YC’s playground

OK, I’m not entirely sure how useful this is, but since I know that I only want to give SSH access to my home box from one external box (with a fixed IP address), I might as well configure it to accept only connections from that machine.

It is my machine at work, which I trust to be parasite-free. I would never SSH in from just a random box – what use is a secure shell if you don’t trust the end-point you’re using? So anyway, I thought I’d make some nice shorewall rules. Accepting SSH connections only from one address and dropping requests from any other addresses doesn’t necessarily make things more secure, but at the very least it saves some log output.

Given the setup of the home network, it turned out that I in fact needed two rules (it took a few minutes before I got my head around that). The box that runs shorewall also acts as a wireless access point, using IP masquerading (set up through /etc/shorewall/masq) to share the wired connection. I already had these policies set up in /etc/shorewall/policy:

#SOURCE         DEST            POLICY          LOG LEVEL
net             $FW             DROP            info
net             loc             DROP            info
net             all             DROP            info

which I think is pretty much standard (note: I’m leaving out empty columns at the end). Now, I needed a rule in /etc/shorewall/rules to make an exception from these default policies:

#ACTION         SOURCE                DEST                  PROTO   DEST
#                                                                   PORT
ACCEPT          net:XXX.XXX.XXX.XXX   $FW                   tcp     ssh

where XXX is the IP address of the machine at work. Now, that (somewhat to my surprise) didn’t quite work. I could now see my home machine from the work machine (i.e. the SSH request was rejected rather than dropped), but I wasn’t allowed in. The reason is of course that when you use IP masquerading, the system needs to know where to route incoming connections to. So a second rule in /etc/shorewall/rules was needed:

DNAT            net:XXX.XXX.XXX.XXX   loc:YYY.YYY.YYY.YYY   tcp     ssh

…and that fixed it. Maybe I could have even more fun if I selected the incoming connections by MAC-address (through /etc/shorewall/maclist), but that’s for another day. The coolest thing: to get this going I didn’t need to refer to any documentation other than the examples at the top of the configuration files. Now that is good documentation.