even though keys are setup?[edit]
Try forcing the ssh options... (useful if you cannot change the sshd config on the server)
ssh -o PubkeyAuthentication=yes -o PasswordAuthentication=no -X user@server
References[edit]
- [ssh - authorized_keys HOWTO]
- [http://sleepyhead.de/howto/?href=ssh]
- chaining ssh tunnels
- ssh gymnastics
- aix4admins
- OpenSSH at Fedora
Tunneling[edit]
Building an SSH tunnel can be very useful for working on the other side of firewalls.
- ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples
- chaining-ssh-tunnels - anattatechnologies
- howto-use-toad-over-an-ssh-tunnel
- connect-to-oracle-database-11g-server-through-ssh-tunnel
References[edit]
- http://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/
- http://en.wikipedia.org/wiki/Tunneling_protocol
- http://www.revsys.com/writings/quicktips/ssh-tunnel.html
- how-to-setup-ssh-tunnel-to-forward-ssh
Regenerate a public key from a private key[edit]
-y option spits out the public key!
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
A small script (seems to originate from Oracle) that sets up ssh keys between 2 accounts[edit]
if [ $# -lt 1 ]; then
echo Usage: $0 username@remotehost
exit
fi
remote="$1" # 1st command-line argument is the user@remotehost address
this=`hostname` # $HOST # name of client host
PATH=/usr/bin/ssh:$PATH
# first check if we need to run ssh-keygen for generating
# $HOME/.ssh with public and private keys:
if [ ! -d $HOME/.ssh ]; then
echo "just type RETURN for each question:" # no passphrase - unsecure
# generate RSA1, RSA and DSA keys:
echo; echo; echo
ssh-keygen -t rsa1
echo; echo; echo
ssh-keygen -t rsa
echo; echo; echo
ssh-keygen -t dsa
else
# we have $HOME/.ssh, but check that we have all types of
# keys (RSA1, RSA, DSA):
if [ ! -f $HOME/.ssh/identity ]; then
# generate RSA1 keys:
echo "just type RETURN for each question:" # no passphrase - unsecure
ssh-keygen -t rsa1
fi
if [ ! -f $HOME/.ssh/id_rsa ]; then
# generate RSA keys:
echo "just type RETURN for each question:" # no passphrase - unsecure
ssh-keygen -t rsa
fi
if [ ! -f $HOME/.ssh/id_dsa ]; then
# generate DSA keys:
echo "just type RETURN for each question:" # no passphrase - unsecure
ssh-keygen -t dsa
fi
fi
cd $HOME/.ssh
if [ ! -f config ]; then
# make ssh try ssh -1 (RSA1 keys) first and then ssh -2 (DSA keys)
echo "Protocol 1,2" > config
fi
# copy public keys (all three types) to the destination host:
echo; echo; echo
# create .ssh on remote host if it's not there:
ssh $remote 'if [ ! -d .ssh ]; then mkdir .ssh; fi'
# copy RSA1 key:
scp identity.pub ${remote}:.ssh/${this}_rsa1.pub
# copy RSA key:
scp id_rsa.pub ${remote}:.ssh/${this}_rsa.pub
# copy DSA key:
scp id_dsa.pub ${remote}:.ssh/${this}_dsa.pub
# make authorized_keys(2) files on remote host:
echo; echo; echo
# this one copies all three keys:
ssh $remote "cd .ssh; cat ${this}_rsa1.pub >> authorized_keys; cat ${this}_rsa.pub >> authorized_keys2; cat ${this}_dsa.pub >> authorized_keys2;"
# this one copies RSA1 and DSA keys:
ssh $remote "cd .ssh; cat ${this}_rsa1.pub >> authorized_keys; cat ${this}_dsa.pub >> authorized_keys2;"
echo; echo; echo
echo "try an ssh $remote"
A bigger (more elaborate) script that I also found embedded in an Oracle setup[edit]
#!/bin/sh
# Nitin Jerath - Aug 2005
#Usage sshUserSetup.sh -user <user name> [ -hosts \"<space separated hostlist>\" | -hostfile <absolute path of cluster configuration file> ] [ -advanced ] [ -verify] [ -exverify ] [ -logfile <desired absolute path of logfile> ] [-confirm] [-shared] [-help] [-usePassphrase] [-noPromptPassphrase]
#eg. sshUserSetup.sh -hosts "host1 host2" -user njerath -advanced
#This script is used to setup SSH connectivity from the host on which it is
# run to the specified remote hosts. After this script is run, the user can use # SSH to run commands on the remote hosts or copy files between the local host
# and the remote hosts without being prompted for passwords or confirmations.
# The list of remote hosts and the user name on the remote host is specified as
# a command line parameter to the script. Note that in case the user on the
# remote host has its home directory NFS mounted or shared across the remote
# hosts, this script should be used with -shared option.
#Specifying the -advanced option on the command line would result in SSH
# connectivity being setup among the remote hosts which means that SSH can be
# used to run commands on one remote host from the other remote host or copy
# files between the remote hosts without being prompted for passwords or
# confirmations.
#Please note that the script would remove write permissions on the remote hosts
#for the user home directory and ~/.ssh directory for "group" and "others". This
# is an SSH requirement. The user would be explicitly informed about this by teh script and prompted to continue. In case the user presses no, the script would exit. In case the user does not want to be prompted, he can use -confirm option.
# As a part of the setup, the script would use SSH to create files within ~/.ssh
# directory of the remote node and to setup the requisite permissions. The
#script also uses SCP to copy the local host public key to the remote hosts so
# that the remote hosts trust the local host for SSH. At the time, the script
#performs these steps, SSH connectivity has not been completely setup hence
# the script would prompt the user for the remote host password.
#For each remote host, for remote users with non-shared homes this would be
# done once for SSH and once for SCP. If the number of remote hosts are x, the
# user would be prompted 2x times for passwords. For remote users with shared
# homes, the user would be prompted only twice, once each for SCP and SSH.
#For security reasons, the script does not save passwords and reuse it. Also,
# for security reasons, the script does not accept passwords redirected from a
#file. The user has to key in the confirmations and passwords at the prompts.
#The -verify option means that the user just wants to verify whether SSH has
#been set up. In this case, the script would not setup SSH but would only check
# whether SSH connectivity has been setup from the local host to the remote
# hosts. The script would run the date command on each remote host using SSH. In
# case the user is prompted for a password or sees a warning message for a
#particular host, it means SSH connectivity has not been setup correctly for
# that host.
#In case the -verify option is not specified, the script would setup SSH and
#then do the verification as well.
