
Re: iptables - dynamic ip - port forward ssh to internal box



--- Jason McCarty <bclg@iup.edu> wrote:
> Paul wrote:
> > Ok, I'm resetting up my home network, and hence the reason for this letter :)
> > 
> > I have 2 linux boxes, and 2 windows boxes. One linux box will be the firewall/gateway, internet on eth0 and internal lan on eth1. What I'm looking for is basic suggestions on my script, and also needing to know how I can, let's say, have all external connections that try to connect to me on port 10022 be forwarded to 192.168.1.8:22, so that I can be able to ssh into both of my linux boxes, the firewall one, and an internal one. I've had 0 luck with adding stuff into PREROUTING to get it working, after looking at many scripts. I currently have rinetd running with it, which will allow me to connect via 10022 within my internal network and it does forward it correctly, but by doing an external connection to port 10022, it can't connect at all, and yes I did open port 10022 on my INPUT; the script below doesn't include that since I'm in testing phase, but I'd prefer to get it working w/o rinetd.
> 
> Well, to do this without rinetd, you probably want the following rules:
> 	$IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 10022 \
> 		-j DNAT --to 192.168.1.8:22
> 	$IPTABLES -A FORWARD -i $EXTDEV -o $INTDEV -p tcp -d 192.168.1.8 \
> 		--dport 22 -j ACCEPT
> Note that this will only work when testing from a machine outside your firewall.
> 
> HTH,
> 
> Jason
> 


Well, I figured out I did test it like that, and my work blocks many outgoing ports, but I was able to get it to forward port 23 to 192.168.1.8:22.

Now the forward cmd I have is just

iptables -A FORWARD -p tcp --dport 22 -j ACCEPT

and it works fine. Now, any reason as to why you suggest to make it

$IPTABLES -A FORWARD -i $EXTDEV -o $INTDEV -p tcp -d 192.168.1.8 --dport 22 -j ACCEPT

Is it for security reasons or some other thing?

Also, how would I go about making it so it would also work from the internal network, because I do plan on getting a web server running as well, which would just be

iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 80 -j DNAT --to 192.168.1.8:80
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT

But I would like it so I could view the website internally as well, and I'm not quite sure how to go about that, because I know it's just prerouting stuff from the external network, not the internal one.

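The rules discussed in this thread, as an added example that is not part of any of the posts: a script that emits the external DNAT plus the interface- and host-qualified FORWARD rule, and the extra hairpin DNAT/SNAT pair that lets LAN clients reach the same service through the external address. Interface names eth0/eth1 and the host 192.168.1.8 come from the thread; the public address 203.0.113.10, the LAN prefix 192.168.1.0/24 and the gateway address 192.168.1.1 are assumed values.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the iptables rules for one
# DNAT port forward, qualified the way Jason's FORWARD rule is, plus the
# "hairpin" rules LAN clients need to reach the service via the external IP.
# IPT defaults to "echo" so rules are only printed; as root, IPT=iptables
# installs them. Every address below is an assumed value.
IPT="${IPT:-echo}"
EXTDEV="${EXTDEV:-eth0}"            # internet side (as in the thread)
INTDEV="${INTDEV:-eth1}"            # LAN side (as in the thread)
EXTIP="${EXTIP:-203.0.113.10}"      # current public address; with a dynamic
                                    # IP re-run this whenever it changes
INTNET="${INTNET:-192.168.1.0/24}"  # LAN prefix (assumed)
GWIP="${GWIP:-192.168.1.1}"         # firewall's LAN address (assumed)

# forward_port EXTPORT DSTIP DSTPORT
forward_port() {
    extport="$1"; dstip="$2"; dstport="$3"
    # External clients: rewrite the destination before the routing decision.
    $IPT -t nat -A PREROUTING -i "$EXTDEV" -p tcp --dport "$extport" \
        -j DNAT --to-destination "$dstip:$dstport"
    # Accept only what that DNAT produces: correct ingress/egress interfaces,
    # exact host and port. A bare "--dport 22 -j ACCEPT" would also forward
    # packets to port 22 on any other host and in the LAN-to-internet direction.
    $IPT -A FORWARD -i "$EXTDEV" -o "$INTDEV" -p tcp -d "$dstip" \
        --dport "$dstport" -m state --state NEW -j ACCEPT
    # Hairpin: LAN clients talking to EXTIP:EXTPORT get the same DNAT,
    # and the forwarded packet now enters and leaves on the LAN interface ...
    $IPT -t nat -A PREROUTING -i "$INTDEV" -d "$EXTIP" -p tcp --dport "$extport" \
        -j DNAT --to-destination "$dstip:$dstport"
    $IPT -A FORWARD -i "$INTDEV" -o "$INTDEV" -p tcp -d "$dstip" \
        --dport "$dstport" -m state --state NEW -j ACCEPT
    # ... and is SNATed to the firewall so the server answers through it.
    # Without this the server replies directly from $dstip; the client expects
    # a reply from EXTIP and drops it, so the connection hangs.
    $IPT -t nat -A POSTROUTING -o "$INTDEV" -s "$INTNET" -d "$dstip" -p tcp \
        --dport "$dstport" -j SNAT --to-source "$GWIP"
}

# Reply traffic for every accepted forward, added once.
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
forward_port 10022 192.168.1.8 22   # ssh to the internal box
forward_port 80    192.168.1.8 80   # the planned web server
```

With IPT unset the script only prints the five rules each forward needs, which is a convenient way to review them before installing anything.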