EXECUTIVE SUMMARY
My Ubuntu VM (hostname fubar) is making the IP address (eth0 169.254.32.15) of one interface visible to hosts reachable by another interface (eth1 10.3.17.129/23).
I want "ssh [email protected]" from machines on the 10.3.16.0/23 to not connect to fubar.
DETAILS
The interfaces on my Ubuntu VM:
root@fubar:~# ifconfig
eth0 Link encap:Ethernet HWaddr 4e:12:0f:0b:48:91
inet addr:169.254.32.15 Bcast:169.254.63.255 Mask:255.255.224.0
inet6 addr: fe80::4c12:fff:fe0b:4891/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:648 (648.0 B)
eth1 Link encap:Ethernet HWaddr 92:fe:57:11:bd:6c
inet addr:10.3.17.129 Bcast:10.3.17.255 Mask:255.255.254.0
inet6 addr: fe80::90fe:57ff:fe11:bd6c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2471362 errors:0 dropped:0 overruns:0 frame:0
TX packets:71144 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:337482223 (337.4 MB) TX bytes:5136143 (5.1 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1184 (1.1 KB) TX bytes:1184 (1.1 KB)
root@fubar:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.3.16.1 0.0.0.0 UG 0 0 0 eth1
10.3.16.0 0.0.0.0 255.255.254.0 U 0 0 0 eth1
169.254.32.0 0.0.0.0 255.255.224.0 U 0 0 0 eth0
root@fubar:~# uname -a
Linux fubar 3.19.0-80-generic #88~14.04.1-Ubuntu SMP Fri Jan 13 14:54:07 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
root@fubar:~# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:5617 0.0.0.0:* LISTEN
tcp 0 0 169.254.32.15:5617 10.3.17.28:50841 ESTABLISHED
tcp 0 0 10.3.17.129:5617 10.3.16.65:38753 ESTABLISHED
tcp6 0 0 :::5617 :::* LISTEN
udp 0 0 0.0.0.0:9797 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp6 0 0 :::1269 :::*
eth1 is intended to be externally facing. Eth0 is connected to another VM (and nothing else) via a virtual bridge.
The undesired behavior is that when I ssh from another VM (10.3.17.28) to 169.254.32.15 it successfully connects to fubar (see netstat output above). How can I stop this from happening?
Interface stats show the packets for this SSH are actually going over eth1. Obviously fubar is making 169.254.32.15 visible to the 10.3.16/23 network but I don't know why.
Why is this happening? How can I stop it from happening?
EDIT1: iptables data collected as requested
root@fubar:~# iptables -v -x -n -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
root@fubar:~# iptables -t nat -v -x -n -L
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
root@fubar:~#
It appears from your question that sshd is listening on all interfaces on port TCP/5617. So I would recommend editing your /etc/ssh/sshd_config. SSHD can be configured to listen on specific IP addresses, which, if they are static, you can hard-code into your /etc/ssh/sshd_config file. If there's a line that reads
change it to the below. If it doesn't exist, just add the below:
If you're using ipv6, you might want to also change
to
However, if this server is configured for DHCP and you prefer it that way, then I would probably resort to iptables as Doug recommended. There are a couple ways to accomplish that depending on what you actually want to block.
If you want to block ssh coming from the 10.3.16.0/23 network into the eth0 interface (change REJECT to DROP if you're worried about esoteric attacks/scans, otherwise REJECT fails faster):
If you want to block all traffic from this network coming into this interface:
Once you add the rule of your choosing, test to make sure it's having the desired effect; if it is, make it permanent with:
That command may vary depending on what version of Ubuntu you're running.
I still don't know why this would be happening without deeper troubleshooting; I would suggest checking the output of
and making sure it's zero, unless you intend for this VM to be routing between these networks. To fix that, add the following line to the bottom of /etc/sysctl.d/99-sysctl.conf
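The three steps of the answer above (restrict sshd's ListenAddress, add an iptables rule, check ip_forward) collected into one script, as an added example that is not code from the question or the answer. The addresses, interface names and port are taken from the question (sshd on TCP/5617, eth0 = 169.254.32.15, eth1 = 10.3.17.129 on 10.3.16.0/23); the sample sshd_config lines in the dry run are constructed, and the rules file path assumes the iptables-persistent package. Because the question's interface counters show the SSH packets arriving on eth1, the firewall rule here keys on the destination address rather than on the ingress interface, so it matches whichever interface delivers a packet addressed to the eth0 address.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Values come from the
# question: sshd on TCP/5617, eth0 = 169.254.32.15, eth1 = 10.3.17.129.
SSH_PORT=5617
INTERNAL_IF=eth0
INTERNAL_IP=169.254.32.15
EXTERNAL_IP=10.3.17.129

# 1. sshd: bind only to the external address. Reads sshd_config on stdin,
#    deletes every ListenAddress line (active or commented, IPv4 or IPv6)
#    and appends a single one, so sshd no longer binds the 0.0.0.0 / ::
#    wildcards. Once any ListenAddress is set, sshd listens only there.
bind_sshd_to() {
    sed -e '/^[[:space:]]*#*[[:space:]]*ListenAddress[[:space:]]/d'
    printf 'ListenAddress %s\n' "$1"
}

# 2. iptables: reject anything for the eth0 address that did not arrive on
#    eth0, on any interface. -I puts the rule ahead of any ACCEPT rules.
#    Target is REJECT by default; pass DROP to discard silently instead.
ssh_block_rule() {
    printf 'iptables -I INPUT -d %s ! -i %s -p tcp --dport %s -j %s\n' \
        "$INTERNAL_IP" "$INTERNAL_IF" "$SSH_PORT" "${1:-REJECT}"
}

# 3. Forwarding check: the value read from /proc/sys/net/ipv4/ip_forward
#    must be 0 unless this VM is meant to route between the two networks.
#    Takes the value as an argument so it can be checked without root.
forwarding_is_off() {
    [ "$1" = "0" ]
}

# Dry run (default) prints the result on a constructed sshd_config sample
# and the rule that would be added; "apply" performs the change as root.
case "${1:-plan}" in
    plan)
        echo "# sshd_config after edit (constructed sample input):"
        printf '#ListenAddress 0.0.0.0\n#ListenAddress ::\nPort %s\n' "$SSH_PORT" \
            | bind_sshd_to "$EXTERNAL_IP"
        echo "# firewall rule to add:"
        ssh_block_rule
        ;;
    apply)
        bind_sshd_to "$EXTERNAL_IP" < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
        # sshd -t validates the new file before it replaces the live one.
        sshd -t -f /etc/ssh/sshd_config.new && mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
        service ssh restart
        eval "$(ssh_block_rule)"
        iptables-save > /etc/iptables/rules.v4   # iptables-persistent's rules file
        if ! forwarding_is_off "$(cat /proc/sys/net/ipv4/ip_forward)"; then
            echo 'net.ipv4.ip_forward = 0' >> /etc/sysctl.d/99-sysctl.conf
            sysctl -w net.ipv4.ip_forward=0
        fi
        ;;
esac
```

Run it with no argument first to see the rewritten config and the exact iptables command; run it as `sh script.sh apply` only after confirming that 10.3.17.129 is the address the external hosts should keep reaching. Existing established sessions shown in the question's netstat output are not cut by the sshd change alone; the INPUT rule handles new connections to the eth0 address from then on.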