#In case the user speciies the -exverify option, an exhaustive verification would be done. In that case, the following would be checked:
# 1. SSH connectivity from local host to all remote hosts.
# 2. SSH connectivity from each remote host to itself and other remote hosts.
#echo Parsing command line arguments
numargs=$#
ADVANCED=false
HOSTNAME=`hostname`
CONFIRM=no
SHARED=false
i=1
USR=$USER
if test -z "$TEMP"
then
TEMP=/tmp
fi
IDENTITY=id_rsa
LOGFILE=$TEMP/sshUserSetup_`date +%F-%H-%M-%S`.log
VERIFY=false
EXHAUSTIVE_VERIFY=false
HELP=false
PASSPHRASE=no
RERUN_SSHKEYGEN=no
NO_PROMPT_PASSPHRASE=no
while [ $i -le $numargs ]
do
j=$1
if [ $j = "-hosts" ]
then
HOSTS=$2
shift 1
i=`expr $i + 1`
fi
if [ $j = "-user" ]
then
USR=$2
shift 1
i=`expr $i + 1`
fi
if [ $j = "-logfile" ]
then
LOGFILE=$2
shift 1
i=`expr $i + 1`
fi
if [ $j = "-confirm" ]
then
CONFIRM=yes
fi
if [ $j = "-hostfile" ]
then
CLUSTER_CONFIGURATION_FILE=$2
shift 1
i=`expr $i + 1`
fi
if [ $j = "-usePassphrase" ]
then
PASSPHRASE=yes
fi
if [ $j = "-noPromptPassphrase" ]
then
NO_PROMPT_PASSPHRASE=yes
fi
if [ $j = "-shared" ]
then
SHARED=true
fi
if [ $j = "-exverify" ]
then
EXHAUSTIVE_VERIFY=true
fi
if [ $j = "-verify" ]
then
VERIFY=true
fi
if [ $j = "-advanced" ]
then
ADVANCED=true
fi
if [ $j = "-help" ]
then
HELP=true
fi
i=`expr $i + 1`
shift 1
done
if [ $HELP = "true" ]
then
echo "Usage $0 -user <user name> [ -hosts \"<space separated hostlist>\" | -hostfile <absolute path of cluster configuration file> ] [ -advanced ] [ -verify] [ -exverify ] [ -logfile <desired absolute path of logfile> ] [-confirm] [-shared] [-help] [-usePassphrase] [-noPromptPassphrase]"
echo "This script is used to setup SSH connectivity from the host on which it is run to the specified remote hosts. After this script is run, the user can use SSH to run commands on the remote hosts or copy files between the local host and the remote hosts without being prompted for passwords or confirmations. The list of remote hosts and the user name on the remote host is specified as a command line parameter to the script. "
echo "-user : User on remote hosts. "
echo "-hosts : Space separated remote hosts list. "
echo "-hostfile : The user can specify the host names either through the -hosts option or by specifying the absolute path of a cluster configuration file. A sample host file contents are below: "
echo
echo " stacg30 stacg30int 10.1.0.0 stacg30v -"
echo " stacg34 stacg34int 10.1.0.1 stacg34v -"
echo
echo " The first column in each row of the host file will be used as the host name."
echo
echo "-usePassphrase : The user wants to set up passphrase to encrypt the private key on the local host. "
echo "-noPromptPassphrase : The user does not want to be prompted for passphrase related questions. This is for users who want the default behavior to be followed."
echo "-shared : In case the user on the remote host has its home directory NFS mounted or shared across the remote hosts, this script should be used with -shared option. "
echo " It is possible for the user to determine whether a user's home directory is shared or non-shared. Let us say we want to determine that user user1's home directory is shared across hosts A, B and C."
echo " Follow the following steps:"
echo " 1. On host A, touch ~user1/checkSharedHome.tmp"
echo " 2. On hosts B and C, ls -al ~user1/checkSharedHome.tmp"
echo " 3. If the file is present on hosts B and C in ~user1 directory and"
echo " is identical on all hosts A, B, C, it means that the user's home "
echo " directory is shared."
echo " 4. On host A, rm -f ~user1/checkSharedHome.tmp"
echo " In case the user accidentally passes -shared option for non-shared homes or viceversa,SSH connectivity would only be set up for a subset of the hosts. The user would have to re-run the setyp script with the correct option to rectify this problem."
echo "-advanced : Specifying the -advanced option on the command line would result in SSH connectivity being setup among the remote hosts which means that SSH can be used to run commands on one remote host from the other remote host or copy files between the remote hosts without being prompted for passwords or confirmations."
echo "-confirm: The script would remove write permissions on the remote hosts for the user home directory and ~/.ssh directory for "group" and "others". This is an SSH requirement. The user would be explicitly informed about this by the script and prompted to continue. In case the user presses no, the script would exit. In case the user does not want to be prompted, he can use -confirm option."
echo "As a part of the setup, the script would use SSH to create files within ~/.ssh directory of the remote node and to setup the requisite permissions. The script also uses SCP to copy the local host public key to the remote hosts so that the remote hosts trust the local host for SSH. At the time, the script performs these steps, SSH connectivity has not been completely setup hence the script would prompt the user for the remote host password. "
echo "For each remote host, for remote users with non-shared homes this would be done once for SSH and once for SCP. If the number of remote hosts are x, the user would be prompted 2x times for passwords. For remote users with shared homes, the user would be prompted only twice, once each for SCP and SSH. For security reasons, the script does not save passwords and reuse it. Also, for security reasons, the script does not accept passwords redirected from a file. The user has to key in the confirmations and passwords at the prompts. "
echo "-verify : -verify option means that the user just wants to verify whether SSH has been set up. In this case, the script would not setup SSH but would only check whether SSH connectivity has been setup from the local host to the remote hosts. The script would run the date command on each remote host using SSH. In case the user is prompted for a password or sees a warning message for a particular host, it means SSH connectivity has not been setup correctly for that host. In case the -verify option is not specified, the script would setup SSH and then do the verification as well. "
echo "-exverify : In case the user speciies the -exverify option, an exhaustive verification for all hosts would be done. In that case, the following would be checked: "
echo " 1. SSH connectivity from local host to all remote hosts. "
echo " 2. SSH connectivity from each remote host to itself and other remote hosts. "
echo The -exverify option can be used in conjunction with the -verify option as well to do an exhaustive verification once the setup has been done.
echo "Taking some examples: Let us say local host is Z, remote hosts are A,B and C. Local user is njerath. Remote users are racqa(non-shared), aime(shared)."
echo "$0 -user racqa -hosts \"A B C\" -advanced -exverify -confirm"
echo "Script would set up connectivity from Z -> A, Z -> B, Z -> C, A -> A, A -> B, A -> C, B -> A, B -> B, B -> C, C -> A, C -> B, C -> C."
echo "Since user has given -exverify option, all these scenario would be verified too."
echo
echo "Now the user runs : $0 -user racqa -hosts \"A B C\" -verify"
echo "Since -verify option is given, no SSH setup would be done, only verification of existing setup. Also, since -exverify or -advanced options are not given, script would only verify connectivity from Z -> A, Z -> B, Z -> C"
echo "Now the user runs : $0 -user racqa -hosts \"A B C\" -verify -advanced"
echo "Since -verify option is given, no SSH setup would be done, only verification of existing setup. Also, since -advanced options is given, script would verify connectivity from Z -> A, Z -> B, Z -> C, A-> A, A->B, A->C, A->D"
echo "Now the user runs:"
echo "$0 -user aime -hosts \"A B C\" -confirm -shared"
echo "Script would set up connectivity between Z->A, Z->B, Z->C only since advanced option is not given."
