SSH and NAT

Hi,

I'm having a slight problem with SSH and NAT. I've got an ADSL
connection with a single static IP, and I'd like to be able to SSH to
any of my boxes within my network, but without having to use separate
ports to do it. Is this possible?

My setup is:

Internet -> ZyXEL ADSL router (192.168.0.1) -> Debian Server
(192.168.0.2) -> box1 (0.3) / box2 (0.4)

What I've tried so far is adding the patch-o-matic stuff for string
matching, so I came up with a rule like this:

iptables -t nat -A PREROUTING -m string --string 'box1.domain.com' -p tcp --dport 22 -j DNAT --to 192.168.0.3

but this just SSHs to 0.2, instead of forwarding onto 0.3 (which is the box running iptables).

Is this actually possible, or am I on to a no-hoper here?

Here's most of my firewall/iptables script:

#!/bin/bash

IPTABLES=/usr/local/sbin/iptables

flush () {
# Flush tables and set default policies

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F internal
$IPTABLES -X internal
$IPTABLES -F logdrop
$IPTABLES -X logdrop
$IPTABLES -t nat -F
}

def_policy () {
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
}

rules () {
$IPTABLES -N logdrop
$IPTABLES -A logdrop -j LOG --log-prefix "INPUT (dropped): "
# $IPTABLES -A logdrop -j ULOG --ulog-prefix "INPUT (dropped): "
$IPTABLES -A logdrop -j DROP

$IPTABLES -N internal
$IPTABLES -A internal -s 192.168.0.0/24 -j ACCEPT
$IPTABLES -A internal -s 127.0.0.1 -j ACCEPT
$IPTABLES -A internal -s ! 192.168.0.0/24 -j logdrop

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -j MASQUERADE

$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT # ssh
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT # www
$IPTABLES -A INPUT -p udp --dport 80 -j ACCEPT # www
$IPTABLES -A INPUT -p tcp --dport 111 -j internal # sunrpc
$IPTABLES -A INPUT -p udp --dport 111 -j internal # sunrpc
$IPTABLES -A INPUT -p tcp --dport 3128 -j internal # squid

$IPTABLES -A INPUT -s 192.168.0.0/24 -j ACCEPT
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s ! 192.168.0.0/24 -j logdrop

$IPTABLES -t nat -A PREROUTING -m string --string 'box1.domain.com' -p tcp --dport 22 -j DNAT --to 192.168.0.3

echo 1 > /proc/sys/net/ipv4/ip_forward
}

rm_mod () {
rmmod -r ipt_LOG
rmmod -r ipt_multiport
rmmod -r ipt_state
rmmod -r ip_conntrack
rmmod -r iptable_filter
rmmod -r ip_tables
}

case "$1" in
  start)
    echo -n "Starting netfilter/iptables firewall"
    flush
    def_policy
    rules
    echo "."
    ;;

  restart)
    echo -n "Restarting netfilter/iptables firewall"
    flush
    def_policy
    rules
    echo "."
    ;;

  stop)
    echo -n "Stopping netfilter/iptables firewall"
    flush
    rm_mod
    echo "."
    ;;

  *)
    echo "Usage: /etc/init.d/firewall {start|stop|restart}"
    exit 1
    ;;
esac

exit 0

--End firewall--

Cheers,

James

-- 
James O'Gorman
email: james@xxxxxxxxxxxxxxxx | web: www.netinertia.co.uk
"Life sucks, but death doesn't put out at all...."
-- Thomas J. Kopp
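Editor's note, not part of James's message: the `-m string` approach cannot work, because the SSH protocol never puts the server name the client typed on the wire (there is no equivalent of TLS SNI in the SSH handshake), so the pattern 'box1.domain.com' never appears in the stream; and a DNAT decision is taken on the first SYN of a connection, before any payload exists, so even a matchable string would arrive too late. The two workable answers to the question are one external port per internal box, or keeping port 22 on the gateway only and hopping through it. The script below is an added example, not code from the post: it assumes the public name gateway.example.com, the interface names ppp0/eth0 and the external ports 2203/2204, and reuses the 192.168.0.3/.4 addresses from the post. With either option the ZyXEL still has to forward the chosen ports (just 22 for the jump-host option) to 192.168.0.2.

```shell
#!/bin/sh
# Added example (not from the original post): two ways to reach box1/box2
# behind one public IP, given that `-m string` on the SSH stream cannot work.
# Assumed names: gateway.example.com, ppp0/eth0, external ports 2203/2204.

GATEWAY_PUBLIC="gateway.example.com"   # assumed public name of the Debian box
WAN_IF="ppp0"                          # assumed interface towards the ADSL router
LAN_IF="eth0"                          # assumed interface towards box1/box2

# Option 1: one external port per internal box, DNATed to that box's port 22.
# Emits the iptables commands instead of running them, so they can be reviewed
# before being pasted into the firewall script.
# Usage: dnat_rules EXT_PORT INTERNAL_IP [EXT_PORT INTERNAL_IP ...]
dnat_rules() {
    seen=""
    while [ $# -ge 2 ]; do
        # Two boxes cannot share an external port; refuse instead of silently
        # letting the first PREROUTING rule win.
        case " $seen " in
            *" $1 "*) echo "dnat_rules: external port $1 used twice" >&2; return 1 ;;
        esac
        seen="$seen $1"
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:22\n' \
            "$WAN_IF" "$1" "$2"
        # Only needed if the FORWARD policy is DROP rather than ACCEPT.
        printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport 22 -m state --state NEW -j ACCEPT\n' \
            "$WAN_IF" "$LAN_IF" "$2"
        shift 2
    done
}

# Option 2: keep port 22 open on the gateway only and hop through it.
# "OpenSSH_7.9p1 Debian-10" -> "7 9"; prints nothing for a non-OpenSSH string.
ssh_version_parts() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Pick the client directive the installed ssh understands:
#   >= 7.3  ProxyJump
#   >= 5.4  ProxyCommand ssh -W (stdio forwarding)
#   older   ProxyCommand through nc on the gateway
# Usage: proxy_directive "$(ssh -V 2>&1)"
proxy_directive() {
    parts=$(ssh_version_parts "$1")
    if [ -z "$parts" ]; then
        echo "proxy_directive: unrecognised version string: $1" >&2
        return 1
    fi
    set -- $parts
    if [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 3 ]; }; then
        printf '    ProxyJump %s\n' "$GATEWAY_PUBLIC"
    elif [ "$1" -gt 5 ] || { [ "$1" -eq 5 ] && [ "$2" -ge 4 ]; }; then
        printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$GATEWAY_PUBLIC"
    else
        printf '    ProxyCommand ssh %s nc %%h %%p\n' "$GATEWAY_PUBLIC"
    fi
}

# Usage: ssh_config_stanza ALIAS INTERNAL_IP VERSION_STRING  -> ~/.ssh/config text
ssh_config_stanza() {
    printf 'Host %s\n    HostName %s\n' "$1" "$2"
    proxy_directive "$3"
}

# Stand-alone demonstration with the addresses from the post:
#   sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    dnat_rules 2203 192.168.0.3 2204 192.168.0.4
    ssh_config_stanza box1 192.168.0.3 "OpenSSH_8.4p1"   # substitute "$(ssh -V 2>&1)"
fi
```

With the stanza in ~/.ssh/config, `ssh box1` from outside connects to the gateway on 22 and is relayed to 192.168.0.3:22 by the gateway's own ssh, so only one port is exposed and each internal box keeps its own host key; the port-per-box option exposes each box's sshd directly and is the one to pick if clients cannot be configured.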

