unable to ssh from sophos utm to vpn client

Hi SnS and welcome to the UTM Community!

fwrule="60003"

These packets are being dropped out of the OUTPUT chain.  Please show the Edit of the firewall rule you made to allow this traffic.

Cheers - Bob

Hi SnS and welcome to the UTM Community!

fwrule="60003"

These packets are being dropped out of the OUTPUT chain.  Please show the Edit of the firewall rule you made to allow this traffic.

Cheers - Bob

Thanks for the welcome, below is my first attempt ended up trying both port 22 and 2222 then when that just kept getting dropped in the firewall I tried the dnat which is below.

logged the initial packet to see in the log and then the auto fire wall rule to go with it, which in the log you can see its trying but then gets dropped.

to further ensure we are on the same page here is a simple explanation what im trying to do.

from windows pc i use putty and ssh into sophosutm as root, then run ssh -p 2222 username@192.168.0.*  and it connects with no issues.

from windows pc i use putty and ssh into sophosutm as root, then run ssh -p 2222 username@10.242.1.2  and connection times out due to firewall issue.

Thank again,

Stubbs

How about a pic of the Edit of the SSL VPN Profile?

Cheers - Bob

Hey Bob, Currently I am not running ssl vpn, I am using PPTP as the vpn service.

I am sure what I am attempting to do is not normal for most users, I have a script that updates some certs, then each day it pushes these certs over ssh to some of the clients on my local network, I was also hoping to use this and push a cert to a client the is connected to the vpn 24/7. once SSH will connect then the rest should work just fine.

Thanks.

Ah yes, you did say PPTP.  Do you have a firewall rule like 'VPN Pool (PPTP) -> Any -> VPN Pool (PPTP) : Allow'?

Cheers - Bob

NOTE 02 Aug 2018: Corrected "SSL" to "PPTP"

No entries for SSL VPN in my firewall or nat. I did try and make a rule like VPN Pool (PPTP) -> Any -> VPN Pool (PPTP) : Allow and it is still being dropped. even trying Any -> Any -> Any it still drops in the firewall log. I am leaning to something hard coded/configured to not allow a ssh connection from the utm to clients on the vpn network. Now if only I could figure out what needs modified. I dont believe its ssh its self, because its being dropped at firewall, especially after having the ssh server listen on multiple ports and trying to connect to different ports.

Also if i add the pptp vpn network to the ssh config i am able to connect from the vpn client to the utm, how ever utm to vpn client still does not work.

Stubbs

After some more digging around I am onto something, I am now able to connect. Next step is to see if we can make this work via webadmin or if I need to write a script to to handle this for me.

This does the trick, all handled under the filter section of iptables:

iptables -I OUTPUT -o ppp0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

note you must use -I to put at top of list, if you use -A to add it to the bottom it falls below the default drop rule.

-A OUTPUT -o ppp0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT ! -s 127.0.0.0/8 -o lo -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60005  -j LOGDROP
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 4472 -m owner --uid-owner 100 -j LOGDROP
-A OUTPUT -o lo -p tcp -m tcp --dport 3002 -j LOCAL_RESTAPI
-A OUTPUT -o lo -p tcp -m tcp --dport 3498 -j LOCAL_RESTAPI
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -d 224.0.0.0/4 -m confirmed -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED -j CONFIRMED
-A OUTPUT -m condition --condition "OUTPUT_ACCEPT_ALL"  -m owner --uid-owner 0 --gid-owner 0 -j CONFIRMED
-A OUTPUT -j HA_OUT
-A OUTPUT -j SANITY_CHECKS
-A OUTPUT -j AUTO_OUTPUT
-A OUTPUT -j USR_OUTPUT
-A OUTPUT -m logmark --logmark 60003  -j LOGDROP

Excellent work!  Does that survive a reboot?  I suspect you will need to add a cron job to put that back @reboot - did you?

Cheers - Bob

Definitely will not survive a reboot, pretty much anytime anything in Web Application Firewall is touched it will reload most all routing configs, but that is ok. I already have an automated script to add wss support to the reverse proxy config file and restart the reverseproxy anytime its not found in the config file and seams that gets wiped every time the iptables get redone so I can just use that script and add another line, or what I may do to make it a standalone component is make a small ram disk and then every minute write the output of iptables --list-rules to a text file in the ram disk and then use a script to read it, if my entry isn't there, then add the line to iptables else do nothing.

went ahead and reworked my wss script to fit my needs here and figured may as well wrap this thread up with the code. I am no professional, just know enough to get what I need done. if you use this code dont forget to mount your ramdisk.

#Script to added ssh over ppp0 to iptables if config is modified by sophos utm
#crontab must contain:
#       SHELL=/bin/sh
#       PATH=/sbin:/usr/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin
#       * * * * * python /root/sshppp0.py
#                   to log add                 >> /root/sshppp0.log 2>&1
#        @reboot /bin/sleep 15 ; mount -t tmpfs -o size=8M tmpfs /root/ramdisk &


import os
import time
import subprocess
from datetime import timedelta
with open('/proc/uptime', 'r') as g:
    uptime_seconds = float(g.readline().split()[0])
#print(uptime_seconds)
if uptime_seconds < 60:
        print "waiting for system to fully boot"
        time.sleep(60)
update = 0
os.system("iptables --list-rules >> /root/ramdisk/iptables.log 2>&1")
time.sleep(2)
with open('/root/ramdisk/iptables.log', 'r') as f:
    f_contents = f.readlines()
    f_contents_readable = f.read()
    print(f_contents_readable)
    for line in f_contents:
        #print f_contents
        if "-A OUTPUT -o ppp0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT\n" in line:
            print('Match Found')
            update = 1
if update == 0:
    os.system("iptables -I OUTPUT -o ppp0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT")
    time.sleep(2)
    update = 2

print update
time.sleep (5)
if update == 0:
    print "ssh over ppp0 not updated"
if update == 2:
    print "ssh over ppp0 updated"
    def send_mail(subject, content):
        import smtplib
        from email.mime.text import MIMEText
        SERVER = "smtp.gmail.com"
        PORT = "465"
        USER = "user@gmail.com"
        PASS = ""
        FROM = "user <user@gmail.com>"
        TO = "user@gmail.com"

        SUBJECT = subject
        TEXT = content

        message = MIMEText(TEXT)
        message['Subject'] = 'added ssh over ppp0 to iptables'
        message['From'] = FROM
        message['To'] = TO

        server = smtplib.SMTP_SSL(SERVER, PORT)
        server.login (USER, PASS)
        server.sendmail(FROM, TO, message.as_string())
        server.quit()

    send_mail('', '')
    
os.system("rm /root/ramdisk/iptables.log")