
Re: Can't get DNAT to port forward SSH



On Tue, Jul 03, 2001 at 02:39:22AM -0500, S . Salman Ahmed wrote:
> $IPTABLES  -t nat -A PREROUTING\
> 	   -i eth0 -s <SomeIPAddress>\
> 	   -p tcp -d <CableISPassignedIPaddress>\
> 	   --dport 22 -j DNAT --to 192.168.1.2

That looks fine.


> $IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

Only looked at your rule set briefly but I think that is the line that
is killing you.  You will need a line to specifically forward tcp
blabla.. (basically matching your DNAT rule) to your internal address.


P.S. Your configuration appears to be of the "default accept" nature,
rather than "default drop."  I would recommend a complete re-write to
drop and log by default, and then write rules to allow just those things
you need. :)  But hopefully the above answers your actual question.

-- 

Jim B.
vader@conflict.net
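The fix Jim describes, written out as an added example (this is not the original poster's script nor anything from the thread): the DNAT rule from the post, followed by a FORWARD rule that accepts the NEW connection to the internal host. Because PREROUTING rewrites the destination before the FORWARD chain sees the packet, the FORWARD rule has to match the internal address (192.168.1.2), not the ISP-assigned one. The interface name, addresses and port are placeholders standing in for the values elided in the post, and the script follows the P.S. by using a default-drop FORWARD policy with a LOG rule before the final drop. By default it only prints the iptables commands so it can be reviewed without root; run it with `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example, not code from the original thread. All values below are
# placeholders (assumptions), override them through the environment.
EXT_IF="${EXT_IF:-eth0}"
EXT_ADDR="${EXT_ADDR:-203.0.113.10}"       # placeholder for the cable-ISP-assigned address
INT_HOST="${INT_HOST:-192.168.1.2}"        # internal SSH server (from the post)
ALLOWED_SRC="${ALLOWED_SRC:-198.51.100.7}" # placeholder for the single permitted client
PORT="${PORT:-22}"
# IPT defaults to printing the commands; set IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"

rules() {
    # Default drop on the forwarding path, as the P.S. recommends.
    $IPT -P FORWARD DROP

    # DNAT as in the post: rewrite the destination of inbound SSH from the
    # permitted client to the internal host.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -s "$ALLOWED_SRC" -p tcp \
        -d "$EXT_ADDR" --dport "$PORT" -j DNAT --to "$INT_HOST"

    # Replies and already-tracked flows in either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The rule the reply says is missing: accept the NEW connection that the
    # DNAT rule produced. FORWARD runs after PREROUTING, so the destination
    # to match is the internal host, not the external address.
    $IPT -A FORWARD -i "$EXT_IF" -s "$ALLOWED_SRC" -p tcp \
        -d "$INT_HOST" --dport "$PORT" -m state --state NEW -j ACCEPT

    # Anything else that reaches the end of FORWARD: log it, then drop it.
    $IPT -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
    $IPT -A FORWARD -j DROP
}

rules
```

The ordering matters: the ACCEPT for the post-DNAT destination must come before the catch-all LOG/DROP pair, which is the same mistake the poster's `--state NEW,INVALID -j DROP` line made by sitting in front of any accept rule.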


