Re: Can't get DNAT to port forward SSH
>>>>> "JB" == Jim Breton <vader@conflict.net> writes:
JB> I recommend you post a complete copy of your rule set as it is
JB> now. Debugging this without seeing them all is proving
JB> difficult. Also make sure you have some LOG entries in there to
JB> catch packets that are not being matched by your other rules.
JB>
I finally got it working! I am not sure what did it, but I did get
another copy of my firewall script from CVS that didn't have any DNAT
rules.
(1) So I was able to SSH from another linux machine not on my internal
net (using the standard port 22) and my SSH connection was
forwarded/redirected to a machine on my internal net (192.168.1.2) as
expected.
(2) I then tried to change things so that SSHing to port 1111 on my
firewall would forward the connection to 192.168.1.2:22. But I couldn't
get this to work.
I am attaching the firewall script that works for scenario (1) above. I
would like to modify it so that SSHing to
port 1111 forwards the connection to 192.168.1.2
port 2222 forwards the connection to 192.168.1.3
I'd appreciate any other corrections/critiques to this firewall script.
Thanks, Jim.
#!/bin/sh
#
# $Id: firewall.sh,v 1.3 2001/07/03 07:17:05 ssahmed Exp $
#
IPTABLES=/sbin/iptables
# Loopback interface device
LPDIF=lo
# Loopback Device IP Address
LPDIP=127.0.0.1
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
# Disable response to broadcasts: we don't want to become a Smurf amplifier
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Log spoofed packets, source routed packets, redirect packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Enable IP forwarding between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerade traffic from the internal net leaving via eth0
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Scenario (1): SSH (port 22) arriving on eth0 from A.B.C.0/24 is redirected to 192.168.1.2
$IPTABLES -t nat -A PREROUTING -i eth0 -s A.B.C.0/24 -p tcp -d MyIpAddress --dport 22 -j DNAT --to 192.168.1.2
# Let the redirected SSH connections through FORWARD; drop any other new or invalid inbound forwards
$IPTABLES -A FORWARD -i eth0 -s A.B.C.0/24 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
# Accept everything from the internal net and all established/related traffic; default-deny the rest
$IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -P INPUT DROP
# Allow all ICMP traffic
$IPTABLES -A INPUT -p icmp -j ACCEPT
# The following rule is needed to make SSH X-Forwarding work
$IPTABLES -A INPUT -i $LPDIF -p all -j ACCEPT
$IPTABLES -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s A.B.C.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Kill malformed packets
# Block XMAS packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
# Block NULL packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-level 7 --log-prefix "BLOCKED: "
echo "IPTables firewall started"
--
Salman Ahmed
ssahmed AT pathcom DOT com
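An added example (not the script from the post) of the two mappings asked for, written as a small sh helper. It assumes eth0, the A.B.C.0/24 source range and the MyIpAddress placeholder from the posted script, and emits for each mapping the PREROUTING DNAT rule plus a FORWARD rule that matches the translated destination, because FORWARD is traversed after DNAT has already rewritten the packet.

```shell
#!/bin/sh
# Added example (not the script from the post): port-forward two public
# SSH ports to two internal hosts. Assumes eth0, the A.B.C.0/24 source
# range and the MyIpAddress placeholder used in the posted script.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXT_IF=eth0
EXT_IP=MyIpAddress      # placeholder, as in the posted script
TRUSTED=A.B.C.0/24      # placeholder, as in the posted script

# Print the iptables command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# forward_ssh EXT_PORT INT_HOST
# The nat/PREROUTING rule rewrites EXT_IP:EXT_PORT to INT_HOST:22.
# The filter/FORWARD chain is traversed after that rewrite, so its rule
# must match the translated destination (INT_HOST, port 22); a FORWARD
# rule written against --dport EXT_PORT would never see the packet.
forward_ssh() {
    ext_port=$1
    int_host=$2
    run -t nat -A PREROUTING -i "$EXT_IF" -s "$TRUSTED" -p tcp \
        -d "$EXT_IP" --dport "$ext_port" \
        -j DNAT --to-destination "$int_host:22"
    run -A FORWARD -i "$EXT_IF" -s "$TRUSTED" -p tcp \
        -d "$int_host" --dport 22 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# The two mappings asked for in the post.
apply_mappings() {
    forward_ssh 1111 192.168.1.2
    forward_ssh 2222 192.168.1.3
}

case "${1:-}" in
    apply)   apply_mappings ;;
    dry-run) DRY_RUN=1; apply_mappings ;;
esac
```

Run it with `dry-run` to print the rules or `apply` to insert them; since the posted script appends a FORWARD drop for NEW state from eth0, these ACCEPT rules must be added before that line (or with `-I`) so they are matched first.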