
Re: Can't get DNAT to port forward SSH



>>>>> "JB" == Jim Breton <vader@conflict.net> writes:
    JB>  I recommend you post a complete copy of your rule set as it is
    JB> now.  Debugging this without seeing them all is proving
    JB> difficult.  Also make sure you have some LOG entries in there to
    JB> catch packets that are not being matched by your other rules.
    JB> 

I finally got it working! I am not sure what did it, but I did get
another copy of my firewall script from CVS that didn't have any DNAT
rules.

(1) So I was able to SSH from another Linux machine not on my internal
net (using the standard port 22) and my SSH connection was
forwarded/redirected to a machine on my internal net (192.168.1.2) as
expected.

(2) I then tried to change things so that SSHing to port 1111 on my
firewall would forward the connection to 192.168.1.2:22. But I couldn't
get this to work.

I am attaching the firewall script that works for scenario (1) above. I
would like to modify it so that SSHing to

   port 1111 forwards the connection to 192.168.1.2
   port 2222 forwards the connection to 192.168.1.3

I'd appreciate any other corrections/critiques to this firewall script.

Thanks, Jim.

#!/bin/sh
#
# $Id: firewall.sh,v 1.3 2001/07/03 07:17:05 ssahmed Exp $
#

IPTABLES=/sbin/iptables

# Loopback interface device
LPDIF=lo

# Loopback Device IP Address
LPDIP=127.0.0.1

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

# Disable response to broadcasts: we don't want to become a Smurf amplifier
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log spoofed packets, source routed packets, redirect packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Enable IP forwarding between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

# Masquerade everything leaving on the external interface (eth0)
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Scenario (1): redirect SSH (port 22) arriving from the A.B.C.0/24 network to
# the internal host. "--to 192.168.1.2" leaves the destination port unchanged.
$IPTABLES -t nat -A PREROUTING -i eth0 -s A.B.C.0/24 -p tcp -d MyIpAddress --dport 22 -j DNAT --to 192.168.1.2

# FORWARD sees the packet after DNAT, so this matches the translated port 22.
# It must come before the NEW,INVALID drop below.
$IPTABLES -A FORWARD -i eth0 -s A.B.C.0/24 -p tcp --dport 22 -j ACCEPT

# Drop any other new or invalid connection attempts coming in on eth0
$IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

# Trust the internal network
$IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Default-deny for everything else arriving at the firewall itself
$IPTABLES -P INPUT DROP

# Allow all ICMP traffic
$IPTABLES -A INPUT -p icmp -j ACCEPT

# The following rule is needed to make SSH X-Forwarding work
$IPTABLES -A INPUT -i $LPDIF -p all -j ACCEPT

$IPTABLES -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT

$IPTABLES -A INPUT -i eth0 -s A.B.C.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Kill malformed packets

# Block XMAS packets
$IPTABLES -A INPUT   -p tcp --tcp-flags ALL ALL  -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL  -j DROP

# Block NULL packets
$IPTABLES -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-level 7 --log-prefix "BLOCKED: "

echo "IPTables firewall started"
-- 
Salman Ahmed
ssahmed AT pathcom DOT com
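Added example for the port 1111/2222 mappings asked for above; this is not code from the original post. It reuses the posted script's placeholders (eth0, A.B.C.0/24, MyIpAddress) and prints the rules instead of running them. The point it demonstrates: a DNAT target with no port ("--to 192.168.1.2") keeps the original destination port, so a connection to port 1111 would arrive at 192.168.1.2:1111 and not match a FORWARD rule for port 22; the target has to name the port explicitly, and the FORWARD accept must match the translated destination and be appended before the NEW,INVALID drop.

```shell
#!/bin/sh
# Added example, not part of the original post. Placeholders are the ones
# used in the posted script.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=eth0
TRUSTED_NET=A.B.C.0/24     # placeholder from the original post
EXTIP=MyIpAddress          # placeholder from the original post

# forward_ssh EXTPORT INTHOST
# Prints the two rules needed so that TCP connections from $TRUSTED_NET to
# $EXTIP:EXTPORT are delivered to INTHOST:22.
#  - PREROUTING/DNAT rewrites the destination; "host:22" sets the port as
#    well as the address, which "--to host" alone would not do.
#  - FORWARD is evaluated after DNAT, so it matches the rewritten destination
#    (INTHOST, port 22). Append it before any "--state NEW,INVALID -j DROP"
#    rule in FORWARD, since rules are matched in order.
forward_ssh() {
    extport=$1
    inthost=$2
    printf '%s\n' \
      "$IPTABLES -t nat -A PREROUTING -i $EXTIF -s $TRUSTED_NET -p tcp -d $EXTIP --dport $extport -j DNAT --to-destination $inthost:22" \
      "$IPTABLES -A FORWARD -i $EXTIF -s $TRUSTED_NET -p tcp -d $inthost --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rule lines emitted for one mapping (sanity check helper)
forward_ssh_count() {
    forward_ssh "$1" "$2" | wc -l | tr -d ' '
}

# The two mappings from the post. Pipe the output through "sh" to apply them
# on the firewall, after the MASQUERADE rule and before the FORWARD drop.
forward_ssh 1111 192.168.1.2
forward_ssh 2222 192.168.1.3
```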