echo "All these scenarios would be verified too."
exit
fi
if test -z "$HOSTS"
then
if test -n "$CLUSTER_CONFIGURATION_FILE" && test -f "$CLUSTER_CONFIGURATION_FILE"
then
HOSTS=`awk '$1 !~ /^#/ { str = str " " $1 } END { print str }' $CLUSTER_CONFIGURATION_FILE`
elif ! test -f "$CLUSTER_CONFIGURATION_FILE"
then
echo "Please specify a valid and existing cluster configuration file."
fi
fi
if test -z "$HOSTS" || test -z $USR
then
echo "Either user name or host information is missing"
echo "Usage $0 -user <user name> [ -hosts \"<space separated hostlist>\" | -hostfile <absolute path of cluster configuration file> ] [ -advanced ] [ -verify] [ -exverify ] [ -logfile <desired absolute path of logfile> ] [-confirm] [-shared] [-help] [-usePassphrase] [-noPromptPassphrase]"
exit 1
fi
if [ -d $LOGFILE ]; then
echo $LOGFILE is a directory, setting logfile to $LOGFILE/ssh.log
LOGFILE=$LOGFILE/ssh.log
fi
echo The output of this script is also logged into $LOGFILE | tee -a $LOGFILE
if [ `echo $?` != 0 ]; then
echo Error writing to the logfile $LOGFILE, Exiting
exit 1
fi
echo Hosts are $HOSTS | tee -a $LOGFILE
echo user is $USR | tee -a $LOGFILE
SSH="/usr/bin/ssh"
SCP="/usr/bin/scp"
SSH_KEYGEN="/usr/bin/ssh-keygen"
calculateOS()
{
platform=`uname -s`
case "$platform"
in
"SunOS") os=solaris;;
"Linux") os=linux;;
"HP-UX") os=hpunix;;
"AIX") os=aix;;
*) echo "Sorry, $platform is not currently supported." | tee -a $LOGFILE
exit 1;;
esac
echo "Platform:- $platform " | tee -a $LOGFILE
}
calculateOS
BITS=1024
ENCR="rsa"
deadhosts=""
alivehosts=""
if [ $platform = "Linux" ]
then
PING="/bin/ping"
else
PING="/usr/sbin/ping"
fi
#bug 9044791
if [ -n "$SSH_PATH" ]; then
SSH=$SSH_PATH
fi
if [ -n "$SCP_PATH" ]; then
SCP=$SCP_PATH
fi
if [ -n "$SSH_KEYGEN_PATH" ]; then
SSH_KEYGEN=$SSH_KEYGEN_PATH
fi
if [ -n "$PING_PATH" ]; then
PING=$PING_PATH
fi
PATH_ERROR=0
if test ! -x $SSH ; then
echo "ssh not found at $SSH. Please set the variable SSH_PATH to the correct location of ssh and retry."
PATH_ERROR=1
fi
if test ! -x $SCP ; then
echo "scp not found at $SCP. Please set the variable SCP_PATH to the correct location of scp and retry."
PATH_ERROR=1
fi
if test ! -x $SSH_KEYGEN ; then
echo "ssh-keygen not found at $SSH_KEYGEN. Please set the variable SSH_KEYGEN_PATH to the correct location of ssh-keygen and retry."
PATH_ERROR=1
fi
if test ! -x $PING ; then
echo "ping not found at $PING. Please set the variable PING_PATH to the correct location of ping and retry."
PATH_ERROR=1
fi
if [ $PATH_ERROR = 1 ]; then
echo "ERROR: one or more of the required binaries not found, exiting"
exit 1
fi
#9044791 end
echo Checking if the remote hosts are reachable | tee -a $LOGFILE
for host in $HOSTS
do
if [ $platform = "SunOS" ]; then
$PING -s $host 5 5
elif [ $platform = "HP-UX" ]; then
$PING $host -n 5 -m 5
else
$PING -c 5 -w 5 $host
fi
exitcode=`echo $?`
if [ $exitcode = 0 ]
then
alivehosts="$alivehosts $host"
else
deadhosts="$deadhosts $host"
fi
done
if test -z "$deadhosts"
then
echo Remote host reachability check succeeded. | tee -a $LOGFILE
echo The following hosts are reachable: $alivehosts. | tee -a $LOGFILE
echo The following hosts are not reachable: $deadhosts. | tee -a $LOGFILE
echo All hosts are reachable. Proceeding further... | tee -a $LOGFILE
else
echo Remote host reachability check failed. | tee -a $LOGFILE
echo The following hosts are reachable: $alivehosts. | tee -a $LOGFILE
echo The following hosts are not reachable: $deadhosts. | tee -a $LOGFILE
echo Please ensure that all the hosts are up and re-run the script. | tee -a $LOGFILE
echo Exiting now... | tee -a $LOGFILE
exit 1
fi
firsthost=`echo $HOSTS | awk '{print $1}; END { }'`
echo firsthost $firsthost
numhosts=`echo $HOSTS | awk '{ }; END {print NF}'`
echo numhosts $numhosts
if [ $VERIFY = "true" ]
then
echo Since user has specified -verify option, SSH setup would not be done. Only, existing SSH setup would be verified. | tee -a $LOGFILE
continue
else
echo The script will setup SSH connectivity from the host ''`hostname`'' to all | tee -a $LOGFILE
echo the remote hosts. After the script is executed, the user can use SSH to run | tee -a $LOGFILE
echo commands on the remote hosts or copy files between this host ''`hostname`'' | tee -a $LOGFILE
echo and the remote hosts without being prompted for passwords or confirmations. | tee -a $LOGFILE
echo | tee -a $LOGFILE
echo NOTE 1: | tee -a $LOGFILE
echo As part of the setup procedure, this script will use 'ssh' and 'scp' to copy | tee -a $LOGFILE
echo files between the local host and the remote hosts. Since the script does not | tee -a $LOGFILE
echo store passwords, you may be prompted for the passwords during the execution of | tee -a $LOGFILE
echo the script whenever 'ssh' or 'scp' is invoked. | tee -a $LOGFILE
echo | tee -a $LOGFILE
echo NOTE 2: | tee -a $LOGFILE
echo "AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY" | tee -a $LOGFILE
echo AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEDGES TO THESE | tee -a $LOGFILE
echo "directories." | tee -a $LOGFILE
echo | tee -a $LOGFILE
echo "Do you want to continue and let the script make the above mentioned changes (yes/no)?" | tee -a $LOGFILE
if [ "$CONFIRM" = "no" ]
then
read CONFIRM
else
echo "Confirmation provided on the command line" | tee -a $LOGFILE
fi
