Re: ssh tunnels and iptables

Sorry, it does not make sense because it is a reverse tunnel. That is,
the server that is running the firewall gets the connection requests
on that port (2222). I see that the port opens up (I can see it using
nmap) as soon as the tunnel is up. However, iptables does not have that
port open. That is what is confusing.

On Sun, Jan 29, 2017 at 10:35 PM, Mark Coetser <mark@xxxxxxxxxxxx> wrote:
> Your ssh tunnel is from Port 2222 to 22 so iptables with port 22 is valid.
>
> Thank you,
>
> Mark Adrian Coetser
> mark@xxxxxxxxxxxx
>
>
>
>
> On 29 January 2017 5:35:08 PM deva seetharam <deva.seetharam@xxxxxxxxx>
> wrote:
>
>> I have setup a reverse ssh tunnel using the following command between
>> a Linux laptop and a remote server:
>>
>>     ssh -4nNT -R 2222:localhost:22 somehost.com
>>
>> That is, the laptop, which is behind a firewall, can be accessed over
>> ssh using the following command:
>>
>>     ssh -p 2222 -l joe somehost.com
>>
>> In sshd_config on somehost.com, I have enabled GatewayPorts=yes.
>>
>> I am glad to say all of this works fine. However, one thing beats me:
>> there is an `iptables` running on somehost.com that does NOT have
>> port 2222 opened. In spite of this, the tunnel works; how is that possible?
>> How does iptables handle gateway ports of ssh? Could anyone kindly
>> explain? Thanks in advance.
>>
>> Here is the output of iptables -L:
>>
>>       target     prot opt source               destination
>>
>>       ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
>>       ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
>>       ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
>>       ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
>>       DROP       tcp  -f  anywhere             anywhere
>>       DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
>>       DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
>>       DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
>>       DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,ACK/FIN
>>       DROP       tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
>>       DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
>>       DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
>>       DROP       tcp  --  anywhere             anywhere             tcp dpt:kazaa
>>       DROP       udp  --  anywhere             anywhere             udp dpt:kazaa
>>       LOG        tcp  --  anywhere             somehost.com         tcp dpt:ssh state NEW LOG level warning tcp-options ip-options prefix "firewall-> ssh1: "
>>       ACCEPT     tcp  --  anywhere             somehost.com         tcp dpt:ssh
>>       LOG        tcp  --  anywhere             somehost.com         tcp dpt:2023 state NEW LOG level warning tcp-options ip-options prefix "firewall-> Check: "
>>       ACCEPT     tcp  --  anywhere             somehost.com         tcp dpt:2023
>>       LOG        tcp  --  anywhere             somehost.com         tcp dpt:http state NEW LOG level warning tcp-options ip-options prefix "firewall-> HTTP: "
>>       ACCEPT     tcp  --  anywhere             somehost.com         tcp dpt:http
>>       LOG        tcp  --  anywhere             somehost.com         tcp dpt:https state NEW LOG level warning tcp-options ip-options prefix "firewall-> HTTPS: "
>>       ACCEPT     tcp  --  anywhere             somehost.com         tcp dpt:https
>>
>>       Chain FORWARD (policy ACCEPT)
>>       target     prot opt source               destination
>>
>>       Chain OUTPUT (policy ACCEPT)
>>       target     prot opt source               destination
>>       ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http
>>
>>
>> --
>> best regards,
>> Deva P. Seetharam



-- 
best regards,
Deva P. Seetharam
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
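What decides the fate of a connection to port 2222 on somehost.com is the walk of the INPUT chain: rules are tried top to bottom, a LOG target does not end the walk, and a packet that matches no terminating rule gets the chain's default policy, which is the "Chain INPUT (policy ...)" header the quoted `iptables -L` output cuts off. The simulator below is an added example, not code from this thread; its rule set is constructed to mirror the listing above, and the INPUT policy is an assumption, so both the permissive and the default-deny case are shown. With GatewayPorts=yes sshd binds the forwarded port on all interfaces, so that policy is all that stands between the tunnel endpoint and the outside.

```python
import re

# Constructed `iptables -S INPUT` rule set modelled on the listing in the
# thread; it is not the poster's real output. The INPUT chain policy is an
# assumption: the posted `iptables -L` output omits the chain header.
INPUT_PERMISSIVE = """\
-P INPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j LOG --log-prefix "firewall-> ssh1: "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2023 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""
# The same rules under a default-deny policy: the usual hardening.
INPUT_DEFAULT_DENY = INPUT_PERMISSIVE.replace("-P INPUT ACCEPT", "-P INPUT DROP", 1)

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # LOG is not terminal; the walk continues
ALL_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def _flags(spec: str) -> set:
    """Expand an iptables --tcp-flags list (NONE / ALL / comma list) to a set."""
    return set() if spec == "NONE" else ALL_FLAGS if spec == "ALL" else set(spec.split(","))


def verdict(rules: str, proto: str, dport: int, flags=frozenset({"SYN"})) -> str:
    """First-match walk of the INPUT chain for one packet (by default a plain
    TCP SYN, i.e. a new connection). Returns the terminating target, or
    'policy <X>' when no rule matched, which is what netfilter does."""
    policy = "ACCEPT"
    for line in rules.splitlines():
        if line.startswith("-P INPUT "):
            policy = line.split()[2]
            continue
        if not line.startswith("-A INPUT "):
            continue
        m = re.search(r"-p (\w+)", line)
        if m and m.group(1) != proto:
            continue                      # protocol mismatch
        m = re.search(r"--dport (\d+)", line)
        if m and int(m.group(1)) != dport:
            continue                      # port mismatch
        m = re.search(r"--tcp-flags (\S+) (\S+)", line)
        if m and (set(flags) & _flags(m.group(1))) != _flags(m.group(2)):
            continue                      # flag-combination mismatch
        target = re.search(r"-j (\w+)", line).group(1)
        if target in TERMINAL:
            return target
    return f"policy {policy}"
```

Port 2222 matches nothing in either rule set, so its verdict is whatever the policy says; only `-P INPUT DROP` (plus an explicit ACCEPT for the ports you mean to expose) makes the firewall listing the authoritative record of what is reachable.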