Re: Can't get DNAT to port forward SSH
>>>>> "JB" == Jim Breton <vader@conflict.net> writes:
>> $IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
JB> Only looked at your rule set briefly but I think that is the
JB> line that is killing you. You will need a line to specifically
JB> forward tcp blabla.. (basically matching your DNAT rule) to your
JB> internal address.
JB>
You mean something of the form:
iptables -A FORWARD -i eth0 -p tcp -s <SomeIPAddress> --dport 22 -j DNAT --to 192.168.1.2
I thought the earlier DNAT rule would take care of this? All the docs I
have seen on DNAT (including the netfilter HOWTO) _seem_ to imply that
one DNAT rule is enough to do this kind of port-forwarding.
JB>
JB> P.S. Your configuration appears to be of the "default accept"
JB> nature, rather than "default drop." I would recommend a
JB> complete re-write to drop and log by default, and then write
JB> rules to allow just those things you need. :) But hopefully the
JB> above answers your actual question.
JB>
In my script, I first set the default policies on INPUT, OUTPUT and
FORWARD to ACCEPT. I later (i.e. towards the end of the script) set the
default policy on INPUT to DROP. If I change the default policy on
OUTPUT to DROP, will I have to add a rule to specifically allow
outgoing packets from my 192.168.1.* local net?
Also, what if I want to use a port number other than the standard port
22 for SSH, i.e.:
port 1111 => port forward to InternalMachine1:22
port 2222 => port forward to InternalMachine2:22
etc.
Is there a convention to use/keep in mind when setting up something like this?
Thanks.
--
Salman Ahmed
ssahmed AT pathcom DOT com
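An added example (not the poster's script, nor anything from the thread) showing how the DNAT rule and the FORWARD rule for each forwarded port fit together with the "NEW,INVALID -j DROP" line quoted above; it assumes eth0 is the Internet side and uses constructed addresses 192.168.1.2 and 192.168.1.3 for InternalMachine1 and InternalMachine2.

```shell
#!/bin/sh
# Emit the iptables rules for a set of "external port -> internal host:22"
# forwards, in an order that works with a FORWARD chain that drops
# unsolicited NEW traffic from eth0.  Prints by default; APPLY=1 executes.
IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
# "extport:host" pairs (constructed values for the two internal machines).
PLAN="${PLAN:-1111:192.168.1.2 2222:192.168.1.3}"

# DNAT is applied in nat/PREROUTING, before the routing decision, so when
# the packet reaches filter/FORWARD its destination is already <host>:22.
# The FORWARD rule therefore matches the rewritten address and port, not
# the external port, and it must precede the NEW,INVALID drop or the first
# SYN of every session is discarded.  (Forwarded LAN traffic traverses
# FORWARD, not OUTPUT; OUTPUT only sees packets the router itself sends.)
rule_pair() {
    ext_port=$1; host=$2
    echo "$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $ext_port -j DNAT --to-destination $host:22"
    echo "$IPTABLES -A FORWARD -i $EXT_IF -p tcp -d $host --dport 22 -m state --state NEW -j ACCEPT"
}

# Replies to existing connections first, then one exception per forwarded
# port, then the catch-all drop for anything else new from the outside.
ruleset() {
    echo "$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for entry in $PLAN; do
        rule_pair "${entry%%:*}" "${entry#*:}"
    done
    echo "$IPTABLES -A FORWARD -i $EXT_IF -m state --state NEW,INVALID -j DROP"
}

if [ "${APPLY:-0}" = 1 ]; then
    ruleset | while IFS= read -r line; do eval "$line"; done
else
    ruleset
fi
```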