echo | tee -a $LOGFILE
echo The user chose ''$CONFIRM'' | tee -a $LOGFILE
if [ "$CONFIRM" = "no" ]
then
echo "SSH setup is not done." | tee -a $LOGFILE
exit 1
else
if [ $NO_PROMPT_PASSPHRASE = "yes" ]
then
echo "User chose to skip passphrase related questions." | tee -a $LOGFILE
else
typeset -i PASSPHRASE_PROMPT
if [ $SHARED = "true" ]
then
PASSPHRASE_PROMPT=2*${numhosts}+1
else
PASSPHRASE_PROMPT=2*${numhosts}
fi
echo "Please specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type 'yes' or 'no' and then press enter. In case you press 'yes', you would need to enter the passphrase whenever the script executes ssh or scp. " | tee -a $LOGFILE
echo "The estimated number of times the user would be prompted for a passphrase is $PASSPHRASE_PROMPT. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion. " | tee -a $LOGFILE
echo "Enter 'yes' or 'no'." | tee -a $LOGFILE
if [ $PASSPHRASE = "no" ]
then
read PASSPHRASE
else
echo "Confirmation provided on the command line" | tee -a $LOGFILE
fi
echo | tee -a $LOGFILE
echo The user chose ''$PASSPHRASE'' | tee -a $LOGFILE
if [ "$PASSPHRASE" = "yes" ]
then
RERUN_SSHKEYGEN="yes"
#Checking for existence of ${IDENTITY} file
if test -f $HOME/.ssh/${IDENTITY}.pub && test -f $HOME/.ssh/${IDENTITY}
then
echo "The files containing the client public and private keys already exist on the local host. The current private key may or may not have a passphrase associated with it. In case you remember the passphrase and do not want to re-run ssh-keygen, press 'no' and enter. If you press 'no', the script will not attempt to create any new public/private key pairs. If you press 'yes', the script will remove the old private/public key files existing and create new ones prompting the user to enter the passphrase. If you enter 'yes', any previous SSH user setups would be reset. If you press 'change', the script will associate a new passphrase with the old keys." | tee -a $LOGFILE
echo "Press 'yes', 'no' or 'change'" | tee -a $LOGFILE
read RERUN_SSHKEYGEN
echo The user chose ''$RERUN_SSHKEYGEN'' | tee -a $LOGFILE
fi
else
if test -f $HOME/.ssh/${IDENTITY}.pub && test -f $HOME/.ssh/${IDENTITY}
then
echo "The files containing the client public and private keys already exist on the local host. The current private key may have a passphrase associated with it. In case you find using passphrase inconvenient(although it is more secure), you can change to it empty through this script. Press 'change' if you want the script to change the passphrase for you. Press 'no' if you want to use your old passphrase, if you had one."
read RERUN_SSHKEYGEN
echo The user chose ''$RERUN_SSHKEYGEN'' | tee -a $LOGFILE
fi
fi
fi
echo Creating .ssh directory on local host, if not present already | tee -a $LOGFILE
mkdir -p $HOME/.ssh | tee -a $LOGFILE
echo Creating authorized_keys file on local host | tee -a $LOGFILE
touch $HOME/.ssh/authorized_keys | tee -a $LOGFILE
echo Changing permissions on authorized_keys to 644 on local host | tee -a $LOGFILE
chmod 644 $HOME/.ssh/authorized_keys | tee -a $LOGFILE
mv -f $HOME/.ssh/authorized_keys $HOME/.ssh/authorized_keys.tmp | tee -a $LOGFILE
echo Creating known_hosts file on local host | tee -a $LOGFILE
touch $HOME/.ssh/known_hosts | tee -a $LOGFILE
echo Changing permissions on known_hosts to 644 on local host | tee -a $LOGFILE
chmod 644 $HOME/.ssh/known_hosts | tee -a $LOGFILE
mv -f $HOME/.ssh/known_hosts $HOME/.ssh/known_hosts.tmp | tee -a $LOGFILE
echo Creating config file on local host | tee -a $LOGFILE
echo If a config file exists already at $HOME/.ssh/config, it would be backed up to $HOME/.ssh/config.backup.
echo "Host *" > $HOME/.ssh/config.tmp | tee -a $LOGFILE
echo "ForwardX11 no" >> $HOME/.ssh/config.tmp | tee -a $LOGFILE
if test -f $HOME/.ssh/config
then
cp -f $HOME/.ssh/config $HOME/.ssh/config.backup
fi
mv -f $HOME/.ssh/config.tmp $HOME/.ssh/config | tee -a $LOGFILE
chmod 644 $HOME/.ssh/config
if [ $RERUN_SSHKEYGEN = "yes" ]
then
echo Removing old private/public keys on local host | tee -a $LOGFILE
rm -f $HOME/.ssh/${IDENTITY} | tee -a $LOGFILE
rm -f $HOME/.ssh/${IDENTITY}.pub | tee -a $LOGFILE
echo Running SSH keygen on local host | tee -a $LOGFILE
$SSH_KEYGEN -t $ENCR -b $BITS -f $HOME/.ssh/${IDENTITY} | tee -a $LOGFILE
elif [ $RERUN_SSHKEYGEN = "change" ]
then
echo Running SSH Keygen on local host to change the passphrase associated with the existing private key | tee -a $LOGFILE
$SSH_KEYGEN -p -t $ENCR -b $BITS -f $HOME/.ssh/${IDENTITY} | tee -a $LOGFILE
elif test -f $HOME/.ssh/${IDENTITY}.pub && test -f $HOME/.ssh/${IDENTITY}
then
continue
else
echo Removing old private/public keys on local host | tee -a $LOGFILE
rm -f $HOME/.ssh/${IDENTITY} | tee -a $LOGFILE
rm -f $HOME/.ssh/${IDENTITY}.pub | tee -a $LOGFILE
echo Running SSH keygen on local host with empty passphrase | tee -a $LOGFILE
$SSH_KEYGEN -t $ENCR -b $BITS -f $HOME/.ssh/${IDENTITY} -N '' | tee -a $LOGFILE
fi
if [ $SHARED = "true" ]
then
if [ $USER = $USR ]
then
#No remote operations required
echo Remote user is same as local user | tee -a $LOGFILE
REMOTEHOSTS=""
chmod og-w $HOME $HOME/.ssh | tee -a $LOGFILE
else
REMOTEHOSTS="${firsthost}"
fi
else
REMOTEHOSTS="$HOSTS"
fi
for host in $REMOTEHOSTS
do
echo Creating .ssh directory and setting permissions on remote host $host | tee -a $LOGFILE
