newbie iptables questions

Woody Hughes netfilter@thewoodman.org
Mon, 9 Jul 2001 21:19:26 -0700


If I were you with your situation, here's what I would do in order to ssh to
a private routed RFC address:

iptables -t nat -A PREROUTING -p tcp -d <firewall IP> --dport 22 -j DNAT \
    --to 192.168.1.2:22
iptables -A INPUT -p tcp -s ! <firewall IP> --dport 22 -j DROP
iptables -I INPUT -p tcp -s <authorized_IP> --dport 22 -j ACCEPT

Explanation:

We use iptables on our firewall to alter the Destination packet using DNAT
so that it will forward port 22 (SSH) requests to a server of our
choosing...

We then add a rule to block ALL addresses EXCEPT our firewall IP to port 22.

Finally, we have a specific network or host that we want to SSH
FROM...hence, our authorized IP. We then specify port 22.

When the firewall sees the request from the authorized IP to port 22, it
will automagically DNAT the destination header and send it to the box that
SSH resides upon...(which happens to be our private non-routable address)

Hope that helps...
--
 /* Woody Hughes, MCP
  *  Support Engineer/Systems Admin
  *  Lyris Technologies
  *  -------------------------------
  *  woody@thewoodman.org
  *  http://www.thewoodman.org
  */
----- Original Message -----
From: "gene" <gene01@smalltime.com>
To: <netfilter@lists.samba.org>
Sent: Monday, July 09, 2001 11:15 AM
Subject: newbie iptables questions


> Hello, all.  I've just switched over to iptables from ipchains and have a
> couple questions.
>
> I essentially used the rc.firewall script from the BoingWorld.com website,
> with a few modifications.  The first thing I found was http requests from
> my LAN to my firewall/server were being blocked while outside connections
> and masquerading were fine.  The logs showed the packets were being
> dropped on the INPUT chain on the lo interface.  There was nothing in the
> iptables script mentioning loopback, so I added the line:
>
> $IPTABLES -A INPUT -p ALL -i lo -j ACCEPT
>
> after the icmp, tcp, and udp INPUT chains, but before the generic INPUT
> filters.  This fixed my problem, but I want to be sure that I did this
> correctly (i.e. securely).
>
> My second question is about port forwarding.  I tried some things based
> on the iptables docs and some usenet postings, but with no success.  I
> want to be able to ssh to a computer within the LAN from outside.
> I tried this:
>
> $IPTABLES -t nat -A PREROUTING -p tcp -d $STATIC_IP -j DNAT  \
> --destination-port 2222 --to-destination $INTERNAL_COMPUTER:22
>
> But when I try to connect to port 2222 on the firewall machine, I just
> get Connection Refused.  Nothing shows up in the logs, so I can't figure
> out where the problem is.
>
> Any advice would be greatly appreciated.
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>    smalltime industries bringing you the latest in
>    interplanetary transport technology, interactive
>    web games, dada, art, poetry and pants.
>    www.smalltime.com  ...... visit early and often
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
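A complete version of the port-forward discussed in this thread, as an added example that is neither poster's code: it keeps gene's $IPTABLES variable convention, defaults to a dry run that prints the rules for review, and adds the FORWARD rules that a DNATed connection actually traverses (once the destination is rewritten to the LAN host the packet is routed, so it never reaches INPUT). The interface name, addresses and ports are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. SSH port-forward through a
# netfilter firewall: external port 2222 on the firewall is DNATed to
# port 22 on a LAN host. All addresses and the interface name are
# constructed placeholders; IPTABLES defaults to a dry run that prints
# the rules. Run with IPTABLES=iptables (as root, with
# net.ipv4.ip_forward=1 set) to apply them for real.
EXT_IF=eth0
STATIC_IP=203.0.113.10          # firewall's public address (constructed)
INTERNAL_COMPUTER=192.168.1.2   # LAN host running sshd (constructed)
EXT_PORT=2222                   # port exposed on the firewall
AUTHORIZED_IP=198.51.100.7      # the one source allowed to use it (constructed)
IPTABLES=${IPTABLES:-echo iptables}

ssh_forward_rules() {
    # Loopback first, so local clients can reach services on the firewall
    # (the drop gene saw on the lo interface).
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # nat/PREROUTING only rewrites the destination of a connection's first
    # packet; it makes no access decision, so it is left open to any source.
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$STATIC_IP" \
        --dport "$EXT_PORT" -j DNAT --to-destination "$INTERNAL_COMPUTER:22"

    # After DNAT the destination is the LAN host, so the packet is routed
    # through FORWARD, never INPUT. Access control belongs here.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXT_IF" -p tcp -s "$AUTHORIZED_IP" \
        -d "$INTERNAL_COMPUTER" --dport 22 -m state --state NEW -j ACCEPT

    # Anything else DNATed toward the LAN sshd is logged, then dropped, so
    # unexpected attempts show up in the kernel log instead of vanishing.
    $IPTABLES -A FORWARD -i "$EXT_IF" -p tcp -d "$INTERNAL_COMPUTER" --dport 22 \
        -j LOG --log-prefix "ssh-fwd-drop: "
    $IPTABLES -A FORWARD -i "$EXT_IF" -p tcp -d "$INTERNAL_COMPUTER" --dport 22 -j DROP
}

ssh_forward_rules
```

With the default dry run the script only prints six iptables lines; review them, then re-run with IPTABLES=iptables to load them.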