
Re: iptables - dynamic ip - port forward ssh to internal box



Well, what I was doing was completely doing ACCEPT as the default rules, just
for testing purposes.

And I found out that THIS did work:

iptables -t nat -A PREROUTING -d EXTIP -p tcp --dport 22 -j DNAT --to 192.168.1.8:22

but then for some reason any other port for the --dport wasn't working.  Then,
for shits n giggles, I tried it as port 80.

And guess what, it worked, so then I concluded that where I was testing it
from, my work, blocks most outgoing ports :)   Took me about 6+ hours into my
work day before I figured that out :(

thanks
-paul


--- funky soul <funkysoul@swissonline.ch> wrote:
> hi Paul,
> 
> On Wed, 30 Apr 2003 09:52:18 -0700 (PDT)
> Paul <gabaod@yahoo.com> wrote:
> 
> > I have 2 linux boxes, and 2 windows boxes.  One linux box will be the
> > firewall/gateway, internet on eth0 and internal lan on eth1.  What I'm
> > looking for is basic suggestions on my script, and also needing to know
> > how I can, let's say, have all external connections that try to connect
> > to me on port 10022 be forwarded to 192.168.1.8:22, so that I can be able
> > to ssh into both of my linux boxes, the firewall one, and an internal
> > one.  I've had 0 luck with adding stuff into PREROUTING to get it
> > working, after looking at many scripts.  I
> 
> the linux ip masq howto sure did answer my questions about this
> http://www.e-infomax.com/ipmasq/howto/c-html/index.html
> 
> i *think* you'll have to use different ports (at the firewall at least)
> for ssh logins into different hosts.
> 
> > currently have rinetd running with it, which will allow me to connect
> > via 10022 within my internal network and it does forward it correctly,
> > but by doing an external connection to port 10022, it can't connect at
> > all, and yes I did open port 10022 on my INPUT, the script below doesn't
> > include that since I'm in testing phase, but I'd prefer to get it working
> > w/o rinetd.
> 
> INPUT is applied when a packet arrives into the firewalling host.
> what you want is 'FORWARD' to forward packets coming in on one port
> (let's say port 10022) and pass it to another port (e.g. port 22 on
> which sshd listens per default) on another host.
> 
> i use something like
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 22 -m state --state \
>   NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 22 -j DNAT \
>   --to $PORTFWIP:22
> 
> lemme know if this helps or especially if i'm wrong 
> 
> f. soul
> 
> -- 
>   ,           , 
>  /             \ 	GNU's not Unix
> ((__-^^-,-^^-__)) 
>  `-_---' `---_-' 	  Funky Soul
>   `--|o` 'o|--' 
>      \  `  / 		  funkysoul@
>       ): :( 		swissonline.ch
>       :o_o: 
>        "-" 
> 
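The two rules quoted above (DNAT in the nat table's PREROUTING, plus a FORWARD rule for the rewritten flow) are the whole mechanism. As an added example that is not part of this thread and not code from either poster, here is a small POSIX shell script that emits a complete ruleset in iptables-restore format for the 10022-to-192.168.1.8:22 case, with the FORWARD policy set to DROP so that only the one forwarded flow (and reply traffic) is passed. The interface names, the 203.0.113.10 documentation address standing in for the gateway's dynamic public IP, the 198.51.100.0/24 source range, and the function and variable names are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset that
# DNATs one external TCP port to sshd on an internal host and lets the FORWARD
# chain pass only that flow plus reply traffic.  All addresses, interfaces and
# names are assumptions chosen for illustration.

# gen_ruleset EXTIP EXTPORT INTIP INTPORT EXTIF INTIF [SRC]
# Prints the ruleset on stdout.  SRC limits which clients may reach the
# forwarded port; it defaults to everyone (0.0.0.0/0).
gen_ruleset() {
    extip=$1 extport=$2 intip=$3 intport=$4 extif=$5 intif=$6
    src=${7:-0.0.0.0/0}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the destination before routing, so the kernel routes the packet to
# the LAN host.  With a dynamic public IP the "-d $extip" match goes stale when
# the address changes: either regenerate the ruleset then, or drop "-d" and
# rely on the "-i $extif" match alone.
-A PREROUTING -i $extif -d $extip -p tcp --dport $extport -j DNAT --to-destination $intip:$intport
# MASQUERADE rather than SNAT: it uses the interface's current address, which
# is what a dynamic public IP needs.
-A POSTROUTING -o $extif -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# sshd on the gateway itself is reached through INPUT, not FORWARD.
-A INPUT -i $extif -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The forwarded flow.  DNAT has already rewritten the destination, so FORWARD
# matches the internal address and port, not the external ones.
-A FORWARD -i $extif -o $intif -s $src -d $intip -p tcp --dport $intport -m state --state NEW -j ACCEPT
# LAN hosts may open connections outward; replies return via ESTABLISHED above.
-A FORWARD -i $intif -o $extif -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Stand-alone use (values are constructed defaults, override via environment):
#   EXTIP=203.0.113.10 sh fwd-ssh.sh | iptables-restore --test
# and, once --test reports no errors, the same pipeline without --test.
gen_ruleset "${EXTIP:-203.0.113.10}" "${EXTPORT:-10022}" \
            "${PORTFWIP:-192.168.1.8}" "${INTPORT:-22}" \
            "${EXTIF:-eth0}" "${INTIF:-eth1}" "${ALLOWED_SRC:-0.0.0.0/0}"
```

Two practical notes. First, Paul's six-hour detour is worth building into the test plan: verify the forward from a network that does not filter outbound connections to the chosen port, or run `tcpdump -ni eth0 tcp port 10022` on the gateway while you connect, which tells you immediately whether the SYN ever arrives. Second, an unusual external port is not an access control; if the set of clients is known, pass it as the SRC argument so the FORWARD rule only admits those addresses, and keep sshd on the internal host on key-based authentication.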