echo "THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR "group" AND "others" ON THE HOME DIRECTORY FOR $USR. THIS IS AN SSH REQUIREMENT." | tee -a $LOGFILE
echo The script would create ~$USR/.ssh/config file on remote host $host. If a config file exists already at ~$USR/.ssh/config, it would be backed up to ~$USR/.ssh/config.backup. | tee -a $LOGFILE
echo The user may be prompted for a password here since the script would be running SSH on host $host. | tee -a $LOGFILE
$SSH -o StrictHostKeyChecking=no -x -l $USR $host "/bin/sh -c \" mkdir -p .ssh ; chmod og-w . .ssh; touch .ssh/authorized_keys .ssh/known_hosts; chmod 644 .ssh/authorized_keys .ssh/known_hosts; cp .ssh/authorized_keys .ssh/authorized_keys.tmp ; cp .ssh/known_hosts .ssh/known_hosts.tmp; echo \\"Host *\\" > .ssh/config.tmp; echo \\"ForwardX11 no\\" >> .ssh/config.tmp; if test -f .ssh/config ; then cp -f .ssh/config .ssh/config.backup; fi ; mv -f .ssh/config.tmp .ssh/config\"" | tee -a $LOGFILE
echo Done with creating .ssh directory and setting permissions on remote host $host. | tee -a $LOGFILE
done
for host in $REMOTEHOSTS
do
echo Copying local host public key to the remote host $host | tee -a $LOGFILE
echo The user may be prompted for a password or passphrase here since the script would be using SCP for host $host. | tee -a $LOGFILE
$SCP $HOME/.ssh/${IDENTITY}.pub $USR@$host:.ssh/authorized_keys | tee -a $LOGFILE
echo Done copying local host public key to the remote host $host | tee -a $LOGFILE
done
cat $HOME/.ssh/${IDENTITY}.pub >> $HOME/.ssh/authorized_keys | tee -a $LOGFILE
for host in $HOSTS
do
if [ $ADVANCED = "true" ]
then
echo Creating keys on remote host $host if they do not exist already. This is required to setup SSH on host $host. | tee -a $LOGFILE
if [ $SHARED = "true" ]
then
IDENTITY_FILE_NAME=${IDENTITY}_$host
COALESCE_IDENTITY_FILES_COMMAND="cat .ssh/${IDENTITY_FILE_NAME}.pub >> .ssh/authorized_keys"
else
IDENTITY_FILE_NAME=${IDENTITY}
fi
$SSH -o StrictHostKeyChecking=no -x -l $USR $host " /bin/sh -c \"if test -f .ssh/${IDENTITY_FILE_NAME}.pub && test -f .ssh/${IDENTITY_FILE_NAME}; then echo; else rm -f .ssh/${IDENTITY_FILE_NAME} ; rm -f .ssh/${IDENTITY_FILE_NAME}.pub ; $SSH_KEYGEN -t $ENCR -b $BITS -f .ssh/${IDENTITY_FILE_NAME} -N '' ; fi; ${COALESCE_IDENTITY_FILES_COMMAND} \"" | tee -a $LOGFILE
else
#At least get the host keys from all hosts for shared case - advanced option not set
if test $SHARED = "true" && test $ADVANCED = "false"
then
if [ $PASSPHRASE = "yes" ]
then
echo "The script will fetch the host keys from all hosts. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase." | tee -a $LOGFILE
fi
$SSH -o StrictHostKeyChecking=no -x -l $USR $host "/bin/sh -c true"
fi
fi
done
for host in $REMOTEHOSTS
do
if test $ADVANCED = "true" && test $SHARED = "false"
then
$SCP $USR@$host:.ssh/${IDENTITY}.pub $HOME/.ssh/${IDENTITY}.pub.$host | tee -a $LOGFILE
cat $HOME/.ssh/${IDENTITY}.pub.$host >> $HOME/.ssh/authorized_keys | tee -a $LOGFILE
rm -f $HOME/.ssh/${IDENTITY}.pub.$host | tee -a $LOGFILE
fi
done
for host in $REMOTEHOSTS
do
if [ $ADVANCED = "true" ]
then
if [ $SHARED != "true" ]
then
echo Updating authorized_keys file on remote host $host | tee -a $LOGFILE
$SCP $HOME/.ssh/authorized_keys $USR@$host:.ssh/authorized_keys | tee -a $LOGFILE
fi
echo Updating known_hosts file on remote host $host | tee -a $LOGFILE
$SCP $HOME/.ssh/known_hosts $USR@$host:.ssh/known_hosts | tee -a $LOGFILE
fi
if [ $PASSPHRASE = "yes" ]
then
echo "The script will run SSH on the remote machine $host. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase." | tee -a $LOGFILE
fi
$SSH -x -l $USR $host "/bin/sh -c \"cat .ssh/authorized_keys.tmp >> .ssh/authorized_keys; cat .ssh/known_hosts.tmp >> .ssh/known_hosts; rm -f .ssh/known_hosts.tmp .ssh/authorized_keys.tmp\"" | tee -a $LOGFILE
done
cat $HOME/.ssh/known_hosts.tmp >> $HOME/.ssh/known_hosts | tee -a $LOGFILE
cat $HOME/.ssh/authorized_keys.tmp >> $HOME/.ssh/authorized_keys | tee -a $LOGFILE
#Added chmod to fix BUG NO 5238814
chmod 644 $HOME/.ssh/authorized_keys
#Fix for BUG NO 5157782
chmod 644 $HOME/.ssh/config
rm -f $HOME/.ssh/known_hosts.tmp $HOME/.ssh/authorized_keys.tmp | tee -a $LOGFILE
echo SSH setup is complete. | tee -a $LOGFILE
fi
fi
echo | tee -a $LOGFILE
echo ------------------------------------------------------------------------ | tee -a $LOGFILE
echo Verifying SSH setup | tee -a $LOGFILE
echo =================== | tee -a $LOGFILE
echo The script will now run the 'date' command on the remote nodes using ssh | tee -a $LOGFILE
echo to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP, | tee -a $LOGFILE
echo THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR | tee -a $LOGFILE
echo PASSWORDS. If you see any output other than date or are prompted for the | tee -a $LOGFILE
echo password, ssh is not setup correctly and you will need to resolve the | tee -a $LOGFILE
echo issue and set up ssh again. | tee -a $LOGFILE
echo The possible causes for failure could be: | tee -a $LOGFILE
echo 1. The server settings in /etc/ssh/sshd_config file do not allow ssh | tee -a $LOGFILE
echo for user $USR. | tee -a $LOGFILE
echo 2. The server may have disabled public key based authentication.
echo 3. The client public key on the server may be outdated.
