DROP_CTINVALID Error from Primary to Secondary Orange IP (IPFire)

Hello everyone,
I configured a primary Orange IP and a secondary IP for the Orange network in IPFire.

When my client in the primary Orange IP range (X.X.X.X) tries to access one of the secondary IP addresses (Y.Y.Y.Y) via SSH, it encounters the following error:

11:36:41	DROP_CTINVALID	orange0	TCP	X.X.X.65 -> Y.Y.Y.185
source-port: 5642
destination-port: 22 (SSH)

What should I do?

I removed the following iptables rule:

sudo iptables -t filter -D CTINPUT -m conntrack --ctstate INVALID -j CTINVALID

After removing the rule, I no longer see the error logs, but I still cannot establish an SSH connection.

Interestingly, I can successfully telnet Y.Y.Y.185 22 and ping Y.Y.Y.185, but the SSH connection still cannot be established.

Removing that rule only stops the logging of the CTINVALID connections. Whatever is causing the invalid connections will still be occurring.

This sounds like you are using two different subnets in your Orange Network.

As the Orange subnet will be a private address range there is no security or privacy issue by showing what the addresses are.

What IP and subnet do you have defined in IPFire for the Orange zone?

What do you mean by Primary and Secondary IP ranges?

If you are trying to run with two subnets in the Orange zone then IPFire will not be able to route anything successfully because as far as it is concerned the Orange zone only consists of one subnet.
I can imagine that could easily cause an invalid connection result.

2 Likes
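The two posts above hinge on one check: whether the endpoints of the dropped flows sit in different subnets of the same Orange interface. The following Python is an added example, not code from the thread or from IPFire. It parses the three-lines-per-event layout the IPFire firewall log GUI shows (time, action, interface, protocol, "src -> dst", then the two port lines) and flags DROP_CTINVALID events whose source and destination fall in different configured ranges. The sample log lines are constructed, using RFC 5737 documentation addresses in place of the poster's X.X.X.X and Y.Y.Y.Y, and the two subnet definitions are assumptions standing in for the "primary" and "secondary" Orange ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the IPFire firewall log shown in the
# thread. Addresses are RFC 5737 documentation ranges, not the poster's.
SAMPLE_LOG = "\n".join([
    "11:36:41\tDROP_CTINVALID\torange0\tTCP\t192.0.2.65 -> 198.51.100.185",
    "source-port: 5642",
    "destination-port: 22 (SSH)",
    "11:36:44\tDROP_CTINVALID\torange0\tTCP\t192.0.2.65 -> 198.51.100.185",
    "source-port: 5642",
    "destination-port: 22 (SSH)",
    "11:37:02\tDROP_INPUT\torange0\tTCP\t192.0.2.70 -> 192.0.2.1",
    "source-port: 40112",
    "destination-port: 444",
])

# Assumed zone layout: the single Orange subnet IPFire knows about, plus the
# extra range the poster calls the "secondary" Orange IP.
ORANGE_SUBNET = ipaddress.ip_network("192.0.2.0/24")
SECONDARY_SUBNET = ipaddress.ip_network("198.51.100.0/24")

# Header line: fields separated by whitespace (tabs in the GUI export).
HEADER_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s*$"
)
# Port lines: "source-port: 5642" / "destination-port: 22 (SSH)".
PORT_RE = re.compile(r"^(?P<which>source|destination)-port:\s+(?P<port>\d+)")


def parse_log(text):
    """Turn the GUI log layout into a list of event dicts (one per header line)."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["sport"] = None
            ev["dport"] = None
            events.append(ev)
            continue
        m = PORT_RE.match(line)
        if m and events:
            # Port lines belong to the most recent header line.
            key = "sport" if m["which"] == "source" else "dport"
            events[-1][key] = int(m["port"])
    return events


def zone_of(addr):
    """Classify an address against the assumed Orange ranges."""
    ip = ipaddress.ip_address(addr)
    if ip in ORANGE_SUBNET:
        return "orange"
    if ip in SECONDARY_SUBNET:
        return "secondary"
    return "other"


def cross_subnet_invalid(events):
    """CTINVALID drops whose two endpoints lie in different subnets.

    These are the flows bonnietwin's reply points at: traffic between two
    ranges on one zone that IPFire only knows as a single subnet.
    """
    return [
        ev for ev in events
        if ev["action"] == "DROP_CTINVALID" and zone_of(ev["src"]) != zone_of(ev["dst"])
    ]


def summarize(events):
    """Count cross-subnet CTINVALID drops per (src subnet, dst subnet, dst port)."""
    return Counter(
        (zone_of(ev["src"]), zone_of(ev["dst"]), ev["dport"])
        for ev in cross_subnet_invalid(events)
    )


if __name__ == "__main__":
    for key, count in summarize(parse_log(SAMPLE_LOG)).items():
        src_zone, dst_zone, dport = key
        print(f"{count} CTINVALID drop(s): {src_zone} -> {dst_zone}, dst port {dport}")
```

Run against a real log export, a non-empty summary with two different zone names in the same row confirms that the dropped traffic crosses the subnet boundary, which is the condition to sort out before touching the CTINVALID rule itself; deleting that rule, as the first post shows, only silences the log entry.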

Put back all the changes you did to iptables/conntrack.

Once you assign the orange interface a secondary IP, the only thing you have to do is assign default access rules.

Say that your secondary orange is the out-of-band management network: your IPMI interfaces have a static address on the secondary orange. For example, this net is 192.168.10.0/24, subnet mask 255.255.255.0.

So in the web GUI: go to Firewall Groups.

Click the button called Network, name it,
add the secondary net (in the format XXX.xxx.XXX/xx, so this will be 192.168.10.0/24),
subnet mask,
and identifying comments if you want.
Save.

Then go to Firewall Rules:
Add orange source, network destination, allow, all protocols, No NAT (unchecked).

Add network source, orange destination, allow, all protocols, No NAT (unchecked).

Edit: you should add both rules, as any server pushes from the IPMI net to monitoring software on orange would be blocked otherwise.

I actually wanted to add the process to make secondary networks, but Michael shot me down, saying that it doesn't make sense to add a lower quality net that doesn't have an internet function, from what I understand.
And even pitching this as a zone add didn’t work either for the same reason.

1 Like

Thank you so much dear @dr_techno and @bonnietwin
I understand the solution now. The problem I mentioned is not related to IPFire — it is actually related to the network settings of the Ubuntu VM.