This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

unable to ssh from sophos utm to vpn client

I have a slight issue, I am trying to ssh connect from inside the sophos utm box to a pptp vpn client.

I am able to ssh connect to clients that are on my internal network of 192.168.0.0

I am not able to ssh connect to clients that are on my pptp vpn network 10.242.1.0 from sophos utm itself, firewall log says default drop rule 60003.

I am able to ssh connect to clients that are on my pptp vpn network from the clients on the local network

I have passed 10.242.1.1 ---> port 2222 ----> 10.242.1.2 allow in the firewall.

I have tried different port numbers and tried adding as a dnat and checking log initial packet when watching real time log the initial packet comes up white but then is quickly dropped by 60003

 

when looking at the log I see

2018:07:29-02:19:04 shortsdedicated ulogd[4049]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="ppp0" srcmac="**:**:**:00:51:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="52858" dstport="2222" tcpflags="SYN" 
2018:07:29-02:19:05 shortsdedicated ulogd[4049]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="ppp0" srcmac="**:**:**:00:51:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="52858" dstport="2222" tcpflags="SYN"
2018:07:29-02:19:07 shortsdedicated ulogd[4049]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="ppp0" srcmac="**:**:**:00:51:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="52858" dstport="2222" tcpflags="SYN"
2018:07:29-02:19:10 shortsdedicated ulogd[4049]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="ppp0" srcmac="**:**:**:00:51:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="52832" dstport="2222" tcpflags="SYN"
2018:07:29-02:19:11 shortsdedicated ulogd[4049]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="ppp0" srcmac="**:**:**:00:51:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="52858" dstport="2222" tcpflags="SYN"
2018:07:29-02:19:19 shortsdedicated ulogd[4049]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="ppp0" srcmac="**:**:**:00:51:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="52858" dstport="2222" tcpflags="SYN"


2018:07:29-09:02:33 shortsdedicated ulogd[4049]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62054" outitf="ppp0" srcmac="**:**:**:00:51:5b"srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="59698" dstport="2222" tcpflags="SYN"
2018:07:29-09:02:33 shortsdedicated ulogd[4049]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="ppp0" srcmac="**:**:**:00:51:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="59698" dstport="2222" tcpflags="SYN"
2018:07:29-09:02:34 shortsdedicated ulogd[4049]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62054" outitf="ppp0" srcmac="**:**:**:00:4f:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="59698" dstport="2222" tcpflags="SYN"
2018:07:29-09:02:34 shortsdedicated ulogd[4049]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="ppp0" srcmac="**:**:**:00:51:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="59698" dstport="2222" tcpflags="SYN"
2018:07:29-09:02:36 shortsdedicated ulogd[4049]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62054" outitf="ppp0" srcmac="**:**:**:00:4f:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="59698" dstport="2222" tcpflags="SYN"
2018:07:29-09:02:36 shortsdedicated ulogd[4049]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="ppp0" srcmac="**:**:**:00:51:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="59698" dstport="2222" tcpflags="SYN"
2018:07:29-09:02:40 shortsdedicated ulogd[4049]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62054" outitf="ppp0" srcmac="**:**:**:00:4f:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="59698" dstport="2222" tcpflags="SYN"
2018:07:29-09:02:40 shortsdedicated ulogd[4049]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="ppp0" srcmac="**:**:**:00:51:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="59698" dstport="2222" tcpflags="SYN"
2018:07:29-09:02:48 shortsdedicated ulogd[4049]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62054" outitf="ppp0" srcmac="**:**:**:00:4f:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="59698" dstport="2222" tcpflags="SYN"
2018:07:29-09:02:48 shortsdedicated ulogd[4049]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="ppp0" srcmac="**:**:**:00:51:5b" srcip="10.242.1.1" dstip="10.242.1.2" proto="6" length="56" tos="0x00" prec="0x00" ttl="64" srcport="59698" dstport="2222" tcpflags="SYN"


Thank you for any assistance.


This thread was automatically locked due to age.
Parents
  • Hi SnS and welcome to the UTM Community!

    fwrule="60003"

    These packets are being dropped out of the OUTPUT chain.  Please show the Edit of the firewall rule you made to allow this traffic.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the welcome, below is my first attempt ended up trying both port 22 and 2222 then when that just kept getting dropped in the firewall I tried the dnat which is below.

     

     

    logged the initial packet to see in the log and then the auto fire wall rule to go with it, which in the log you can see its trying but then gets dropped.

     

     

    to further ensure we are on the same page here is a simple explanation what im trying to do.

    from windows pc i use putty and ssh into sophosutm as root, then run ssh -p 2222 username@192.168.0.*  and it connects with no issues.

    from windows pc i use putty and ssh into sophosutm as root, then run ssh -p 2222 username@10.242.1.2  and connection times out due to firewall issue.

    Thank again,

    Stubbs

  • How about a pic of the Edit of the SSL VPN Profile?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob, Currently I am not running ssl vpn, I am using PPTP as the vpn service.

    I am sure what I am attempting to do is not normal for most users, I have a script that updates some certs, then each day it pushes these certs over ssh to some of the clients on my local network, I was also hoping to use this and push a cert to a client the is connected to the vpn 24/7. once SSH will connect then the rest should work just fine.

    Thanks.

     

  • Ah yes, you did say PPTP.  Do you have a firewall rule like 'VPN Pool (PPTP) -> Any -> VPN Pool (PPTP) : Allow'?

    Cheers - Bob

    NOTE 02 Aug 2018: Corrected "SSL" to "PPTP"

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No entries for SSL VPN in my firewall or nat. I did try and make a rule like VPN Pool (PPTP) -> Any -> VPN Pool (PPTP) : Allow and it is still being dropped. even trying Any -> Any -> Any it still drops in the firewall log. I am leaning to something hard coded/configured to not allow a ssh connection from the utm to clients on the vpn network. Now if only I could figure out what needs modified. I dont believe its ssh its self, because its being dropped at firewall, especially after having the ssh server listen on multiple ports and trying to connect to different ports.

    Also if i add the pptp vpn network to the ssh config i am able to connect from the vpn client to the utm, how ever utm to vpn client still does not work.

    Stubbs

  • After some more digging around I am onto something, I am now able to connect. Next step is to see if we can make this work via webadmin or if I need to write a script to to handle this for me.

    This does the trick, all handled under the filter section of iptables:

    iptables -I OUTPUT -o ppp0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

     

    note you must use -I to put at top of list, if you use -A to add it to the bottom it falls below the default drop rule.

    -A OUTPUT -o ppp0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT ! -s 127.0.0.0/8 -o lo -p tcp -m tcp --sport 1024:65535 --dport 4444 -m logmark --logmark 60005  -j LOGDROP
    -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 4472 -m owner --uid-owner 100 -j LOGDROP
    -A OUTPUT -o lo -p tcp -m tcp --dport 3002 -j LOCAL_RESTAPI
    -A OUTPUT -o lo -p tcp -m tcp --dport 3498 -j LOCAL_RESTAPI
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT ! -d 224.0.0.0/4 -m confirmed -j ACCEPT
    -A OUTPUT -m conntrack --ctstate RELATED -j CONFIRMED
    -A OUTPUT -m condition --condition "OUTPUT_ACCEPT_ALL"  -m owner --uid-owner 0 --gid-owner 0 -j CONFIRMED
    -A OUTPUT -j HA_OUT
    -A OUTPUT -j SANITY_CHECKS
    -A OUTPUT -j AUTO_OUTPUT
    -A OUTPUT -j USR_OUTPUT
    -A OUTPUT -m logmark --logmark 60003  -j LOGDROP

  • Excellent work!  Does that survive a reboot?  I suspect you will need to add a cron job to put that back @reboot - did you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Definitely will not survive a reboot, pretty much anytime anything in Web Application Firewall is touched it will reload most all routing configs, but that is ok. I already have an automated script to add wss support to the reverse proxy config file and restart the reverseproxy anytime its not found in the config file and seams that gets wiped every time the iptables get redone so I can just use that script and add another line, or what I may do to make it a standalone component is make a small ram disk and then every minute write the output of iptables --list-rules to a text file in the ram disk and then use a script to read it, if my entry isn't there, then add the line to iptables else do nothing.

  • went ahead and reworked my wss script to fit my needs here and figured may as well wrap this thread up with the code. I am no professional, just know enough to get what I need done. if you use this code dont forget to mount your ramdisk.