echo 4. ~$USR or ~$USR/.ssh on the remote host may not be owned by $USR. | tee -a $LOGFILE
echo 5. User may not have passed -shared option for shared remote users or | tee -a $LOGFILE
echo may be passing the -shared option for non-shared remote users. | tee -a $LOGFILE
echo 6. If there is output in addition to the date, but no password is asked, | tee -a $LOGFILE
echo it may be a security alert shown as part of company policy. Append the | tee -a $LOGFILE
echo "additional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file." | tee -a $LOGFILE
echo ------------------------------------------------------------------------ | tee -a $LOGFILE
#read -t 30 dummy
for host in $HOSTS
do
echo --$host:-- | tee -a $LOGFILE
echo Running $SSH -x -l $USR $host date to verify SSH connectivity has been setup from local host to $host. | tee -a $LOGFILE
echo "IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR." | tee -a $LOGFILE
if [ $PASSPHRASE = "yes" ]
then
echo "The script will run SSH on the remote machine $host. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase." | tee -a $LOGFILE
fi
$SSH -l $USR $host "/bin/sh -c date" | tee -a $LOGFILE
echo ------------------------------------------------------------------------ | tee -a $LOGFILE
done
if [ $EXHAUSTIVE_VERIFY = "true" ]
then
for clienthost in $HOSTS
do
if [ $SHARED = "true" ]
then
REMOTESSH="$SSH -i .ssh/${IDENTITY}_${clienthost}"
else
REMOTESSH=$SSH
fi
for serverhost in $HOSTS
do
echo ------------------------------------------------------------------------ | tee -a $LOGFILE
echo Verifying SSH connectivity has been setup from $clienthost to $serverhost | tee -a $LOGFILE
echo ------------------------------------------------------------------------ | tee -a $LOGFILE
echo "IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL." | tee -a $LOGFILE
$SSH -l $USR $clienthost "$REMOTESSH $serverhost \"/bin/sh -c date\"" | tee -a $LOGFILE
echo ------------------------------------------------------------------------ | tee -a $LOGFILE
done
echo -Verification from $clienthost complete- | tee -a $LOGFILE
done
else
if [ $ADVANCED = "true" ]
then
if [ $SHARED = "true" ]
then
REMOTESSH="$SSH -i .ssh/${IDENTITY}_${firsthost}"
else
REMOTESSH=$SSH
fi
for host in $HOSTS
do
echo ------------------------------------------------------------------------ | tee -a $LOGFILE
echo Verifying SSH connectivity has been setup from $firsthost to $host | tee -a $LOGFILE
echo "IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL." | tee -a $LOGFILE
$SSH -l $USR $firsthost "$REMOTESSH $host \"/bin/sh -c date\"" | tee -a $LOGFILE
echo ------------------------------------------------------------------------ | tee -a $LOGFILE
done
echo -Verification from $clienthost complete- | tee -a $LOGFILE
fi
fi
echo "SSH verification complete." | tee -a $LOGFILE
Add this to /etc/ssh/sshrc to get the magic cookies added automatically[edit]
if read proto cookie && [ -n "$DISPLAY" ]; then
if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
# X11UseLocalhost=yes
echo add unix:`echo $DISPLAY |
cut -c11-` $proto $cookie
else
# X11UseLocalhost=no
echo add $DISPLAY $proto $cookie
fi | xauth -q -
fi
Some stuff I did to get tunnels open to an Oracle server - didn't work yet
(0)bey9at77@my_PC:/home/bey9at77/scripts> telnet 207.129.217.26 22 Trying 207.129.217.26... Connected to 207.129.217.26. Escape character is '^]'. SSH-2.0-OpenSSH_6.0 ^C Connection closed by foreign host. (0)bey9at77@my_PC:/home/bey9at77/scripts> netstat -an | grep 207 tcp 0 0 9.36.153.84:32904 9.36.207.26:22 ESTABLISHED unix 3 [ ] STREAM CONNECTED 20726525 /home/bey9at77/.pulse/202b121052083db8500c6fc00000001c-runtime/native unix 3 [ ] STREAM CONNECTED 20726524 unix 3 [ ] STREAM CONNECTED 5037207 /home/bey9at77/.pulse/202b121052083db8500c6fc00000001c-runtime/native
(0)bey9at77@my_PC:/home/bey9at77/scripts> /sbin/ifconfig
eth1 Link encap:Ethernet HWaddr 00:21:CC:65:A3:65
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:1250962 errors:0 dropped:0 overruns:0 frame:0
TX packets:975839 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:823202227 (785.0 MiB) TX bytes:187253577 (178.5 MiB)
Interrupt:20 Memory:f2500000-f2520000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:548763 errors:0 dropped:0 overruns:0 frame:0
TX packets:548763 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:275281528 (262.5 MiB) TX bytes:275281528 (262.5 MiB)
virbr0 Link encap:Ethernet HWaddr 52:54:00:FD:BE:C9
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:119495 errors:0 dropped:0 overruns:0 frame:0
TX packets:173181 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11358048 (10.8 MiB) TX bytes:188176715 (179.4 MiB)
(0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -L [sudo] password for bey9at77: Chain INPUT (policy DROP) target prot opt source destination ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:bootps ACCEPT tcp -- anywhere anywhere tcp dpt:bootps ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:bootps ACCEPT tcp -- anywhere anywhere tcp dpt:bootps ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns ACCEPT tcp -- anywhere anywhere tcp dpt:bootps ACCEPT udp -- anywhere anywhere udp dpt:bootps ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns ACCEPT tcp -- anywhere anywhere tcp dpt:bootps ACCEPT udp -- anywhere anywhere udp dpt:bootps ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable ACCEPT tcp -- anywhere anywhere tcp dpt:cfengine ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp dpt:vnc-server ACCEPT tcp -- anywhere anywhere tcp dpt:5901 ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere tcp dpt:5656 ACCEPT udp -- anywhere anywhere udp dpts:avt-profile-1:avt-profile-2 ACCEPT tcp -- anywhere anywhere tcp dpts:avt-profile-1:avt-profile-2 ACCEPT udp -- anywhere anywhere udp dpt:20830 ACCEPT tcp -- anywhere anywhere tcp dpt:20830 ACCEPT tcp -- anywhere anywhere tcp dpts:sip:na-localise ACCEPT udp -- anywhere anywhere udp dpts:sip:na-localise ACCEPT tcp -- anywhere anywhere tcp dpt:12080 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp ACCEPT tcp -- anywhere anywhere tcp dpt:21100 ACCEPT tcp -- anywhere anywhere tcp dpt:dc ACCEPT udp -- anywhere anywhere udp dpt:wizard ACCEPT ah -- anywhere anywhere ACCEPT esp -- anywhere anywhere ACCEPT udp -- anywhere anywhere state NEW udp dpt:isakmp ACCEPT 254 -- anywhere anywhere ACCEPT icmp -- anywhere anywhere icmp destination-unreachable ACCEPT icmp -- anywhere anywhere icmp source-quench ACCEPT icmp -- anywhere anywhere icmp time-exceeded ACCEPT icmp -- anywhere anywhere icmp parameter-problem ACCEPT icmp -- anywhere anywhere icmp router-advertisement ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT icmp -- anywhere anywhere icmp echo-reply ACCEPT tcp -- anywhere anywhere tcp dpt:ipp ACCEPT tcp -- anywhere anywhere tcp dpt:tproxy ACCEPT tcp -- anywhere anywhere tcp dpt:virtual-places ACCEPT udp -- anywhere anywhere state NEW udp dpt:52311 ACCEPT tcp -- anywhere anywhere tcp dpts:30000:30005 DROP tcp -- anywhere anywhere tcp dpts:bootps:bootpc DROP udp -- anywhere anywhere udp dpts:bootps:bootpc DROP tcp -- anywhere anywhere tcp dpt:netbios-ns DROP udp -- anywhere anywhere udp dpt:netbios-ns DROP tcp -- anywhere anywhere tcp dpt:netbios-dgm DROP udp -- anywhere anywhere udp dpt:netbios-dgm DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn DROP udp -- anywhere anywhere udp dpt:netbios-ssn DROP tcp -- anywhere anywhere tcp dpts:tcpmux:ftp-data DROP tcp -- anywhere anywhere tcp dpt:sunrpc DROP tcp -- anywhere anywhere tcp dpts:snmp:snmptrap DROP tcp -- anywhere anywhere tcp dpt:efs DROP tcp -- anywhere anywhere tcp dpts:6348:6349 DROP tcp -- anywhere anywhere tcp dpts:6345:gnutella-rtr ACCEPT tcp -- anywhere 192.168.122.1 tcp dpt:microsoft-ds ACCEPT tcp -- anywhere 192.168.122.1 tcp dpt:proxima-lm ACCEPT tcp -- anywhere 192.168.123.1 tcp dpt:microsoft-ds ACCEPT tcp -- anywhere 192.168.123.1 tcp dpt:proxima-lm ACCEPT tcp -- anywhere anywhere tcp dpt:48500 ACCEPT tcp -- anywhere anywhere tcp dpt:48500 LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 LOG level info prefix `FIREWALL: ' LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level info prefix `FIREWALL: ' DROP all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-port-unreachable ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED ACCEPT all -- 192.168.122.0/24 anywhere ACCEPT all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-port-unreachable TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED ACCEPT all -- 192.168.122.0/24 anywhere ACCEPT all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-port-unreachable ACCEPT all -- anywhere 192.168.123.0/24 state RELATED,ESTABLISHED ACCEPT all -- 192.168.123.0/24 anywhere ACCEPT all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain OUTPUT (policy ACCEPT) target prot opt source destination (0)bey9at77@my_PC:/home/bey9at77/scripts> ssh -L 1521:localhost:1521 207.129.217.26 The authenticity of host '207.129.217.26 (207.129.217.26)' can't be established. RSA key fingerprint is 2d:70:2e:b4:12:48:e9:20:fd:b0:de:b1:b4:67:41:1f. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '207.129.217.26' (RSA) to the list of known hosts. [email protected]'s password:
(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh -L 1521:localhost:9099 ehemgtaix -N The authenticity of host 'ehemgtaix (207.129.107.120)' can't be established. RSA key fingerprint is 63:0a:a8:27:99:1f:32:73:8e:94:22:cd:80:b3:73:10. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'ehemgtaix,207.129.107.120' (RSA) to the list of known hosts. bey9at77@ehemgtaix's password:
