
Re: Can't get DNAT to port forward SSH



> $IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
^^^^^^^^^^^^^^^^^^^^
It's right here. This statement says that no matter what rules you add
after this, any new connections will be dropped in the FORWARD chain.
This is sort of a "policy hack" -- you're using this type of rule
instead of a policy of DROP, as a sort of "catch-all" to keep your
FORWARD chain secure. That's fine, as long as you remember to first
allow what you want to allow before your catchall drops it. If you
want ports 1111 and 2222 to be allowed, make sure you do so BEFORE
this line.

I've added rules below that will work and be consistent with your
current design. I still suggest that you make the rules a little more
comprehensive by making all rules in your FORWARD chain include as
much information as is applicable, including:

source address, source port, incoming interface
dest. address, dest. port, outgoing interface
state (NEW,ESTABLISHED,RELATED,INVALID,etc.)

Also, I think it's confusing the way you have -P INPUT ACCEPT at the
top and later change that to -P INPUT DROP. It changes the whole
attitude of the ruleset; it only makes sense for design to decide at
the top which one you'll be using and stick with it.

I'm also not sure why you have rules for ssh X-Forwarding; ssh traffic
is ssh traffic, no matter whether what's inside is tunneled shell traffic,
X11 traffic, or other port forwards. That's the point of the tunnel.

Vineet

* S. Salman Ahmed (ssahmed@pathcom.com) [010705 11:34]:
Content-Description: iptables firewall script
#!/bin/sh
#
# $Id: firewall.sh,v 1.3 2001/07/03 07:17:05 ssahmed Exp $
#

IPTABLES=/sbin/iptables

# Loopback interface device
LPDIF=lo

# Loopback Device IP Address
LPDIP=127.0.0.1

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

# Disable response to broadcasts: we don't want to become a Smurf amplifier
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log spoofed packets, source routed packets, redirect packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

echo 1 > /proc/sys/net/ipv4/ip_forward

$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

$IPTABLES -t nat -A PREROUTING -i eth0 -s A.B.C.0/24 -p tcp -d MyIpAddress --dport 22 -j DNAT --to 192.168.1.2

#VK: I added these 2 lines
$IPTABLES -t nat -A PREROUTING -i eth0 -s A.B.C.0/24 -p tcp -d MyIpAddress --dport 1111 -j DNAT --to 192.168.1.2
$IPTABLES -t nat -A PREROUTING -i eth0 -s A.B.C.0/24 -p tcp -d MyIpAddress --dport 2222 -j DNAT --to 192.168.1.3

$IPTABLES -A FORWARD -i eth0 -s A.B.C.0/24 -p tcp --dport 22 -j ACCEPT

#VK: I added these 2 lines. It is critical that they are placed before
# the line that says NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i eth0 -s A.B.C.0/24 -p tcp --dport 1111 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s A.B.C.0/24 -p tcp --dport 2222 -j ACCEPT

$IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

$IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -P INPUT DROP

# Allow all ICMP traffic
$IPTABLES -A INPUT -p icmp -j ACCEPT

# The following rule is needed to make SSH X-Forwarding work
$IPTABLES -A INPUT -i $LPDIF -p all -j ACCEPT

$IPTABLES -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT

$IPTABLES -A INPUT -i eth0 -s A.B.C.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Kill malformed packets

# Block XMAS packets
$IPTABLES -A INPUT   -p tcp --tcp-flags ALL ALL  -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL  -j DROP

# Block NULL packets
$IPTABLES -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-level 7 --log-prefix "BLOCKED: "

echo "IPTables firewall started"

-- 
Salman Ahmed
ssahmed AT pathcom DOT com

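To make the ordering point from the reply above concrete, here is an added example that is not part of Vineet's reply or Salman's script. It is a small first-match simulator of the PREROUTING (nat) and FORWARD chains: it models only the matches the script uses (-i, -s, -d, -p, --dport, -m state) and treats the conntrack state as a given label on the packet. The addresses are constructed: the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.1 stand in for the post's A.B.C.0/24 and MyIpAddress, and 192.168.1.2 is the internal host. It shows that with the NEW,INVALID catch-all ahead of the port 1111 ACCEPT, a new connection is dropped, and that with the ACCEPT first it gets through; it also shows that, after DNAT in PREROUTING, the FORWARD chain sees the rewritten internal destination, which matters if you follow the advice to match on destination address in FORWARD.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges) standing in for the
# post's A.B.C.0/24 and MyIpAddress; 192.168.1.2 is the forwarded-to host.
ALLOWED_NET = "203.0.113.0/24"
FIREWALL_IP = "198.51.100.1"
INTERNAL_HOST = "192.168.1.2"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str
    state: str  # conntrack's view: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    """One iptables rule: every match that is set must hold for the target to fire."""
    target: str                      # ACCEPT, DROP, or "DNAT:<new destination>"
    in_iface: Optional[str] = None   # -i
    src_net: Optional[str] = None    # -s
    dst: Optional[str] = None        # -d
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    states: frozenset = frozenset()  # -m state --state (empty means no state match)

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src_net is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def run_chain(rules, policy, pkt):
    """iptables semantics: the first matching terminating rule wins, otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def prerouting_dnat(nat_rules, pkt):
    """Apply the first matching DNAT rule; everything after PREROUTING sees the rewritten destination."""
    verdict = run_chain(nat_rules, "ACCEPT", pkt)
    if verdict.startswith("DNAT:"):
        return replace(pkt, dst=verdict.split(":", 1)[1])
    return pkt


# nat PREROUTING: the script's port 22 rule plus the added port 1111 rule.
NAT_PREROUTING = [
    Rule(target=f"DNAT:{INTERNAL_HOST}", in_iface="eth0", src_net=ALLOWED_NET, dst=FIREWALL_IP, proto="tcp", dport=22),
    Rule(target=f"DNAT:{INTERNAL_HOST}", in_iface="eth0", src_net=ALLOWED_NET, dst=FIREWALL_IP, proto="tcp", dport=1111),
]

CATCHALL_DROP = Rule(target="DROP", in_iface="eth0", states=frozenset({"NEW", "INVALID"}))
ALLOW_1111 = Rule(target="ACCEPT", in_iface="eth0", src_net=ALLOWED_NET, proto="tcp", dport=1111)

# Catch-all first: the ACCEPT after it can never run for a NEW connection.
FORWARD_BROKEN = [CATCHALL_DROP, ALLOW_1111]
# ACCEPT first, catch-all second: the ordering the reply recommends.
FORWARD_FIXED = [ALLOW_1111, CATCHALL_DROP]


def forward_verdict(forward_rules, pkt):
    """Path of an inbound packet: PREROUTING DNAT, then FORWARD (policy ACCEPT, as in the script)."""
    return run_chain(forward_rules, "ACCEPT", prerouting_dnat(NAT_PREROUTING, pkt))


# Constructed sample packets.
NEW_SSH_1111 = Packet(src="203.0.113.10", dst=FIREWALL_IP, proto="tcp", dport=1111, in_iface="eth0", state="NEW")
NEW_FROM_ELSEWHERE = Packet(src="192.0.2.50", dst=FIREWALL_IP, proto="tcp", dport=1111, in_iface="eth0", state="NEW")
REPLY_ESTABLISHED = replace(NEW_SSH_1111, state="ESTABLISHED")

if __name__ == "__main__":
    print("catch-all first, NEW to 1111:", forward_verdict(FORWARD_BROKEN, NEW_SSH_1111))
    print("ACCEPT first,    NEW to 1111:", forward_verdict(FORWARD_FIXED, NEW_SSH_1111))
    print("ACCEPT first,    NEW from outside the /24:", forward_verdict(FORWARD_FIXED, NEW_FROM_ELSEWHERE))
    print("destination seen by FORWARD:", prerouting_dnat(NAT_PREROUTING, NEW_SSH_1111).dst)
```

Note the last line of output: by the time the packet reaches FORWARD its destination is already 192.168.1.2, so a FORWARD rule written with -d MyIpAddress would never match the forwarded SSH traffic; the destination to match there is the internal host.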