     

    #Script to added ssh over ppp0 to iptables if config is modified by sophos utm
    #crontab must contain:
    #       SHELL=/bin/sh
    #       PATH=/sbin:/usr/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin
    #       * * * * * python /root/sshppp0.py
    #                   to log add                 >> /root/sshppp0.log 2>&1
    #        @reboot /bin/sleep 15 ; mount -t tmpfs -o size=8M tmpfs /root/ramdisk &


    import os
    import time
    import subprocess
    from datetime import timedelta
    with open('/proc/uptime', 'r') as g:
        uptime_seconds = float(g.readline().split()[0])
    #print(uptime_seconds)
    if uptime_seconds < 60:
            print "waiting for system to fully boot"
            time.sleep(60)
    update = 0
    os.system("iptables --list-rules >> /root/ramdisk/iptables.log 2>&1")
    time.sleep(2)
    with open('/root/ramdisk/iptables.log', 'r') as f:
        f_contents = f.readlines()
        f_contents_readable = f.read()
        print(f_contents_readable)
        for line in f_contents:
            #print f_contents
            if "-A OUTPUT -o ppp0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT\n" in line:
                print('Match Found')
                update = 1
    if update == 0:
        os.system("iptables -I OUTPUT -o ppp0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT")
        time.sleep(2)
        update = 2

    print update
    time.sleep (5)
    if update == 0:
        print "ssh over ppp0 not updated"
    if update == 2:
        print "ssh over ppp0 updated"
        def send_mail(subject, content):
            import smtplib
            from email.mime.text import MIMEText
            SERVER = "smtp.gmail.com"
            PORT = "465"
            USER = "user@gmail.com"
            PASS = ""
            FROM = "user <user@gmail.com>"
            TO = "user@gmail.com"

            SUBJECT = subject
            TEXT = content

            message = MIMEText(TEXT)
            message['Subject'] = 'added ssh over ppp0 to iptables'
            message['From'] = FROM
            message['To'] = TO

            server = smtplib.SMTP_SSL(SERVER, PORT)
            server.login (USER, PASS)
            server.sendmail(FROM, TO, message.as_string())
            server.quit()

        send_mail('', '')
        
    os.system("rm /root/ramdisk/iptables.log")

Reply
  • went ahead and reworked my wss script to fit my needs here and figured may as well wrap this thread up with the code. I am no professional, just know enough to get what I need done. if you use this code dont forget to mount your ramdisk.

     

    #Script to added ssh over ppp0 to iptables if config is modified by sophos utm
    #crontab must contain:
    #       SHELL=/bin/sh
    #       PATH=/sbin:/usr/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin
    #       * * * * * python /root/sshppp0.py
    #                   to log add                 >> /root/sshppp0.log 2>&1
    #        @reboot /bin/sleep 15 ; mount -t tmpfs -o size=8M tmpfs /root/ramdisk &


    import os
    import time
    import subprocess
    from datetime import timedelta
    with open('/proc/uptime', 'r') as g:
        uptime_seconds = float(g.readline().split()[0])
    #print(uptime_seconds)
    if uptime_seconds < 60:
            print "waiting for system to fully boot"
            time.sleep(60)
    update = 0
    os.system("iptables --list-rules >> /root/ramdisk/iptables.log 2>&1")
    time.sleep(2)
    with open('/root/ramdisk/iptables.log', 'r') as f:
        f_contents = f.readlines()
        f_contents_readable = f.read()
        print(f_contents_readable)
        for line in f_contents:
            #print f_contents
            if "-A OUTPUT -o ppp0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT\n" in line:
                print('Match Found')
                update = 1
    if update == 0:
        os.system("iptables -I OUTPUT -o ppp0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT")
        time.sleep(2)
        update = 2

    print update
    time.sleep (5)
    if update == 0:
        print "ssh over ppp0 not updated"
    if update == 2:
        print "ssh over ppp0 updated"
        def send_mail(subject, content):
            import smtplib
            from email.mime.text import MIMEText
            SERVER = "smtp.gmail.com"
            PORT = "465"
            USER = "user@gmail.com"
            PASS = ""
            FROM = "user <user@gmail.com>"
            TO = "user@gmail.com"

            SUBJECT = subject
            TEXT = content

            message = MIMEText(TEXT)
            message['Subject'] = 'added ssh over ppp0 to iptables'
            message['From'] = FROM
            message['To'] = TO

            server = smtplib.SMTP_SSL(SERVER, PORT)
            server.login (USER, PASS)
            server.sendmail(FROM, TO, message.as_string())
            server.quit()

        send_mail('', '')
        
    os.system("rm /root/ramdisk/iptables.log")

Children
No Data