(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh -L 1521:192.168.122.1:9099 exs4bars@ehemgtaix -N channel 1: open failed: connect failed: A remote host did not respond within the timeout period. channel 2: open failed: connect failed: A remote host did not respond within the timeout period. Connection to ehemgtaix closed by remote host. You have new mail in /var/spool/mail/bey9at77
(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh 192.168.122.1 -p 1521 ssh: connect to host 192.168.122.1 port 1521: Connection refused
(0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -A INPUT -i virbr0 -p tcp --dport 1521 -j ACCEPT [sudo] password for bey9at77: (0)bey9at77@my_PC:/home/bey9at77/scripts> ssh 192.168.122.1 -p 1521 ssh: connect to host 192.168.122.1 port 1521: Connection refused
(0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:bootps ACCEPT tcp -- anywhere anywhere tcp dpt:bootps ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:bootps ACCEPT tcp -- anywhere anywhere tcp dpt:bootps ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns ACCEPT tcp -- anywhere anywhere tcp dpt:bootps ACCEPT udp -- anywhere anywhere udp dpt:bootps ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns ACCEPT tcp -- anywhere anywhere tcp dpt:bootps ACCEPT udp -- anywhere anywhere udp dpt:bootps ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable ACCEPT tcp -- anywhere anywhere tcp dpt:cfengine ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp dpt:vnc-server ACCEPT tcp -- anywhere anywhere tcp dpt:5901 ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere tcp dpt:5656 ACCEPT udp -- anywhere anywhere udp dpts:avt-profile-1:avt-profile-2 ACCEPT tcp -- anywhere anywhere tcp dpts:avt-profile-1:avt-profile-2 ACCEPT udp -- anywhere anywhere udp dpt:20830 ACCEPT tcp -- anywhere anywhere tcp dpt:20830 ACCEPT tcp -- anywhere anywhere tcp dpts:sip:na-localise ACCEPT udp -- anywhere anywhere udp dpts:sip:na-localise ACCEPT tcp -- anywhere anywhere tcp dpt:12080 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp ACCEPT tcp -- anywhere anywhere tcp dpt:21100 ACCEPT tcp -- anywhere anywhere tcp dpt:dc ACCEPT udp -- anywhere anywhere udp dpt:wizard ACCEPT ah -- anywhere anywhere ACCEPT esp -- anywhere anywhere ACCEPT udp -- anywhere anywhere state NEW udp dpt:isakmp ACCEPT 254 -- anywhere anywhere ACCEPT icmp -- anywhere anywhere icmp destination-unreachable ACCEPT icmp -- anywhere anywhere icmp source-quench ACCEPT icmp -- anywhere anywhere icmp time-exceeded ACCEPT icmp -- anywhere anywhere icmp parameter-problem ACCEPT icmp -- anywhere anywhere icmp router-advertisement ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT icmp -- anywhere anywhere icmp echo-reply ACCEPT tcp -- anywhere anywhere tcp dpt:ipp ACCEPT tcp -- anywhere anywhere tcp dpt:tproxy ACCEPT tcp -- anywhere anywhere tcp dpt:virtual-places ACCEPT udp -- anywhere anywhere state NEW udp dpt:52311 ACCEPT tcp -- anywhere anywhere tcp dpts:30000:30005 DROP tcp -- anywhere anywhere tcp dpts:bootps:bootpc DROP udp -- anywhere anywhere udp dpts:bootps:bootpc DROP tcp -- anywhere anywhere tcp dpt:netbios-ns DROP udp -- anywhere anywhere udp dpt:netbios-ns DROP tcp -- anywhere anywhere tcp dpt:netbios-dgm DROP udp -- anywhere anywhere udp dpt:netbios-dgm DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn DROP udp -- anywhere anywhere udp dpt:netbios-ssn DROP tcp -- anywhere anywhere tcp dpts:tcpmux:ftp-data DROP tcp -- anywhere anywhere tcp dpt:sunrpc DROP tcp -- anywhere anywhere tcp dpts:snmp:snmptrap DROP tcp -- anywhere anywhere tcp dpt:efs DROP tcp -- anywhere anywhere tcp dpts:6348:6349 DROP tcp -- anywhere anywhere tcp dpts:6345:gnutella-rtr ACCEPT tcp -- anywhere 192.168.122.1 tcp dpt:microsoft-ds ACCEPT tcp -- anywhere 192.168.122.1 tcp dpt:proxima-lm ACCEPT tcp -- anywhere 192.168.123.1 tcp dpt:microsoft-ds ACCEPT tcp -- anywhere 192.168.123.1 tcp dpt:proxima-lm ACCEPT tcp -- anywhere anywhere tcp dpt:48500 ACCEPT tcp -- anywhere anywhere tcp dpt:48500 LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 LOG level info prefix `FIREWALL: ' LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level info prefix `FIREWALL: ' DROP all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere tcp dpt:ncube-lm Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-port-unreachable ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED ACCEPT all -- 192.168.122.0/24 anywhere ACCEPT all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-port-unreachable TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED ACCEPT all -- 192.168.122.0/24 anywhere ACCEPT all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-port-unreachable ACCEPT all -- anywhere 192.168.123.0/24 state RELATED,ESTABLISHED ACCEPT all -- 192.168.123.0/24 anywhere ACCEPT all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain OUTPUT (policy ACCEPT) target prot opt source destination (0)bey9at77@my_PC:/home/bey9at77/scripts> grep 1521 /etc/services ncube-lm 1521/tcp # nCube License Manager ncube-lm 1521/udp # nCube License Manager (0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -n -L -v --line-numbers Chain INPUT (policy DROP 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 2 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 3 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 4 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67 5 6665 477K ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 6 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 7 110 36134 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 8 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67 9 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 10 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 11 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 12 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 13 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67 14 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 15 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 16 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 17 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 18 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 19 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 20 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 21 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67 22 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 23 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 24 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 25 640K 300M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 26 1526K 1015M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 27 33099 3880K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 28 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-port-unreachable 29 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5308 30 3 152 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 31 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5900 32 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5901 33 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 34 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5656 35 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:5004:5005 36 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5004:5005 37 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:20830 38 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20830 39 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5062 40 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5062 41 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12080 42 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53 43 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53 44 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21 45 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21100 46 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2001 47 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2001 48 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 49 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 50 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:500 51 0 0 ACCEPT 254 -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 52 37 3310 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 53 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 54 912 61240 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 55 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 56 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 9 57 3746 225K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 58 93 4400 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 59 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 60 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 61 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1533 62 160 8120 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:52311 63 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:30000:30005 64 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:67:68 65 2175 714K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 66 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:137 67 71334 5594K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 68 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:138 69 4358 974K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 70 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 71 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:139 72 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:20 73 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111 74 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:161:162 