Re: Can't get DNAT to port forward SSH
I haven't been paying close attention, but you're sure you have ssh
running on the internal hosts and that you can access that port from the
firewall?
> >>>>> "VK" == Vineet Kumar <debian-security@virtual.doorstop.net> writes:
> VK> add this to the 2 rules above and you should be set:
> VK>
> VK> iptables -A FORWARD -o eth0 -s 192.168.1.2 -d SomeIpAddress \
> VK>     -p tcp --sport 22 -j ACCEPT
> VK>
> VK> I generally like to be as explicit as possible and include both
> VK> interfaces and both addresses in my FORWARD chain, i.e.
> VK>
> VK> iptables -A FORWARD -i $EXT_IF -o $INT_IF -s $REMOTE_HOST -d $DMZ_HOST \
> VK>     -p tcp --dport 22 -j ACCEPT
> VK>
> VK> iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $DMZ_HOST -d $REMOTE_HOST \
> VK>     -p tcp --sport 22 -j ACCEPT
> VK>
> VK> or, better, in place of that second rule:
> VK>
> VK> iptables -m state -A FORWARD -i $INT_IF -o $EXT_IF \
> VK>     -s $DMZ_HOST -d $REMOTE_HOST \
> VK>     -p tcp --sport 22 --state ESTABLISHED,RELATED -j ACCEPT
> VK>
>
> Ok, I tried all of the above. But I still can't get this Port forwarding
> to work.
>
> VK>
> VK> It would work if you change default policy to accept, but that's
> VK> not a good solution.
> VK>
>
> Tried that too!! No change. Arghhhh!
>
> I am beginning to wonder if the kernel version I am using (2.4.3) might
> be causing these problems. Or maybe the fact that I have module support
> disabled in the kernel and all the netfilter options are compiled in ? I
> am just clutching at straws now ...
>
> --
> Salman Ahmed
> ssahmed AT pathcom DOT com
--
Aaron Ghent.
You're not going crazy!
You're going sane...
In a crazy world!
-- The Tick
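The thread shows the FORWARD rules but never the whole picture that a DNAT port forward needs: forwarding enabled in the kernel, the PREROUTING DNAT rule, a FORWARD rule whose -d is the post-DNAT (DMZ) address, and a stateful return rule, plus Aaron's question of whether sshd on the internal host is reachable from the firewall at all. The script below is an added example, not code from any poster; the interface names, the 203.0.113.x / 198.51.100.x addresses and the nc reachability probe are constructed assumptions. It defaults to DRY_RUN=1 (printing the commands); run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example: complete single-host SSH DNAT port forward on the firewall.
# All addresses and interface names are placeholders; override via environment.
EXT_IF="${EXT_IF:-eth0}"                 # assumed: interface facing the Internet
INT_IF="${INT_IF:-eth1}"                 # assumed: interface facing the DMZ/LAN
EXT_IP="${EXT_IP:-203.0.113.10}"         # constructed: firewall's public address
DMZ_HOST="${DMZ_HOST:-192.168.1.2}"      # internal host running sshd (from the thread)
REMOTE_HOST="${REMOTE_HOST:-198.51.100.7}"  # constructed: the only client allowed in
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# check_dmz_ssh: Aaron's question, made testable. Before touching iptables,
# confirm that sshd on the DMZ host answers on port 22 from the firewall itself.
# Assumes an nc that supports -z (scan) and -w (timeout).
check_dmz_ssh() {
    nc -z -w 3 "$DMZ_HOST" 22
}

# apply_ssh_dnat: the four pieces, in order. The FORWARD chain is only consulted
# when ip_forward is on; DNAT happens in PREROUTING, so the FORWARD rule must
# match the rewritten destination ($DMZ_HOST), not the public $EXT_IP.
apply_ssh_dnat() {
    # 1. Enable IP forwarding in the kernel.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Rewrite the destination of inbound SSH from the allowed client.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -s "$REMOTE_HOST" -d "$EXT_IP" \
        -p tcp --dport 22 -j DNAT --to-destination "$DMZ_HOST:22"
    # 3. Let the rewritten packet through FORWARD (new and ongoing connections).
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$REMOTE_HOST" -d "$DMZ_HOST" \
        -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    # 4. Return traffic: only packets that belong to a connection already tracked,
    #    so a default-DROP policy can stay in place.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$DMZ_HOST" -d "$REMOTE_HOST" \
        -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# rule_count: number of commands the rule set consists of (for checking the
# dry-run output).
rule_count() {
    apply_ssh_dnat | grep -c ''
}

if [ "$DRY_RUN" = "0" ]; then
    check_dmz_ssh || {
        echo "sshd on $DMZ_HOST:22 is not reachable from the firewall; fix that first" >&2
        exit 1
    }
fi
apply_ssh_dnat
```

With DRY_RUN=1 the script prints the four commands so they can be reviewed; with DRY_RUN=0 it refuses to add rules until the internal sshd actually answers from the firewall, which separates "the DNAT is wrong" from "the target is down". Verify the result afterwards with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` and watch the packet counters while connecting.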