Allow ssh access via vpn

I’m trying to access my phone remotely from ssh (jollac2, but that’s not relevant afaik).

I have successfully set-up a wireguard vpn.

However, ssh access is blocked by firewall. I tried to add firewall rules in the /etc/connman/firewall.d/ directory:

[root@JollaC2 defaultuser]# cat /etc/connman/firewall.d/01-devmode-firewall-vpn.conf
[vpn]

IPv4.INPUT.RULES = -p tcp -m tcp --dport 22 -j ACCEPT
IPv6.INPUT.RULES = -p tcp -m tcp --dport 22 -j ACCEPT

And then restarted connmanctl, but this does not work. I tried to replace [vpn] by [General], but that did not change anything.

I checked that:

  • Chain INPUT is filtering the packets (for example, Chain INPUT (policy DROP 528 packets, 44485 bytes); the drop count increments as the client sends packets)
  • it works if I fully disable input filtering (iptables -t filter -P INPUT ACCEPT). So it is a local firewall issue.

For information:

[root@JollaC2 defaultuser]# iptables -L -v -n
Chain INPUT (policy DROP 528 packets, 44485 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3998 1359K connman-INPUT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 967K packets, 715M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3799K packets, 574M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3204 1640K connman-OUTPUT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain connman-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  259 23648 ACCEPT     6    --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 1281 83472 ACCEPT     0    --  usb0   *       0.0.0.0/0            0.0.0.0/0           
    9  2952 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
   61  5506 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmp !type 8 code 0
    0     0 ACCEPT     33   --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1024:65535
    0     0 ACCEPT     132  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1024:65535
  498  227K ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1024:65535
    0     0 ACCEPT     136  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1024:65535
 1337  970K ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1024:65535
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     50   --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     51   --  *      *       0.0.0.0/0            0.0.0.0/0           
   25  1602 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain connman-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1467 1221K ACCEPT     0    --  *      usb0    0.0.0.0/0            0.0.0.0/0           
  471  243K ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmp !type 0 code 0

I was hoping that after my changes, I would see an ACCEPT 6 -- wg0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 line in that output, but that does not seem to happen.

Thus, the question is what am I doing wrong, or does connman need some fix for this to work? (Since wg0 exists only when the VPN is up, it may need special handling.)
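One way to verify whether the rule actually landed, as an added example that is not part of the original post: a small POSIX sh/awk check that parses `iptables -L -v -n` output and reports whether a given chain accepts TCP to a given port on a given ingress interface. The listing below is a constructed excerpt of the connman-INPUT chain shown above; the chain and interface names are taken from the post.

```sh
#!/bin/sh
# Added example, not from the original post. Parses the text format of
# `iptables -L -v -n` (pkts bytes target prot opt in out source destination [match]).
# Constructed sample, cut down from the connman-INPUT chain in the post:
SAMPLE_LISTING='Chain connman-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  259 23648 ACCEPT     6    --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 1281 83472 ACCEPT     0    --  usb0   *       0.0.0.0/0            0.0.0.0/0
  498  227K ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1024:65535
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'

# accepts_tcp_port LISTING CHAIN IFACE PORT
# Returns 0 if CHAIN contains an ACCEPT rule whose "in" column is IFACE or "*" and
# which either matches TCP with "dpt:PORT" or is an unconditional all-protocol rule
# (prot 0/all with no extra match text). multiport ranges are not evaluated, so a
# port covered only by a range reports as not accepted; the first hit wins, which is
# fine here because connman's chain in the post has no DROP/REJECT rules before it.
accepts_tcp_port() {
    printf '%s\n' "$1" | awk -v chain="$2" -v iface="$3" -v port="$4" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $3 == "ACCEPT" && ($6 == iface || $6 == "*") &&
            (($4 == "6" || $4 == "tcp") && $0 ~ ("dpt:" port "( |$)") ||
             ($4 == "0" || $4 == "all") && NF == 9) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# On the device itself you would feed the live listing instead of the sample:
#   accepts_tcp_port "$(iptables -L connman-INPUT -v -n)" connman-INPUT wg0 22
for dev in wlan0 wg0 usb0; do
    if accepts_tcp_port "$SAMPLE_LISTING" connman-INPUT "$dev" 22; then
        echo "$dev: tcp/22 accepted"
    else
        echo "$dev: tcp/22 NOT accepted (packets will hit the INPUT DROP policy)"
    fi
done
```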

concerning

Will this be saved?
I have rules active which seem to have got saved at some point (same rule, multiple times). Was not able to figure that out.
Where are the docs that describe how that works?
Is Sailfish connman different from upstream with regard to this?

No, there’s no persistence with a single iptables command, it won’t survive reboot. For persistence, it’s documented there: Firewall | Sailfish OS Documentation.


Thanks for the link. If I remember right, I was there before, but it was smaller.
However, I couldn’t identify an explanation for what I’m seeing (“duplicated” active rules).
Guess I will have to have another session looking at it… :wink: