I have a server running on the public internet, and currently I only allow incoming SSH traffic from my public source IP.
( sudo ufw allow from {my_source_ip} to {my_server_ip} port 22 proto tcp comment 'Allow SSH' )
Now I've installed the ziti tunneler on the Linux host and would like to change the firewall rule to also allow incoming traffic from the tunnel to the SSH port. How can I do this without allowing the whole internet?
Can I use the tunnel interface or the IP of the tunnel? Or is it still the real source ip?
tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 100.64.0.1/32 scope global tun0
valid_lft forever preferred_lft forever
I tried to capture packets with tcpdump but somehow was not able to capture packets.
Hi @Metz, welcome to the community and to OpenZiti!
If you installed the tunneler on the linux host, I would expect you would be effectively using the equivalent of "ssh localhost" and I don't think that's denied by default. I'll have to google around to figure out if ufw is blocking even "localhost" connections. When I use ziti-edge-tunnel to ssh, I set up the offload of the service to 127.0.0.1 and not the public ip address. That way you don't need to modify the firewall. Does that make sense?
So instead of the real IP or the tun IP, I say use "127.0.0.1". Then on your local machine, you would do something like "ssh my.server.over.ziti" (the intercept side configuration) which would tunnel through ziti to the ziti-edge-tunnel on that linux server and offload from the tunneler towards 127.0.0.1:22.
Hopefully that makes sense and hopefully I understood your question correctly.
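The two service configs the reply describes, as an added example that is not from the original thread or the OpenZiti project: a host.v1 config offloading to 127.0.0.1:22 on the server, an intercept.v1 config for my.server.over.ziti on the client, and a check that the offload target is loopback, so the existing ufw rule (public source IP only) needs no change. The service/config names and the 203.0.113.10 address are constructed placeholders.

```python
import ipaddress
import json

# Intercept hostname taken from the reply above; everything else is constructed.
INTERCEPT_HOST = "my.server.over.ziti"


def ssh_service_configs(offload_address="127.0.0.1", port=22):
    """Build the two OpenZiti config documents for an SSH service.

    host.v1 is used by ziti-edge-tunnel on the server and says where the
    tunneler connects once traffic arrives over the fabric; intercept.v1 is
    used on the client and says which name/port the local tunneler captures.
    """
    host = {"protocol": "tcp", "address": offload_address, "port": port}
    intercept = {
        "protocols": ["tcp"],
        "addresses": [INTERCEPT_HOST],
        "portRanges": [{"low": port, "high": port}],
    }
    return host, intercept


def offload_stays_on_host(host_cfg):
    """True when the offload target is loopback: the hop from the tunneler to
    sshd never crosses the public interface, so the ufw rule stays as-is."""
    try:
        return ipaddress.ip_address(host_cfg["address"]).is_loopback
    except ValueError:
        return host_cfg["address"] == "localhost"


def ziti_cli_commands(service="ssh-over-ziti", offload_address="127.0.0.1", port=22):
    """Render the `ziti edge create` commands that install these configs."""
    host, intercept = ssh_service_configs(offload_address, port)
    return [
        f"ziti edge create config {service}-host.v1 host.v1 '{json.dumps(host)}'",
        f"ziti edge create config {service}-intercept.v1 intercept.v1 '{json.dumps(intercept)}'",
        f"ziti edge create service {service} --configs {service}-host.v1,{service}-intercept.v1",
    ]


if __name__ == "__main__":
    # Weak variant: offloading to the public IP would force widening the ufw rule.
    public, _ = ssh_service_configs("203.0.113.10")
    print("public-IP offload needs a firewall change:", not offload_stays_on_host(public))
    for cmd in ziti_cli_commands():
        print(cmd)
```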