75 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:520 76 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6348:6349 77 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6345:6347 78 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 192.168.122.1 tcp dpt:445 79 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 192.168.122.1 tcp dpt:1445 80 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 192.168.123.1 tcp dpt:445 81 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 192.168.123.1 tcp dpt:1445 82 1222 63544 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48500 83 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48500 84 3878 177K LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FIREWALL: ' 85 6981 648K LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FIREWALL: ' 86 47429 4007K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 87 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1521 Chain FORWARD (policy DROP 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT all -- virbr1 virbr1 0.0.0.0/0 0.0.0.0/0 2 0 0 REJECT all -- * virbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 3 0 0 REJECT all -- virbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 4 116K 183M ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED 5 95393 9448K ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0 6 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0 7 0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 8 0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 9 0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU 10 0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED 11 0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0 12 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0 13 0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 14 0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 15 0 0 ACCEPT all -- * virbr1 0.0.0.0/0 192.168.123.0/24 state RELATED,ESTABLISHED 16 0 0 ACCEPT all -- virbr1 * 192.168.123.0/24 0.0.0.0/0 17 0 0 ACCEPT all -- virbr1 virbr1 0.0.0.0/0 0.0.0.0/0 18 0 0 REJECT all -- * virbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 19 0 0 REJECT all -- virbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain OUTPUT (policy ACCEPT 2917 packets, 253K bytes) num pkts bytes target prot opt in out source destination (0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -I INPUT 78 -i virbr0 -p tcp --dport 1521 -j ACCEPT (0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -n -L -v --line-numbers Chain INPUT (policy DROP 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 2 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 3 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 4 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67 5 6670 477K ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 6 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 7 111 36462 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 8 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67 9 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 10 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 11 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 12 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 13 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67 14 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 15 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 16 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 17 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 18 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 19 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 20 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 21 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67 22 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 23 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 24 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 25 642K 300M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 26 1526K 1015M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 27 33107 3881K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 28 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-port-unreachable 29 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5308 30 3 152 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 31 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5900 32 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5901 33 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 34 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5656 35 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:5004:5005 36 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5004:5005 37 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:20830 38 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20830 39 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5062 40 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5062 41 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12080 42 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53 43 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53 44 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21 45 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21100 46 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2001 47 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2001 48 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 49 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 50 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:500 51 0 0 ACCEPT 254 -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 52 37 3310 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 53 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 54 912 61240 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 55 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 56 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 9 57 3749 225K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 58 93 4400 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 59 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 60 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 61 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1533 62 160 8120 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:52311 63 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:30000:30005 64 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:67:68 65 2175 714K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 66 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:137 67 71334 5594K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 68 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:138 69 4358 974K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 70 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 71 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:139 72 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:20 73 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111 74 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:161:162 75 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:520 76 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6348:6349 77 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6345:6347 78 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1521 79 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 192.168.122.1 tcp dpt:445 80 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 192.168.122.1 tcp dpt:1445 81 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 192.168.123.1 tcp dpt:445 82 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 192.168.123.1 tcp dpt:1445 83 1223 63596 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48500 84 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48500 85 3879 177K LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FIREWALL: ' 86 6981 648K LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FIREWALL: ' 87 47430 4007K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 88 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1521 Chain FORWARD (policy DROP 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT all -- virbr1 virbr1 0.0.0.0/0 0.0.0.0/0 2 0 0 REJECT all -- * virbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 3 0 0 REJECT all -- virbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 4 116K 183M ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED 5 95444 9455K ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0 6 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0 7 0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 8 0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 9 0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU 10 0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED 11 0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0 12 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0 13 0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 14 0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 15 0 0 ACCEPT all -- * virbr1 0.0.0.0/0 192.168.123.0/24 state RELATED,ESTABLISHED 16 0 0 ACCEPT all -- virbr1 * 192.168.123.0/24 0.0.0.0/0 17 0 0 ACCEPT all -- virbr1 virbr1 0.0.0.0/0 0.0.0.0/0 18 0 0 REJECT all -- * virbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 19 0 0 REJECT all -- virbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain OUTPUT (policy ACCEPT 73 packets, 5937 bytes) num pkts bytes target prot opt in out source destination (0)bey9at77@my_PC:/home/bey9at77/scripts> ssh 192.168.122.1 -p 1521 ssh: connect to host 192.168.122.1 port 1521: Connection refused
