I'm trying to forward port 23 (telnet) on my firewall to 22 (ssh) on my workstation. Getting around some outbound traffic filtering issues. However, when I attempt to connect to this interface, I'm getting "connection refused".

The boxen in question are firewall: OpenBSD running ipf (firewall) and ipnat (masquerade/NAT), and workstation: Debian, no filters or masq.

I'm trying to figure out where the stoppage is occurring; it's a bit hard to work that out. I'd appreciate any suggestions in troubleshooting the problem. I *think* I've configured my forwarding and filtering rules to let this happen, but it seems it's not. I'm suspecting tcpwrappers on the GNU/Linux side, but can't work out whether or why that would be happening. No logs on either the firewall or the GNU/Linux box appear to be updating as the refusals appear (I'm trying to connect _from_ the workstation _to_ the external network IP of the firewall right now).

OpenBSD ipf.rules. Line 89 should open up telnet for forwarding.

------------------------------------------------------------------------
1 ############################################################
2 # Firewalling rules
3 ############################################################
4
5 # Default policies
6 block in log all
7 pass out all
8
9 # Pass internal traffic
10 pass in quick on lo0 all
11 pass in on dc0 all
12
13
14 # Don't allow spoofing of internal addresses:
15
16 # ...unroutables
17 block in log quick on tun0 from 0.0.0.0/32 to any
18 block in log quick on tun0 from 255.255.255.255/32 to any
19 block in log quick on tun0 from 127.0.0.0/8 to any
20
21 block in log quick on tun0 from any to 0.0.0.0/32
22 block in log quick on tun0 from any to 255.255.255.255/32
23 block in log quick on tun0 from any to 127.0.0.0/8
24
25 # ...internal networks
26 block in log quick on tun0 from 10.0.0.0/8 to any
27 block in log quick on tun0 from 172.16.0.0/12 to any
28 block in log quick on tun0 from 192.168.0.0/16 to any
29
30
31 # drop itsy bitsy frags
32 block in log quick proto tcp all with short
33
34
35 # drop packets with options (especially if they're under water)
36 block in log quick all with opt lsrr
37 block in log quick all with opt ssrr
38
39
40 # allow certain classes of ICMP
41 pass in quick on tun0 proto icmp all icmp-type 0
42 pass in quick on tun0 proto icmp all icmp-type 3
43 # ...Jury's out on icmp-type 8.
44 # pass in quick on tun0 proto icmp all icmp-type 8
45 pass in quick on tun0 proto icmp all icmp-type 11
46
47
48 # DNS -- nameservers
49 pass in quick on tun0 proto tcp/udp from 206.214.98.33 port = 53 to any
50 pass in quick on tun0 proto tcp/udp from 206.214.98.34 port = 53 to any
51
52
53
54 # prevent outside machines from initiating TCP connections to machines
55 # within our network
56 block in log on tun0 proto tcp all flags S/SA
57 block out log on tun0 proto tcp all flags SA/SA
58
59 # allow inbound ssh and mail connections
60 pass in quick on tun0 proto tcp from any to any port = 22 flags S/SA keep state
61 pass in quick on tun0 proto tcp from any to any port = 25 flags S/SA keep state
62
63 pass in quick on dc0 proto tcp from any to any port = 22 flags S/SA keep state
64 pass in quick on dc0 proto tcp from any to any port = 25 flags S/SA keep state
65
66
67 # allow return packets from connection we initiated
68 pass out on tun0 proto tcp all keep state
69 pass out on dc0 proto tcp all keep state
70
71 # REJECT auth connections for fast SMTP handshake
72 block return-rst in quick on tun0 proto tcp from any to any port = 113
73
74
75 #########################################################################
76 # Additional lock-down rules
77
78 # OK, ppp connection
79 block in on tun0 proto tcp from any to any port 0 >< 1024
80
81 # daytime, time, finger, sunrpc, and squid
82 pass in on tun0 proto tcp from any to any port = 22 # ssh
83 pass in on tun0 proto tcp from any to any port = 25 # SMTP
84 pass in on tun0 proto tcp from any to any port = 80 # http
85 pass in on tun0 proto tcp from any to any port = 443 # https
86
87 # ...and, whilst in Oz, 23, to forward to navel:22.
88 # KMSelf Wed Feb 7 01:38:06 PST 2001
89 pass in on tun0 proto tcp from any to any port = 23 # telnet
90
91 block in on tun0 proto tcp from any to any port = 3128 # squid
92
93 # If you want to run mail (SMTP) services, uncomment:
94 # pass in on ppp0 proto tcp from any to any port = 25
95 # block in quick on ppp0 proto tcp from any to any port = 113
96
97 # Block: X / VNC / NFS / SMB
98 block in quick on tun0 proto tcp from any to any port 5999 >< 6065 # X
99 block in quick on tun0 proto tcp from any to any port 5899 >< 5911 # VNC
100 block in quick on tun0 proto tcp from any to any port = 2049 # NFS
101 block in quick on tun0 proto tcp from any to any port 136 >< 140 # SMB
------------------------------------------------------------------------

OpenBSD ipnat.rules. Line 11 should be forwarding telnet to ssh.

------------------------------------------------------------------------
1 # $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
2 #
3 # See /usr/share/ipf/nat.1 for examples.
4 # edit the ipnat= line in /etc/rc.conf to enable Network Address Translation
5
6 # Forward incoming ssh and http to navel
7 rdr tun0 0/0 port 22 -> 192.168.0.32 port 22
8 rdr tun0 0/0 port 80 -> 192.168.0.32 port 80
9
10 # ...and, whilst in Oz, 23 to navel:22
11 rdr tun0 0/0 port 23 -> 192.168.0.32 port 22
12
13 # Gnapster
14 rdr tun0 0/0 port 6699 -> 192.168.0.32 port 6699
15
16 # Transparent web cache
17 map dc0 192.168.0.1/32 -> 0/32 # FW -> world
18 rdr dc0 0.0.0.0/0 port 80 -> 192.168.0.1 port 8080 # clients -> proxy
19
20 # Dynamic PPP mapping - "ipf -y" must be run with each new connection.
21 map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:65000
22 map tun0 192.168.0.0/24 -> 0/32 # ICMP, etc.
23
24 # uncomment for SMTP forwarding
25 # rdr tun0 <somehost>/32 port 25 -> 192.168.0.32/32 port 25
------------------------------------------------------------------------

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?      There is no K5 cabal
  http://gestalt-system.sourceforge.net/        http://www.kuro5hin.org
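Since the question is where the stoppage is, here is an added Python example (not code from the post) that walks a TCP SYN through an excerpt of the two rule files above and reports which rdr and which filter line decide its fate. It encodes two IPFilter behaviours worth checking against the symptom: a rdr rule is bound to the interface it names and only sees packets arriving on that interface, and for inbound packets NAT runs before the filter, so filter rules see the translated destination. The external address 203.0.113.10 and the outside source 198.51.100.7 are constructed placeholders; the rule text and line numbers are taken from the post.

```python
"""Trace an inbound TCP SYN through an excerpt of the ipnat rdr rules and
ipf filter rules from the post (added example, not the post's own code).

Modelled IPFilter behaviour: a rdr applies only to packets arriving on
the interface it names (first matching rdr wins); inbound NAT runs before
the filter; filter evaluation is "last match wins unless a matching rule
is quick". Only the syntax the excerpt uses is parsed (in/out, quick,
on IFACE, proto, from/to with optional CIDR, destination port = N or
A >< B, all); log, flags, keep state, source ports are ignored.
"""
import ipaddress

# Excerpt of ipf.rules from the post; original line numbers kept so a
# decision can be traced back to the file.
IPF_RULES = """
6 block in log all
10 pass in quick on lo0 all
11 pass in on dc0 all
26 block in log quick on tun0 from 10.0.0.0/8 to any
27 block in log quick on tun0 from 172.16.0.0/12 to any
28 block in log quick on tun0 from 192.168.0.0/16 to any
56 block in log on tun0 proto tcp all flags S/SA
60 pass in quick on tun0 proto tcp from any to any port = 22 flags S/SA keep state
61 pass in quick on tun0 proto tcp from any to any port = 25 flags S/SA keep state
72 block return-rst in quick on tun0 proto tcp from any to any port = 113
79 block in on tun0 proto tcp from any to any port 0 >< 1024
89 pass in on tun0 proto tcp from any to any port = 23
91 block in on tun0 proto tcp from any to any port = 3128
"""

# Excerpt of ipnat.rules from the post.
IPNAT_RULES = """
7 rdr tun0 0/0 port 22 -> 192.168.0.32 port 22
8 rdr tun0 0/0 port 80 -> 192.168.0.32 port 80
11 rdr tun0 0/0 port 23 -> 192.168.0.32 port 22
"""


def addr_match(spec, ip):
    """'any', '0/0' or a missing spec match everything; otherwise a CIDR test."""
    if spec in (None, "any", "0/0"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def parse_ipf(line):
    toks = line.split()
    rule = {"line": int(toks[0]), "action": toks[1], "quick": False,
            "iface": None, "proto": None, "src": None, "dst": None, "port": None}
    i = 2
    if toks[i] == "return-rst":      # "block return-rst" is still a block
        i += 1
    rule["dir"] = toks[i]
    i += 1
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule["quick"] = True
        elif t in ("on", "proto", "from", "to"):
            i += 1
            rule[{"on": "iface", "proto": "proto", "from": "src", "to": "dst"}[t]] = toks[i]
        elif t == "port":            # follows "to any" here, so it is the destination port
            if toks[i + 1] == "=":
                rule["port"] = (int(toks[i + 2]), int(toks[i + 2]))
                i += 2
            else:                    # "port A >< B" matches ports strictly between A and B
                rule["port"] = (int(toks[i + 1]) + 1, int(toks[i + 3]) - 1)
                i += 3
        i += 1                       # log, all, flags, keep state: ignored
    return rule


def parse_rdr(line):
    t = line.split()                 # e.g. "11 rdr tun0 0/0 port 23 -> 192.168.0.32 port 22"
    return {"line": int(t[0]), "iface": t[2], "dst": t[3], "dport": int(t[5]),
            "to": (t[7], int(t[9]))}


RULES = [parse_ipf(l) for l in IPF_RULES.strip().splitlines()]
RDRS = [parse_rdr(l) for l in IPNAT_RULES.strip().splitlines()]


def apply_rdr(pkt, rdrs):
    """Return (rdr line or None, packet after translation)."""
    for r in rdrs:
        if (r["iface"] == pkt["iface"] and addr_match(r["dst"], pkt["dst"])
                and r["dport"] == pkt["dport"]):
            return r["line"], dict(pkt, dst=r["to"][0], dport=r["to"][1])
    return None, pkt


def rule_matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and addr_match(rule["src"], pkt["src"])
            and addr_match(rule["dst"], pkt["dst"])
            and (rule["port"] is None or rule["port"][0] <= pkt["dport"] <= rule["port"][1]))


def filter_decision(pkt, rules):
    decision = ("pass", None)        # ipf passes a packet no rule matches
    for r in rules:
        if rule_matches(r, pkt):
            decision = (r["action"], r["line"])
            if r["quick"]:
                break
    return decision


def trace(pkt, rdrs=RDRS, rules=RULES):
    rdr_line, translated = apply_rdr(pkt, rdrs)
    return {"rdr": rdr_line, "final_dst": (translated["dst"], translated["dport"]),
            "filter": filter_decision(translated, rules)}


EXTERNAL_IP = "203.0.113.10"         # constructed placeholder for the tun0 address
NAVEL = "192.168.0.32"               # the workstation, from the ipnat rules
# Constructed packets: the post's own test (LAN host to the external address,
# arriving on dc0) and the case the rdr is written for (arriving on tun0).
FROM_LAN = {"dir": "in", "iface": "dc0", "proto": "tcp", "src": NAVEL,
            "dst": EXTERNAL_IP, "dport": 23}
FROM_INTERNET = {"dir": "in", "iface": "tun0", "proto": "tcp", "src": "198.51.100.7",
                 "dst": EXTERNAL_IP, "dport": 23}

if __name__ == "__main__":
    for name, pkt in (("from LAN via dc0", FROM_LAN), ("from Internet via tun0", FROM_INTERNET)):
        t = trace(pkt)
        print(f"{name}: rdr line {t['rdr']}, delivered to {t['final_dst']}, "
              f"filter {t['filter'][0]} (ipf.rules line {t['filter'][1]})")
```

Run stand-alone, it reports that the test described in the post (from navel across dc0 to the firewall's external address) never reaches the tun0 rdr at line 11: the SYN is passed by ipf.rules line 11 to the firewall itself on port 23, where nothing listens, so the firewall's own TCP stack answers with a RST ("connection refused"), and because that pass rule has no log keyword nothing is logged on either box. The same SYN arriving on tun0 is rewritten to 192.168.0.32:22 and passed by the quick rule at line 60 before line 89 is even consulted. To exercise the forward path for real, connect from a host on the tun0 side, or run tcpdump on dc0 and look for SYNs to 192.168.0.32 port 22 while the connection attempt is made.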