SSH connection with NordVPN

trendy · 10 October 2023 11:40

You can setup proxy from the SSH to forward ports. Example here
Otherwise you can open more addresses and ports on the firewall.

barukh · 11 October 2023 08:05

It doesn’t work, it gets stuck while trying to connect.

trendy · 11 October 2023 08:11

iptables-save -c ?

barukh · 11 October 2023 11:44


 Generated by iptables-save v1.8.7 on Wed Oct 11 13:39:38 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [2:108]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[3051:158863] -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 9091 -j ACCEPT
[0:0] -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 8096 -j ACCEPT
[0:0] -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 9091 -j ACCEPT
[0:0] -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 8096 -j ACCEPT
[6:360] -A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
[270819:72868197] -A FORWARD -j DOCKER-USER
[270819:72868197] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[106010:23080734] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[690:37471] -A FORWARD -o docker0 -j DOCKER
[109457:42793400] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[22:2575] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[35:12995] -A FORWARD -o br-d9a46b4fb181 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-d9a46b4fb181 -j DOCKER
[45:2850] -A FORWARD -i br-d9a46b4fb181 ! -o br-d9a46b4fb181 -j ACCEPT
[0:0] -A FORWARD -i br-d9a46b4fb181 -o br-d9a46b4fb181 -j ACCEPT
[0:0] -A FORWARD -o br-64b8bd1bb8b5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-64b8bd1bb8b5 -j DOCKER
[0:0] -A FORWARD -i br-64b8bd1bb8b5 ! -o br-64b8bd1bb8b5 -j ACCEPT
[0:0] -A FORWARD -i br-64b8bd1bb8b5 -o br-64b8bd1bb8b5 -j ACCEPT
[401509:134684763] -A FORWARD -o br-53881ace3f35 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[329:17268] -A FORWARD -o br-53881ace3f35 -j DOCKER
[402610:61299114] -A FORWARD -i br-53881ace3f35 ! -o br-53881ace3f35 -j ACCEPT
[0:0] -A FORWARD -i br-53881ace3f35 -o br-53881ace3f35 -j ACCEPT
[0:0] -A FORWARD -o br-353dfaeb6856 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-353dfaeb6856 -j DOCKER
[0:0] -A FORWARD -i br-353dfaeb6856 ! -o br-353dfaeb6856 -j ACCEPT
[0:0] -A FORWARD -i br-353dfaeb6856 -o br-353dfaeb6856 -j ACCEPT
[6:312] -A DOCKER -d 172.20.0.2/32 ! -i br-53881ace3f35 -o br-53881ace3f35 -p tcp -m tcp --dport 5055 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 51413 -j ACCEPT
[0:0] -A DOCKER -d 172.19.0.2/32 ! -i br-d9a46b4fb181 -o br-d9a46b4fb181 -p tcp -m tcp --dport 6595 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p udp -m udp --dport 51413 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9091 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8083 -j ACCEPT
[668:34896] -A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3129 -j ACCEPT
[109457:42793400] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[9:570] -A DOCKER-ISOLATION-STAGE-1 -i br-d9a46b4fb181 ! -o br-d9a46b4fb181 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-64b8bd1bb8b5 ! -o br-64b8bd1bb8b5 -j DOCKER-ISOLATION-STAGE-2
[28173:2666890] -A DOCKER-ISOLATION-STAGE-1 -i br-53881ace3f35 ! -o br-53881ace3f35 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-353dfaeb6856 ! -o br-353dfaeb6856 -j DOCKER-ISOLATION-STAGE-2
[270821:72868305] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-d9a46b4fb181 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-64b8bd1bb8b5 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-53881ace3f35 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-353dfaeb6856 -j DROP
[137639:45460860] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[10568837:7443229852] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Wed Oct 11 13:39:38 2023
# Generated by iptables-save v1.8.7 on Wed Oct 11 13:39:38 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
[12858:777038] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[8108:662136] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[40498:3393458] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[15:900] -A POSTROUTING -s 172.19.0.0/16 ! -o br-d9a46b4fb181 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.21.0.0/16 ! -o br-64b8bd1bb8b5 -j MASQUERADE
[167350:10598122] -A POSTROUTING -s 172.20.0.0/16 ! -o br-53881ace3f35 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-353dfaeb6856 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.2/32 -d 172.20.0.2/32 -p tcp -m tcp --dport 5055 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 51413 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 6595 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p udp -m udp --dport 51413 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 9091 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.5/32 -d 172.17.0.5/32 -p tcp -m tcp --dport 8083 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.6/32 -d 172.17.0.6/32 -p tcp -m tcp --dport 80 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3129 -j MASQUERADE
[4218:253050] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER -i br-d9a46b4fb181 -j RETURN
[0:0] -A DOCKER -i br-64b8bd1bb8b5 -j RETURN
[4167:250020] -A DOCKER -i br-53881ace3f35 -j RETURN
[0:0] -A DOCKER -i br-353dfaeb6856 -j RETURN
[6:312] -A DOCKER ! -i br-53881ace3f35 -p tcp -m tcp --dport 5055 -j DNAT --to-destination 172.20.0.2:5055
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 51414 -j DNAT --to-destination 172.17.0.3:51413
[0:0] -A DOCKER ! -i br-d9a46b4fb181 -p tcp -m tcp --dport 6595 -j DNAT --to-destination 172.19.0.2:6595
[0:0] -A DOCKER ! -i docker0 -p udp -m udp --dport 51414 -j DNAT --to-destination 172.17.0.3:51413
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 9091 -j DNAT --to-destination 172.17.0.3:9091
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 9002 -j DNAT --to-destination 172.17.0.4:9000
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 8083 -j DNAT --to-destination 172.17.0.5:8083
[668:34896] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.6:80
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 3129 -j DNAT --to-destination 172.17.0.2:3129
COMMIT

