OK, I’m not entirely sure how useful this is, but since I know that I only want to give SSH access to my home box from one external box (with a fixed IP address), I might as well configure it to accept only connections from that machine.
It is my machine at work, which I trust to be parasite-free. I would never SSH in from just a random box – what use is a secure shell if you don’t trust the end-point you’re using? So anyway, I thought I’d make some nice shorewall rules. Accepting SSH connections only from one address and dropping requests from any other addresses doesn’t necessarily make things more secure, but at the very least it saves some log output.
Given the setup of the home network, it turned out that I in fact needed two rules (it took a few minutes before I got my head around that). The box that runs shorewall also acts as a wireless access point, using IP masquerading (set up through /etc/shorewall/masq) to share the wired connection. I already had these policies set up in /etc/shorewall/policy:
#SOURCE DEST POLICY LOG LEVEL net $FW DROP info net loc DROP info net all DROP info
which I think is pretty much standard (note: I’m leaving out empty columns at the end). Now, I needed a rule in /etc/shorewall/rules to make an exception from these default policies:
#ACTION SOURCE DEST PROTO DEST # PORT ACCEPT net:XXX.XXX.XXX.XXX $FW tcp ssh
where XXX is the IP address of the machine at work. Now, that (somewhat to my surprise) didn’t quite work. I could now see my home machine from the work machine (i.e. the SSH request was rejected rather than dropped), but I wasn’t allowed in. The reason is of course that when you use IP masquerading, the system needs to know where to route incoming connections to. So a second rule in /etc/shorewall/rules was needed:
DNAT net:XXX.XXX.XXX.XXX loc:YYY.YYY.YYY.YYY tcp ssh
…and that fixed it. Maybe I could have even more fun if I selected the incoming connections by MAC-address (through /etc/shorewall/maclist), but that’s for another day. The coolest thing: to get this going I didn’t need to refer to any documentation other than the examples at the top of the configuration files. Now that is good documentation.