Re: iptables question

To: deloptes@gmail.com
Cc: debian-user <debian-user@lists.debian.org>
Subject: Re: iptables question
From: Igor Cicimov <icicimov@gmail.com>
Date: Mon, 14 Nov 2016 13:01:09 +1100
Message-id: <[🔎] CAAKASGwMC8N0Ycq_FtdQj5uvby6po_LPngp_jvPso9gfFgfYag@mail.gmail.com>
In-reply-to: <[🔎] o08bim$b11$1@blaine.gmane.org>
References: <[🔎] o080pt$ok8$1@blaine.gmane.org> <[🔎] 20161112223216.2c7cf605@jresid.jretrading.com> <[🔎] o08bim$b11$1@blaine.gmane.org>

On 13 Nov 2016 11:20 am, "deloptes" <deloptes@gmail.com> wrote:
>
> Joe wrote:
>
> > On Sat, 12 Nov 2016 22:15:45 +0100
> > deloptes <deloptes@gmail.com> wrote:
> >
> >> Hi,
> >> I need some help and I'll appreciate it.
> >>
> >> I have a firewall with iptables behind the modem.
> >> on this firewall I have
> >> eth0 with ip 10..1 to the modem ip: 10..12
> >> eth1 with ip 192..1 to the intranet
> >>
> >> iptables is doing SNAT from 192..1 to 10..1
> >>
> >> I wonder how I can ssh from 192..NN to 10..NN
> >> What magic should I apply to make it happen?
> >>
> >> Thanks in advance
> >>
> >>
> >
> > Can we take it that this does not work now? If that is the case, are
> > you sure that iptables is preventing it? There are other possible
> > reasons for a new ssh link not to work.
> >
>
> Yes, it is not working and yes it might be a different issue. So here is
> some additional information, if you wish.
>
> >From one computer ip 10..6 I can ssh to 10..7 and vv.
> I also see that iptables forwards to the output, but in the output nothing
> happens. So it is either in the output chain, or the back route blocks.
>
> > A typical simple iptables script will allow what you want to do to
> > happen already, so there must either be some iptables restriction in
> > place now, or there is some other reason for ssh not working. Are you
> > able to connect to the modem web configuration page from the 192.
> > network?
> >
>
> Yes I forgot to mention that I can connect from 192..NN to the modem ip via
> ssh lets say 10..200.
>
> On the modem there is also firewall. I tried disableing it but it did not
> help.
>
> And you can bet there is restriction - basically it is pretty tight and is
> opened only what is needed to intranet and basically all to modem net
>
> > The SNAT should not be an issue, it can handle all protocols
> > transparently, and ssh uses the same tcp protocol as http.
> >
> > If there are iptables restrictions on outgoing protocols, you need to
> > find the rule permitting tcp/80 to be forwarded, copy it and replace 80
> > with 22. Once this is working, we can restrict the destination to the
> > 10. network, as presumably any existing port 80 rule allows connection
> > to anywhere and you may not want that for ssh.
>
> there is nothing regarding the output - no rules based on ports
>
> thanks
>

Run tcpdump and check whats happening

Reply to:

Follow-Ups:
- Re: iptables question
  - From: deloptes <deloptes@gmail.com>

References:
- iptables question
  - From: deloptes <deloptes@gmail.com>
- Re: iptables question
  - From: Joe <joe@jretrading.com>
- Re: iptables question
  - From: deloptes <deloptes@gmail.com>

Prev by Date: Re: iptables question
Next by Date: hello my friend
Previous by thread: Re: iptables question
Next by thread: Re: iptables question
Index(es):
- Date
- Thread