
Re: Can't get DNAT to port forward SSH



On Tue, Jul 03, 2001 at 03:04:01AM -0500, S . Salman Ahmed wrote:
> you mean something of the form:
> 
> iptables -A FORWARD -i eth0 -p tcp -s <SomeIPAddress> --dport 22 -j DNAT --to 192.168.1.2


Almost:

iptables -A FORWARD -i eth0 -p tcp -s <SomeIPAddress> --dport 22 -j ACCEPT


> I thought the earlier DNAT rule would take care of this ?

Nope, you still have to explicitly allow the packets to be forwarded.


> All the docs I
> have seen on DNAT (including the netfilter HOWTO) _seem_ to imply that
> one DNAT rule is enough to do this kind of port-forwarding.

I just looked at the HOW-TO and indeed, it is not very clear that this
needs to be done.  The examples cited should probably be more thorough;
however, I think they are working on this.  I seem to remember a call for
example scripts and documentation help.


> In my script, I first set the default policies on INPUT, OUTPUT and
> FORWARD to ACCEPT. I later (ie towards the end of the script) set the
> default policy on INPUT to DROP.

Why go in circles? :)


> If I change the default policy on
> OUTPUT to DROP, will I have to add a rule to specifically allow
> outgoing packets from my 192.168.1.* local net ?

No, those packets will never touch the OUTPUT chain, only the FORWARD
chain.  So you will have to allow them to be forwarded.


> Also, what if I want to use a port number other than the standard port
> 22 for SSH ie:
> 
> port 1111 => port forward to InternalMachine1:22
> port 2222 => port forward to InternalMachine2:22

Do it exactly as you handle the port 22 setup.


> Is there a convention to use/keep-in-mind when setting up something like this?

Hmm, after you do it a couple of times you will get used to it.  I suggest
putting some LOG rules toward the end of your rule sets to log anything
that escapes your other rules; then you can watch the logs and see what
is happening if things don't go as you expected.

-- 

Jim B.
vader@conflict.net
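The complete rule set the reply describes, as an added example that is not part of the original thread: every port forward needs both a DNAT in nat/PREROUTING and an explicit ACCEPT in filter/FORWARD, the FORWARD rule matches on the post-DNAT destination (FORWARD sees the packet after the rewrite), LAN-to-Internet traffic is allowed in FORWARD rather than OUTPUT, and rate-limited LOG rules sit at the end of each chain. The interface names eth0/eth1, the addresses 192.168.1.2 and 192.168.1.3 and the external ports 1111/2222 are assumptions for illustration; the `conntrack` match is the current spelling of what the 2001-era HOWTO wrote as `-m state --state`. By default the script only prints the iptables commands; run it as root with `--apply` to load them.

```shell
#!/bin/sh
# Added example (not from the original thread): DNAT port forwarding done
# completely, with the FORWARD ACCEPT that the HOWTO examples leave out.
set -eu

WAN=eth0                # assumed external interface
LAN=eth1                # assumed internal interface
LAN_NET=192.168.1.0/24  # assumed internal network (the thread's 192.168.1.*)

APPLY=0
if [ "${1:-}" = "--apply" ]; then APPLY=1; fi

# ipt: run iptables for real with --apply, otherwise print the command so the
# generated rule set can be reviewed (or tested) without root.
ipt() {
    if [ "$APPLY" -eq 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# forward_port EXT_PORT INTERNAL_IP [INT_PORT]
# Emits the two rules one port forward needs. The DNAT only rewrites the
# destination; the FORWARD rule is what actually lets the packet through.
forward_port() {
    ext_port=$1
    int_ip=$2
    int_port=${3:-$ext_port}
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    # FORWARD runs after PREROUTING, so match the rewritten destination,
    # not the router's own address or the external port.
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$int_ip" --dport "$int_port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

build_ruleset() {
    # Start clean and set default-deny once, at the top, instead of
    # flipping policies back and forth during the script.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Return traffic for connections that were already allowed.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts going out never touch OUTPUT, only FORWARD, so allow them
    # here and masquerade them on the way out.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Port forwards: standard port 22, plus two non-standard external
    # ports handled exactly like the port 22 case.
    forward_port 22 192.168.1.2
    forward_port 1111 192.168.1.2 22
    forward_port 2222 192.168.1.3 22

    # Catch-all LOG rules last, so anything that falls through is visible
    # in the kernel log before the DROP policy discards it.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

build_ruleset
```

Restricting the FORWARD rule to `-o "$LAN"` and `-d "$int_ip"` keeps the ACCEPT as narrow as the DNAT; the `-s <SomeIPAddress>` from the thread can be added to both rules in `forward_port` if only one client should reach the forwarded port.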


