
Can't get DNAT to port forward SSH



I am trying to forward SSH connections coming to my firewall (from a
specific set of IP addresses) to a machine on my private internal net
which has a private Class C address. After some reading, I realized that
I had to set up a DNAT rule to do this.

So I added the following rule to my firewall script:

$IPTABLES  -t nat -A PREROUTING\
	   -i eth0 -s <SomeIPAddress>\
	   -p tcp -d <CableISPassignedIPaddress>\
	   --dport 22 -j DNAT --to 192.168.1.2

I then tried to SSH from SomeIPAddress to my firewall system, and
nothing happened. SSH kept waiting and waiting and eventually timed out
and kept trying again and again.

On the firewall side, I didn't see any messages from iptables about
blocked packets, etc.

I also tried modifying the above rule to use the -m state extension:

 -m state --state NEW,ESTABLISHED,RELATED

since I set the default policy on INPUT chain to DROP. But using the "-m
state" extension didn't help at all.

Can anyone point out what I am doing wrong? I have sshd running without
any problems on all my internal machines and tcp_wrappers are configured
to allow SSH access from SomeIPAddress.

I am using kernel-2.4.3 with iptables support compiled into the
kernel. Could this be the problem? My kernel is built without module
support and hence I have compiled in the following iptables options:

#
#   IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STATE=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y

My firewall.sh script is attached to this email. I'd appreciate any info
on why DNAT isn't working and/or what I misconfigured. Having to SSH
twice (once through the firewall, then to the internal machine I want)
is really slowing things down for me right now.

Thanks.

#!/bin/sh
#
# $Id: firewall.sh,v 1.3 2001/07/03 07:17:05 ssahmed Exp $
#

IPTABLES=/sbin/iptables

# Loopback interface device
LPDIF=lo

# Loopback Device IP Address
LPDIP=127.0.0.1

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Disable response to broadcasts: we don't want to become a Smurf amplifier
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log spoofed packets, source routed packets, redirect packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

echo 1 > /proc/sys/net/ipv4/ip_forward

$IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

$IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -P INPUT DROP

$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-level 7 --log-prefix "BLOCKED: "

# Allow all ICMP traffic
$IPTABLES -A INPUT -p icmp -j ACCEPT

# The following rule is needed to make SSH X-Forwarding work ?
$IPTABLES -A INPUT -i $LPDIF -p all -j ACCEPT

$IPTABLES -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT

$IPTABLES -A INPUT -i eth0 -s A.B.C.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# The following rule doesn't seem to work at all!!
#$IPTABLES -t nat -A PREROUTING -i eth0 -s A.B.C.0/24 -p tcp -d <CableIspIPAddr> --dport 22 -j DNAT --to 192.168.1.2

# Kill malformed packets

# Block XMAS packets
$IPTABLES -A INPUT   -p tcp --tcp-flags ALL ALL  -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL  -j DROP

# Block NULL packets
$IPTABLES -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

echo "IPTables firewall started"
-- 
Salman Ahmed
ssahmed AT pathcom DOT com
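The missing piece in the script above is that a DNATed packet is routed through the FORWARD chain, not INPUT, and the script's first FORWARD rule drops every NEW packet arriving on eth0, so the SYN never reaches 192.168.1.2 and nothing is logged. The fragment below is an added example, not the poster's firewall.sh: it shows the three rules a port forward needs, with the FORWARD accept inserted ahead of that DROP. Assumed values not in the post: CABLE_IP is a constructed placeholder for the firewall's public address, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example for 2.4 netfilter: DNAT port forward of SSH to an internal host.
# 192.168.1.2 and A.B.C.0/24 come from the original post; CABLE_IP is a
# constructed TEST-NET-3 placeholder, replace it with the real public address.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXT_IF=eth0
ALLOWED_NET=A.B.C.0/24
CABLE_IP=${CABLE_IP:-203.0.113.10}
SSH_HOST=192.168.1.2

# run <iptables args>: execute iptables, or only print the command if DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

ssh_forward_rules() {
    # 1. Rewrite the destination in nat/PREROUTING, before the routing decision,
    #    so the kernel forwards the packet instead of delivering it locally.
    run -t nat -A PREROUTING -i "$EXT_IF" -s "$ALLOWED_NET" \
        -p tcp -d "$CABLE_IP" --dport 22 -j DNAT --to-destination "$SSH_HOST"
    # 2. The rewritten packet traverses filter/FORWARD as state NEW, still with
    #    -i eth0.  Insert (-I, not -A) so it precedes the posted rule
    #    "-A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP".
    run -I FORWARD 1 -i "$EXT_IF" -s "$ALLOWED_NET" \
        -p tcp -d "$SSH_HOST" --dport 22 -m state --state NEW -j ACCEPT
    # 3. Replies from 192.168.1.2 also cross FORWARD; conntrack reverses the
    #    DNAT, so only the ESTABLISHED/RELATED state needs accepting.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

Run `DRY_RUN=1 sh -c '. ./ssh_forward.sh; ssh_forward_rules'` to review the exact commands before applying them, and keep `-t nat -L -n` and `-L FORWARD -n -v` handy to confirm the counters move on the DNAT and the FORWARD accept.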
