I'm trying to forward port 23 (telnet) on my firewall to 22 (ssh) on my
workstation. Getting around some outbound traffic filtering issues.
However, when I attempt to connect to this interface, I'm getting
"connection refused".
The boxen in question are firewall: OpenBSD running ipf (firewall) and ipnat
(masquerade/NAT), and workstation: Debian, no filters or masq.
I'm trying to figure out where the stoppage is occurring; it's a bit hard
to work that out. I'd appreciate any suggestions in troubleshooting the
problem. I *think* I've configured my forwarding and filtering rules to
let this happen, but it seems it's not. I'm suspecting tcpwrappers on
the GNU/Linux side, but can't work out whether or why that would be
happening. No logs on either the firewall or the GNU/Linux box appear
to be updating as the refusals appear (I'm trying to connect _from_ the
workstation _to_ the external network IP of the firewall right now).
OpenBSD ipf.rules
Line 89 should open up telnet for forwarding.
------------------------------------------------------------------------
1 ############################################################
2 # Firewalling rules
3 ############################################################
4
5 # Default policies
6 block in log all
7 pass out all
8
9 # Pass internal traffic
10 pass in quick on lo0 all
11 pass in on dc0 all
12
13
14 # Don't allow spoofing of internal addresses:
15
16 # ...unroutables
17 block in log quick on tun0 from 0.0.0.0/32 to any
18 block in log quick on tun0 from 255.255.255.255/32 to any
19 block in log quick on tun0 from 127.0.0.0/8 to any
20
21 block in log quick on tun0 from any to 0.0.0.0/32
22 block in log quick on tun0 from any to 255.255.255.255/32
23 block in log quick on tun0 from any to 127.0.0.0/8
24
25 # ...internal networks
26 block in log quick on tun0 from 10.0.0.0/8 to any
27 block in log quick on tun0 from 172.16.0.0/12 to any
28 block in log quick on tun0 from 192.168.0.0/16 to any
29
30
31 # drop itsy bitsy frags
32 block in log quick proto tcp all with short
33
34
35 # drop packets with options (especially if they're under water)
36 block in log quick all with opt lsrr
37 block in log quick all with opt ssrr
38
39
40 # allow certain classes of ICMP
41 pass in quick on tun0 proto icmp all icmp-type 0
42 pass in quick on tun0 proto icmp all icmp-type 3
43 # ...Jury's out on icmp-type 8.
44 # pass in quick on tun0 proto icmp all icmp-type 8
45 pass in quick on tun0 proto icmp all icmp-type 11
46
47
48 # DNS -- nameservers
49 pass in quick on tun0 proto tcp/udp from 206.214.98.33 port = 53 to any
50 pass in quick on tun0 proto tcp/udp from 206.214.98.34 port = 53 to any
51
52
53
54 # prevent outside machines from initiating TCP connections to machines
55 # within our network
56 block in log on tun0 proto tcp all flags S/SA
57 block out log on tun0 proto tcp all flags SA/SA
58
59 # allow inbound ssh and mail connections
60 pass in quick on tun0 proto tcp from any to any port = 22 flags S/SA keep state
61 pass in quick on tun0 proto tcp from any to any port = 25 flags S/SA keep state
62
63 pass in quick on dc0 proto tcp from any to any port = 22 flags S/SA keep state
64 pass in quick on dc0 proto tcp from any to any port = 25 flags S/SA keep state
65
66
67 # allow return packets from connection we initiated
68 pass out on tun0 proto tcp all keep state
69 pass out on dc0 proto tcp all keep state
70
71 # REJECT auth connections for fast SMTP handshake
72 block return-rst in quick on tun0 proto tcp from any to any port = 113
73
74
75 #########################################################################
76 # Additional lock-down rules
77
78 # OK, ppp connection
79 block in on tun0 proto tcp from any to any port 0 >< 1024
80
81 # daytime, time, finger, sunrpc, and squid
82 pass in on tun0 proto tcp from any to any port = 22 # ssh
83 pass in on tun0 proto tcp from any to any port = 25 # SMTP
84 pass in on tun0 proto tcp from any to any port = 80 # http
85 pass in on tun0 proto tcp from any to any port = 443 # https
86
87 # ...and, whilst in Oz, 23, to forward to navel:22.
88 # KMSelf Wed Feb 7 01:38:06 PST 2001
89 pass in on tun0 proto tcp from any to any port = 23 # telnet
90
91 block in on tun0 proto tcp from any to any port = 3128 # squid
92
93 # If you want to run mail (SMTP) services, uncomment:
94 # pass in on ppp0 proto tcp from any to any port = 25
95 # block in quick on ppp0 proto tcp from any to any port = 113
96
97 # Block: X / VNC / NFS / SMB
98 block in quick on tun0 proto tcp from any to any port 5999 >< 6065 # X
99 block in quick on tun0 proto tcp from any to any port 5899 >< 5911 # VNC
100 block in quick on tun0 proto tcp from any to any port = 2049 # NFS
101 block in quick on tun0 proto tcp from any to any port 136 >< 140 # SMB
------------------------------------------------------------------------
OpenBSD ipnat.rules
Line 11 should be forwarding telnet to ssh.
------------------------------------------------------------------------
1 # $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
2 #
3 # See /usr/share/ipf/nat.1 for examples.
4 # edit the ipnat= line in /etc/rc.conf to enable Network Address Translation
5
6 # Forward incoming ssh and http to navel
7 rdr tun0 0/0 port 22 -> 192.168.0.32 port 22
8 rdr tun0 0/0 port 80 -> 192.168.0.32 port 80
9
10 # ...and, whilst in Oz, 23 to navel:22
11 rdr tun0 0/0 port 23 -> 192.168.0.32 port 22
12
13 # Gnapster
14 rdr tun0 0/0 port 6699 -> 192.168.0.32 port 6699
15
16 # Transparent web cache
17 map dc0 192.168.0.1/32 -> 0/32 # FW -> world
18 rdr dc0 0.0.0.0/0 port 80 -> 192.168.0.1 port 8080 # clients -> proxy
19
20 # Dynamic PPP mapping - "ipf -y" must be run with each new connection.
21 map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:65000
22 map tun0 192.168.0.0/24 -> 0/32 # ICMP, etc.
23
24 # uncomment for SMTP forwarding
25 # rdr tun0 <somehost>/32 port 25 -> 192.168.0.32/32 port 25
------------------------------------------------------------------------
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What part of "Gestalt" don't you understand? There is no K5 cabal
http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
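As an added illustration (not from the original post), a small Python model of ipf's rule evaluation (last matching rule wins unless it is marked quick) and of ipnat rdr translation, applied to a constructed subset of the rules above. It traces a SYN to port 23 arriving on tun0 versus on dc0: the rdr rule is bound to tun0, so a packet from the inside on dc0 is never redirected and reaches port 23 on the firewall itself. The Rule class and the rule subset are constructed for this example, not ipf's real parser.

```python
# Mini-model of ipf inbound rule evaluation and ipnat "rdr" translation.
# Constructed for this example; it models only iface, dst port and quick.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str            # "pass" or "block"
    iface: str             # interface the rule names, or "any"
    port: Optional[int]    # destination port, None means "all"
    quick: bool = False    # "quick" stops evaluation at this rule


# Constructed subset of the posted ipf.rules (inbound TCP only).
IPF_IN = [
    Rule("block", "any", None),             # line 6:  block in log all
    Rule("pass", "dc0", None),              # line 11: pass in on dc0 all
    Rule("block", "tun0", None),            # line 56: block SYN on tun0
    Rule("pass", "tun0", 22, quick=True),   # line 60: ssh, quick, keep state
    Rule("pass", "tun0", 25, quick=True),   # line 61: smtp, quick, keep state
    Rule("pass", "tun0", 23),               # line 89: telnet, no quick
]

# Constructed subset of the posted ipnat.rules: (iface, port) -> new port.
RDR = {("tun0", 22): 22, ("tun0", 80): 80, ("tun0", 23): 22}


def translate(iface: str, dport: int) -> int:
    """ipnat rdr runs before the inbound filter, on the named interface only."""
    return RDR.get((iface, dport), dport)


def filter_in(iface: str, dport: int) -> str:
    """ipf semantics: the last matching rule wins unless a match is quick."""
    verdict = "block"
    for r in IPF_IN:
        if r.iface not in ("any", iface):
            continue
        if r.port is not None and r.port != dport:
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict


def trace(iface: str, dport: int):
    """Return (port the filter sees after rdr, filter verdict)."""
    new_port = translate(iface, dport)
    return new_port, filter_in(iface, new_port)
```

trace("tun0", 23) is redirected to 22 and passed by the quick ssh rule; trace("dc0", 23) is passed by "pass in on dc0 all" but arrives untranslated, so what answers is whatever listens on the firewall's own port 23.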