trendy · 11 October 2023 11:48

It will not work if you have allowed 192.168.0.0/16 but you are trying from 10.0.0.0/8.
Also please use preformated text for console output. Enclose the text inside 3 backquotes.
```
text here
```
which shows like this

text here

barukh · 11 October 2023 11:57

barukh:

 Generated by iptables-save v1.8.7 on Wed Oct 11 13:39:38 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [2:108]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[3051:158863] -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 9091 -j ACCEPT
[0:0] -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 8096 -j ACCEPT
[0:0] -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 9091 -j ACCEPT
[0:0] -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 8096 -j ACCEPT
[6:360] -A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
[270819:72868197] -A FORWARD -j DOCKER-USER
[270819:72868197] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[106010:23080734] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[690:37471] -A FORWARD -o docker0 -j DOCKER
[109457:42793400] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[22:2575] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[35:12995] -A FORWARD -o br-d9a46b4fb181 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-d9a46b4fb181 -j DOCKER
[45:2850] -A FORWARD -i br-d9a46b4fb181 ! -o br-d9a46b4fb181 -j ACCEPT
[0:0] -A FORWARD -i br-d9a46b4fb181 -o br-d9a46b4fb181 -j ACCEPT
[0:0] -A FORWARD -o br-64b8bd1bb8b5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-64b8bd1bb8b5 -j DOCKER
[0:0] -A FORWARD -i br-64b8bd1bb8b5 ! -o br-64b8bd1bb8b5 -j ACCEPT
[0:0] -A FORWARD -i br-64b8bd1bb8b5 -o br-64b8bd1bb8b5 -j ACCEPT
[401509:134684763] -A FORWARD -o br-53881ace3f35 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[329:17268] -A FORWARD -o br-53881ace3f35 -j DOCKER
[402610:61299114] -A FORWARD -i br-53881ace3f35 ! -o br-53881ace3f35 -j ACCEPT
[0:0] -A FORWARD -i br-53881ace3f35 -o br-53881ace3f35 -j ACCEPT
[0:0] -A FORWARD -o br-353dfaeb6856 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-353dfaeb6856 -j DOCKER
[0:0] -A FORWARD -i br-353dfaeb6856 ! -o br-353dfaeb6856 -j ACCEPT
[0:0] -A FORWARD -i br-353dfaeb6856 -o br-353dfaeb6856 -j ACCEPT
[6:312] -A DOCKER -d 172.20.0.2/32 ! -i br-53881ace3f35 -o br-53881ace3f35 -p tcp -m tcp --dport 5055 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 51413 -j ACCEPT
[0:0] -A DOCKER -d 172.19.0.2/32 ! -i br-d9a46b4fb181 -o br-d9a46b4fb181 -p tcp -m tcp --dport 6595 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p udp -m udp --dport 51413 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9091 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8083 -j ACCEPT
[668:34896] -A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3129 -j ACCEPT
[109457:42793400] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[9:570] -A DOCKER-ISOLATION-STAGE-1 -i br-d9a46b4fb181 ! -o br-d9a46b4fb181 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-64b8bd1bb8b5 ! -o br-64b8bd1bb8b5 -j DOCKER-ISOLATION-STAGE-2
[28173:2666890] -A DOCKER-ISOLATION-STAGE-1 -i br-53881ace3f35 ! -o br-53881ace3f35 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-353dfaeb6856 ! -o br-353dfaeb6856 -j DOCKER-ISOLATION-STAGE-2
