Article 6KJX9 SSH only accepts connections from a specific IP address range

by Jason.nix from LinuxQuestions.org on (#6KJX9)

Hello,
I installed Docker on a Debian and my iptables rules are:
Code:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-646660b25eeb -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-646660b25eeb -j DOCKER
-A FORWARD -i br-646660b25eeb ! -o br-646660b25eeb -j ACCEPT
-A FORWARD -i br-646660b25eeb -o br-646660b25eeb -j ACCEPT
-A FORWARD -o br-81041652e829 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-81041652e829 -j DOCKER
-A FORWARD -i br-81041652e829 ! -o br-81041652e829 -j ACCEPT
-A FORWARD -i br-81041652e829 -o br-81041652e829 -j ACCEPT
-A FORWARD -o br-b13678883aac -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b13678883aac -j DOCKER
-A FORWARD -i br-b13678883aac ! -o br-b13678883aac -j ACCEPT
-A FORWARD -i br-b13678883aac -o br-b13678883aac -j ACCEPT
-A FORWARD -o br-1b1370bfafc6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-1b1370bfafc6 -j DOCKER
-A FORWARD -i br-1b1370bfafc6 ! -o br-1b1370bfafc6 -j ACCEPT
-A FORWARD -i br-1b1370bfafc6 -o br-1b1370bfafc6 -j ACCEPT
-A FORWARD -o br-f14b192fe8d5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-f14b192fe8d5 -j DOCKER
-A FORWARD -i br-f14b192fe8d5 ! -o br-f14b192fe8d5 -j ACCEPT
-A FORWARD -i br-f14b192fe8d5 -o br-f14b192fe8d5 -j ACCEPT
-A FORWARD -o br-e2386c174feb -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e2386c174feb -j DOCKER
-A FORWARD -i br-e2386c174feb ! -o br-e2386c174feb -j ACCEPT
-A FORWARD -i br-e2386c174feb -o br-e2386c174feb -j ACCEPT
-A FORWARD -o br-934ab550fff1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-934ab550fff1 -j DOCKER
-A FORWARD -i br-934ab550fff1 ! -o br-934ab550fff1 -j ACCEPT
-A FORWARD -i br-934ab550fff1 -o br-934ab550fff1 -j ACCEPT
-A FORWARD -o br-5a13cc881d3a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-5a13cc881d3a -j DOCKER
-A FORWARD -i br-5a13cc881d3a ! -o br-5a13cc881d3a -j ACCEPT
-A FORWARD -i br-5a13cc881d3a -o br-5a13cc881d3a -j ACCEPT
-A DOCKER -d 172.24.0.2/32 ! -i br-b13678883aac -o br-b13678883aac -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1b1370bfafc6 ! -o br-1b1370bfafc6 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e2386c174feb ! -o br-e2386c174feb -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-b13678883aac ! -o br-b13678883aac -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-934ab550fff1 ! -o br-934ab550fff1 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-81041652e829 ! -o br-81041652e829 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-646660b25eeb ! -o br-646660b25eeb -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-5a13cc881d3a ! -o br-5a13cc881d3a -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-f14b192fe8d5 ! -o br-f14b192fe8d5 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1b1370bfafc6 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e2386c174feb -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-b13678883aac -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-934ab550fff1 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-81041652e829 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-646660b25eeb -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-5a13cc881d3a -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-f14b192fe8d5 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

The SSH configuration file is as follows:
Code:
Port 22
ListenAddress 172.20.2.58
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

My PC IP address is 172.21.50.67 and I can only connect to this server from the IP address range 172.20.2.X. Why?

Thank you.
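
Packets addressed to the host itself, such as connections to sshd on 172.20.2.58, traverse the INPUT chain rather than FORWARD or the DOCKER chains. The following is an added example, not part of the original post: it walks an `iptables -S` dump from INPUT and lists every filter-table rule such a packet can reach. The function names are hypothetical, the sample is a shortened copy of the dump above, and only the filter table is covered (not nat/raw/mangle or an nftables ruleset).

```shell
#!/bin/sh
# Added example: list every filter-table rule a packet addressed to the host
# itself (e.g. to sshd) can reach, starting from the INPUT chain.

# Constructed sample: a shortened copy of the `iptables -S` dump in the post.
sample_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.24.0.2/32 ! -i br-b13678883aac -o br-b13678883aac -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER-USER -j RETURN
EOF
}

# input_path_rules (hypothetical helper name): reads `iptables -S` output on
# stdin, follows -j/-g jumps from INPUT, prints each reachable rule and a summary.
input_path_rules() {
awk '
$1 == "-P" && $2 == "INPUT" { policy = $3 }
$1 == "-A" {
    c = $2; n[c]++; rule[c, n[c]] = $0
    for (i = 3; i < NF; i++)
        if ($i == "-j" || $i == "-g") target[c, n[c]] = $(i + 1)
}
END {
    queue[1] = "INPUT"; seen["INPUT"] = 1; head = 1; tail = 1
    while (head <= tail) {
        c = queue[head++]
        for (k = 1; k <= n[c]; k++) {
            print "rule: " rule[c, k]; total++
            t = target[c, k]
            # Only user-defined chains that hold rules are followed.
            if ((t in n) && !(t in seen)) { seen[t] = 1; queue[++tail] = t }
        }
    }
    print "policy=" policy " reachable_rules=" (total + 0)
}'
}

sample_rules | input_path_rules   # -> policy=ACCEPT reachable_rules=0
```

The full dump in the post gives the same summary, because it contains no `-A INPUT` rules: the filter table as listed does not restrict SSH by source address.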