
Re: iptables - dynamic ip - port forward ssh to internal box



hi Paul,

On Wed, 30 Apr 2003 09:52:18 -0700 (PDT)
Paul <gabaod@yahoo.com> wrote:

> I have 2 linux boxes, and 2 windows boxes.  One linux
> box will be the firewall/gateway, internet on eth0 and
> internal lan on eth1.  What I'm looking for is basic
> suggestions on my script, and also needing to know how
> I can, let's say, have all external connections that try
> to connect to me on port 10022 be forwarded to
> 192.168.1.8:22, so that I can be able to ssh into both
> of my linux boxes, the firewall one, and an internal
> one.  I've had 0 luck with adding stuff into PREROUTING
> to get it working, after looking at many scripts.  I

The Linux IP masq HOWTO sure did answer my questions about this:
http://www.e-infomax.com/ipmasq/howto/c-html/index.html

I *think* you'll have to use different ports (at the firewall
at least) for ssh logins into different hosts.

> currently have rinetd running with it, which will
> allow me to connect via 10022 within my internal
> network and it does forward it correctly, but by doing
> an external connection to port 10022, it can't connect
> at all, and yes I did open port 10022 on my INPUT, the
> script below doesn't include that since I'm in the testing
> phase, but I'd prefer to get it working w/o rinetd.

INPUT is applied when a packet arrives at the firewalling host itself.
What you want is 'FORWARD' to forward packets coming in on one port
(let's say port 10022) and pass them to another port (e.g. port 22, on
which sshd listens by default) on another host.

I use something like

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 22 -m state --state \
NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 22 -j DNAT \
--to-destination $PORTFWIP:22

Lemme know if this helps, or especially if I'm wrong.

f. soul

-- 
  ,           , 
 /             \ 	GNU's not Unix
((__-^^-,-^^-__)) 
 `-_---' `---_-' 	  Funky Soul
  `--|o` 'o|--' 
     \  `  / 		  funkysoul@
      ): :( 		swissonline.ch
      :o_o: 
       "-" 
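A complete version of the two-rule approach from the reply above, filled in with Paul's numbers, as an added example that is not code from the original mail or from the HOWTO. It assumes eth0 is the external interface, eth1 the internal one, 192.168.1.8:22 the box to reach, 10022 the public port, and that the FORWARD chain's default policy is DROP with no earlier catch-all rule (otherwise insert the ACCEPTs with -I instead of -A). The DRYRUN knob, the run/ssh_forward_rules/show_counters names and the "apply"/"check" arguments are this example's own. Because the external address is dynamic, the DNAT rule matches on the incoming interface (-i) rather than on -d $EXTIP, so it does not break when the address changes.

```sh
#!/bin/sh
# Forward TCP 10022 on the outside to 192.168.1.8:22 on the LAN.
# Added example, not from the original mail. Assumed: eth0 = external,
# eth1 = internal, 192.168.1.8 = internal ssh host, FORWARD policy DROP.
# DRYRUN=1 prints the commands instead of running them.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
FWD_HOST="${FWD_HOST:-192.168.1.8}"
EXT_PORT="${EXT_PORT:-10022}"
INT_PORT="${INT_PORT:-22}"
DRYRUN="${DRYRUN:-0}"

run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ssh_forward_rules() {
    # Without IP forwarding enabled the FORWARD chain never sees the packet.
    run sysctl -w net.ipv4.ip_forward=1

    # nat/PREROUTING rewrites the destination before the routing decision.
    # Matching on the incoming interface instead of -d $EXTIP keeps the rule
    # valid across changes of the (dynamic) external address.
    run iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$FWD_HOST:$INT_PORT"

    # filter/FORWARD is evaluated after the DNAT, so it must match the
    # rewritten destination (192.168.1.8:22), not the public port 10022.
    # (-m state --state is the older spelling of -m conntrack --ctstate.)
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp \
        -d "$FWD_HOST" --dport "$INT_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # Replies from the internal host back out; conntrack un-NATs them.
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

show_counters() {
    # Packet counters show where a connection attempt stops.
    run iptables -t nat -L PREROUTING -n -v
    run iptables -L FORWARD -n -v
}

case "${1:-}" in
    apply) ssh_forward_rules ;;
    check) show_counters ;;
esac
```

Run "sh fwd.sh apply" as root to load the rules, or "DRYRUN=1 sh fwd.sh apply" to only print them. Then "ssh -p 10022 <external address>" from a host outside the LAN and compare "sh fwd.sh check" before and after: if the PREROUTING DNAT counter increments but the FORWARD ACCEPT does not, forwarding is off or an earlier FORWARD rule drops the packet; if neither moves, the packet never reaches eth0 (upstream filtering, or the wrong address). Two caveats: clients on the LAN connecting to the external address on 10022 will not work with these rules alone, since the server would answer them directly instead of through the firewall (that needs an extra SNAT/MASQUERADE on the internal side), and a non-standard port does not hide sshd from scanners, so key-based authentication on 192.168.1.8 still matters.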