[270821:72868305] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-d9a46b4fb181 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-64b8bd1bb8b5 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-53881ace3f35 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-353dfaeb6856 -j DROP
[137639:45460860] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[10568837:7443229852] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Wed Oct 11 13:39:38 2023
# Generated by iptables-save v1.8.7 on Wed Oct 11 13:39:38 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
[12858:777038] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[8108:662136] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[40498:3393458] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[15:900] -A POSTROUTING -s 172.19.0.0/16 ! -o br-d9a46b4fb181 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.21.0.0/16 ! -o br-64b8bd1bb8b5 -j MASQUERADE
[167350:10598122] -A POSTROUTING -s 172.20.0.0/16 ! -o br-53881ace3f35 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-353dfaeb6856 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.2/32 -d 172.20.0.2/32 -p tcp -m tcp --dport 5055 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 51413 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 6595 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p udp -m udp --dport 51413 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 9091 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.5/32 -d 172.17.0.5/32 -p tcp -m tcp --dport 8083 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.6/32 -d 172.17.0.6/32 -p tcp -m tcp --dport 80 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3129 -j MASQUERADE
[4218:253050] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER -i br-d9a46b4fb181 -j RETURN
[0:0] -A DOCKER -i br-64b8bd1bb8b5 -j RETURN
[4167:250020] -A DOCKER -i br-53881ace3f35 -j RETURN
[0:0] -A DOCKER -i br-353dfaeb6856 -j RETURN
[6:312] -A DOCKER ! -i br-53881ace3f35 -p tcp -m tcp --dport 5055 -j DNAT --to-destination 172.20.0.2:5055
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 51414 -j DNAT --to-destination 172.17.0.3:51413
[0:0] -A DOCKER ! -i br-d9a46b4fb181 -p tcp -m tcp --dport 6595 -j DNAT --to-destination 172.19.0.2:6595
[0:0] -A DOCKER ! -i docker0 -p udp -m udp --dport 51414 -j DNAT --to-destination 172.17.0.3:51413
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 9091 -j DNAT --to-destination 172.17.0.3:9091
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 9002 -j DNAT --to-destination 172.17.0.4:9000
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 8083 -j DNAT --to-destination 172.17.0.5:8083
[668:34896] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.6:80
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 3129 -j DNAT --to-destination 172.17.0.2:3129
COMMIT

Sorry my bad. I’ve edited the format.

[6:360] -A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT?

trendy · 11 October 2023 12:15

Format is okay now, but the problem remains that you are trying to connect from 10.0.0.0/8 and you don’t allow it for ports 8096, and 9001

barukh · 11 October 2023 14:24

Thank you for your patience. Now I see what you meant.

I’ll add the following to the up script and try again:

iptables -A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 8096 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9091 -j ACCEPT