Resolvi meu próprio problema, a pergunta que tive depois de "editar".
Adicionando esta regra à minha cadeia de Encaminhamento no iptables resolveu o problema
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
Eu tenho uma caixa 'foo' que tem o sshd em execução. Desejo ssh para esta máquina via Box 'bar'. A caixa 'foo' tem o endereço IP 10.0.0.100 e a caixa 'bar' tem o IP 10.0.0.109. O gateway para essas duas máquinas é 10.0.0.10. Se eu estiver fora da LAN, posso fazer um simples envio para o 'foo'.
Eu temo que tenha algo a ver com meus iptables sendo executados no gateway. Alguém pode checar meu trabalho para mim? Eu não consigo descobrir.
Parece que não há rota entre máquinas na LAN. Deve-se mencionar que Box 'foo' está conectado ao gateway via eth1 (gateway) e Box 'bar' está conectado via wlan0 (gateway). Ambas as interfaces são conectadas como 'br0'.
Eu tenho um firewall na caixa 'foo', no entanto, ele foi desativado para testes.
Eu descobri que alterando a política de Drop para Forward no iptables no gateway, as conexões são permitidas novamente. Agora, minha pergunta é: como posso inserir uma regra que permita que as conexões da rede local ocorram ao mesmo tempo em que mantenha a política do Forward no Drop?
$ cat /etc/ssh/sshd_config ## ON BOX 'foo'
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# Subsystem sftp /usr/lib/openssh/sftp-server #out 2/20/16
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# Allow limited users access to server
AllowUsers foouser XXXXXXXXXX # <--- Censored
# SFTP Subsystem
Subsystem sftp internal-sftp
Match group XXXXXXXXXX # <--- Censored
ChrootDirectory /srv/sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
...
# iptables -nvL ## ON gateway
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
703 52346 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2022
7 757 LOGNDROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
110 21617 ACCEPT all -- eth0 br0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
126 16289 ACCEPT all -- br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.100 tcp dpt:22 state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
590 173K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain LOGNDROP (1 references)
pkts bytes target prot opt in out source destination
7 757 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "iptables: "
7 757 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Resolvi meu próprio problema, a pergunta que tive depois de "editar".
Adicionando esta regra à minha cadeia de Encaminhamento no iptables resolveu o problema
iptables -A FORWARD -i br0 -o br0 -j ACCEPT