Re: SSH Port Forwarding with iptables


Hi Pascal,

> Because MASQUERADE replaces the original source address (which the SSH
> server cannot reach due to a missing default or subnet route) with the
> address of the output interface eth1 (which the SSH server can reach).
>
> You don't need SNAT nor masquerade. It hides the real source address
> from the server. You just need to add a proper route on the server so it
> knows how to reach the client address via the router.

Yes, I really should have remembered the default gateway - that's
bitten me before.

> Besides, the SNAT rule proposed by Gaspar could not help because it
> works on the external interface, while the missing route on the server
> requires SNAT/MASQUERADE on the internal interface.

I'll remove that rule and try it out next chance I get - people are
already using the connection.

>>> $IPT -A OUTPUT -o $EXT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> $IPT -A OUTPUT -o $INT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> You don't need all the ACCEPT rules when the default policies are ACCEPT
> and there are no DROP/REJECT rules.

Yeah, I set those default ACCEPT policies when I was troubleshooting;
I need to remove them...

>>> $IPT -t nat -A PREROUTING -p tcp -i $EXT_IFACE -d $EXT_IP --dport
>>> $SSH_PORT --sport 1024:65535 -j DNAT --to $SSH_HOST:22
>>> $IPT -A FORWARD -p tcp -i $EXT_IFACE -o $INT_IFACE -d $SSH_HOST
>>> --dport $SSH_PORT --sport 1024:65535 -m state --state NEW -j ACCEPT
>
> In the FORWARD chain the destination port has already been changed by
> the DNAT rule just like the destination address, so this rule must match
> on destination port 22, not on the original destination port.
>

So you're saying it needs to be this?

$IPT -A FORWARD -p tcp -i $EXT_IFACE -o $INT_IFACE -d $SSH_HOST
--dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT

For now, I've actually got it like this (which is working, but I
should lock it down):

-A FORWARD -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

thx,
-bill
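Added illustration of Pascal's point about DNAT and FORWARD (not code from the thread or from netfilter itself): a small Python model of the traversal order, where nat/PREROUTING rewrites the destination address and port first and filter/FORWARD only ever sees the rewritten packet. The interface names, addresses and $SSH_PORT value are constructed placeholders standing in for the shell variables in the mail; the function docstrings quote the rule each one models, and the last function models the interim "any TCP" rule to show what it lets through.

```python
"""Toy model of the iptables traversal discussed above: an inbound TCP
packet hits nat/PREROUTING (DNAT rewrites destination address *and*
port), then filter/FORWARD sees the rewritten packet.  Constructed example;
interface names, addresses and port are placeholders, not the thread's."""

from dataclasses import dataclass, replace

# Placeholder values standing in for the shell variables in the mail.
EXT_IFACE, INT_IFACE = "eth0", "eth1"
EXT_IP, SSH_HOST, SSH_PORT = "203.0.113.10", "192.168.1.20", 2222


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str   # decided by routing, which runs after PREROUTING
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    state: str       # conntrack state: NEW / ESTABLISHED / RELATED


def prerouting_dnat(pkt: Packet) -> Packet:
    """nat PREROUTING: -p tcp -i $EXT_IFACE -d $EXT_IP --dport $SSH_PORT
    --sport 1024:65535 -j DNAT --to $SSH_HOST:22"""
    if (pkt.proto == "tcp" and pkt.in_iface == EXT_IFACE and pkt.dst == EXT_IP
            and pkt.dport == SSH_PORT and 1024 <= pkt.sport <= 65535):
        # DNAT rewrites both the destination address and the destination port.
        return replace(pkt, dst=SSH_HOST, dport=22)
    return pkt


def forward_rule(pkt: Packet, dport: int) -> bool:
    """filter FORWARD: -p tcp -i $EXT_IFACE -o $INT_IFACE -d $SSH_HOST
    --dport <dport> --sport 1024:65535 -m state --state NEW -j ACCEPT
    The caller picks <dport>: $SSH_PORT (the original rule) or 22 (the fix)."""
    return (pkt.proto == "tcp" and pkt.in_iface == EXT_IFACE
            and pkt.out_iface == INT_IFACE and pkt.dst == SSH_HOST
            and pkt.dport == dport and 1024 <= pkt.sport <= 65535
            and pkt.state == "NEW")


def loose_forward_rule(pkt: Packet) -> bool:
    """The interim rule from the mail:
    -A FORWARD -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    It matches any TCP flow to any internal host and port."""
    return pkt.proto == "tcp" and pkt.state in {"NEW", "RELATED", "ESTABLISHED"}


def forwarded(pkt: Packet, forward_dport: int) -> bool:
    """Full path for a new inbound packet: PREROUTING DNAT, then FORWARD."""
    after_nat = prerouting_dnat(pkt)
    return forward_rule(after_nat, forward_dport)


# Constructed sample packets.
SSH_SYN = Packet(EXT_IFACE, INT_IFACE, "tcp", "198.51.100.7", 40000,
                 EXT_IP, SSH_PORT, "NEW")
# An unrelated new inbound TCP flow to the internal host that should not be forwarded.
OTHER_SYN = Packet(EXT_IFACE, INT_IFACE, "tcp", "198.51.100.7", 40001,
                   SSH_HOST, 80, "NEW")

if __name__ == "__main__":
    print("FORWARD --dport $SSH_PORT accepts SSH:", forwarded(SSH_SYN, SSH_PORT))  # False
    print("FORWARD --dport 22 accepts SSH:", forwarded(SSH_SYN, 22))              # True
    print("loose rule forwards unrelated tcp:", loose_forward_rule(OTHER_SYN))     # True
    print("tight rule forwards unrelated tcp:", forward_rule(OTHER_SYN, 22))       # False
```

Running it shows the two halves of the advice: the FORWARD rule that matches `--dport $SSH_PORT` never sees such a packet, because by then the port is 22, and the interim catch-all rule does work but also forwards every other new TCP connection to the internal side, which is why it should be narrowed to the specific host and port.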
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
