
Re: Can't get DNAT to port forward SSH



>>>>> "VK" == Vineet Kumar <debian-security@virtual.doorstop.net> writes:
    VK>  add this to the 2 rules above and you should be set:
    VK> 
    VK> iptables -A FORWARD -o eth0 -s 192.168.1.2 -d SomeIpAddress \
    VK>     -p tcp --sport 22 -j ACCEPT
    VK> 
    VK> I generally like to be as explicit as possible and include both
    VK> interfaces and both addresses in my FORWARD chain, i.e.
    VK> 
    VK> iptables -A FORWARD -i $EXT_IF -o $INT_IF -s $REMOTE_HOST -d $DMZ_HOST \
    VK>     -p tcp --dport 22 -j ACCEPT
    VK> 
    VK> iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $DMZ_HOST -d $REMOTE_HOST \
    VK>     -p tcp --sport 22 -j ACCEPT
    VK> 
    VK> or, better, in place of that second rule:
    VK> 
    VK> iptables -m state -A FORWARD -i $INT_IF -o $EXT_IF \
    VK>     -s $DMZ_HOST -d $REMOTE_HOST \
    VK>     -p tcp --sport 22 --state ESTABLISHED,RELATED -j ACCEPT
    VK> 

OK, I tried all of the above. But I still can't get this port forwarding
to work.

    VK> 
    VK> It would work if you change default policy to accept, but that's
    VK> not a good solution.
    VK> 

Tried that too!! No change. Arghhhh!

I am beginning to wonder if the kernel version I am using (2.4.3) might
be causing these problems. Or maybe the fact that I have module support
disabled in the kernel and all the netfilter options are compiled in? I
am just clutching at straws now ...

-- 
Salman Ahmed
ssahmed AT pathcom DOT com
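Added example, not part of this thread and not code from either poster: a complete rule set for the setup the thread is debugging, forwarding inbound SSH on the external interface to a DMZ host with DNAT, written as a small script. The interface names, the DMZ address and the remote address are assumptions (the remote address is a constructed TEST-NET-3 value). The FORWARD rules follow the explicit source/destination/interface style quoted above, but reply traffic is admitted with a single connection-tracking rule instead of a `--sport 22` rule. `DRY_RUN=1` (the default) prints the commands instead of running them, so the rule set can be reviewed without root or iptables. The script also checks `net.ipv4.ip_forward`: the kernel does not forward packets at all while that sysctl is 0, and a DNAT rule on a host with forwarding disabled is a common reason a port forward silently does nothing.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT port forward of SSH to a DMZ host.
# All variables below are assumptions; override them in the environment.
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = apply them
EXT_IF="${EXT_IF:-eth0}"                    # assumed external interface
INT_IF="${INT_IF:-eth1}"                    # assumed internal/DMZ interface
DMZ_HOST="${DMZ_HOST:-192.168.1.2}"         # DMZ SSH server (from the thread)
REMOTE_HOST="${REMOTE_HOST:-203.0.113.10}"  # constructed remote client address

# Wrapper: print the iptables command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit (or apply) the three rules needed for the forward.
dnat_ssh_rules() {
    # 1. Rewrite the destination of inbound SSH arriving on the external
    #    interface, before routing, so the packet is routed to the DMZ host.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 22 \
        -j DNAT --to-destination "$DMZ_HOST":22
    # 2. Let the new connection through FORWARD. Because DNAT already ran in
    #    PREROUTING, the destination seen here is the DMZ host. Both interfaces
    #    and both addresses are pinned, so only $REMOTE_HOST may open SSH.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$REMOTE_HOST" -d "$DMZ_HOST" \
        -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # 3. Admit packets that belong to tracked connections in either direction;
    #    this replaces a hand-written --sport 22 reverse rule.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# True when the kernel is willing to forward packets between interfaces.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

ip_forward_enabled || echo "warning: net.ipv4.ip_forward is not 1; nothing will be forwarded" >&2
dnat_ssh_rules
```

Run it once with the default `DRY_RUN=1` to review the generated commands, then with `DRY_RUN=0` as root to apply them; a default DROP policy on FORWARD still holds, since only the pinned SSH connection and its tracked replies are accepted.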


