Sending a connection to another machine...
Arne Sagnes
ASagnes@Tickets.com
31 Jan 2002 09:58:56 -0500
Hello again,
I was able to dig up a script and some help on getting SSH forwarding
going. Now that I have that working, I want to add to it. I'd like to
set up load balancing so that I can spread the SSH load between several
different machines. Now.... I've included the script in here, but
simply changing the "-too" field from having one address to having
"10.1.3.17-10.1.3.19" doesn't seem to work. I see the connections
coming through to the other boxes, but it doesn't look like I'm sending
them back properly. Does anyone have any ideas? Thanks in advance.
Arne
On Wed, 2002-01-30 at 22:09, Arne Sagnes wrote:
> Hello everyone,
> I've been trying to figure out how to simply send a connection to
> machine1:22 to machine2:22. I've read through the FAQs and searched the
> archives, but I can not find a solution to my problem. My problem is
> this: when I attempt to use SSH (or simply 'telnet machine1:22'), the
> connection just hangs. I log all packets coming in to machine2, and it
> does not show any evidence that the connection is going through. Here's
> the line I use to forward the connection:
>
> ---SNIP---
> iptables -t nat -F
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.1.3.17 --dport 22 -j
> DNAT --to-destination 10.1.3.19:22
> ---SNIP---
>
> 10.1.3.17 is the machine I will SSH to from a separate machine
> (coming in on eth0), and I want that connection forwarded to 10.1.3.19.
> When I attempt to SSH to 10.1.3.17, the connection simply sits there
> until it times out. I'm running a default installation of Red Hat 7.2 with
> kernel 2.4.7-10. Does anyone have any ideas? Any help would be GREATLY
> appreciated. Thanks!
>
> Arne
> --
> Arne Sagnes - Email: asagnes@tickets.com
> Work: +1 216 787 8613 - Cell: +1 216 577 2319
> Be careful of reading health books, you might die of a misprint.
>
--
Arne Sagnes - Email: asagnes@tickets.com
Work: +1 216 787 8613 - Cell: +1 216 577 2319
Be careful of reading health books, you might die of a misprint.
Attachment: ssh_nat.sh
#!/bin/bash
# Not referenced below; the DNAT target is hard-coded further down.
SERVER_RANGE=192.168.202.17:22
IPTABLES=/sbin/iptables
# Flush old rules.
$IPTABLES -t nat -F
/etc/rc.d/init.d/iptables stop
echo 1 > /proc/sys/net/ipv4/ip_forward
# Loopback interface device
LPDIF=lo
# Loopback Device IP Address
LPDIP=127.0.0.1
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
# Disable response to broadcasts: we don't want to become a Smurf amplifier.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Log spoofed packets, source routed packets, redirect packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerade everything leaving eth0 (this covers the DNATed SSH packets
# when the backend is reached through eth0).
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forward SSH aimed at 10.1.3.21 to the backend.
$IPTABLES -t nat -A PREROUTING -i eth0 -s 0.0.0.0/0 -p tcp -d 10.1.3.21 --dport 22 -j DNAT --to 10.1.3.17
$IPTABLES -A FORWARD -i eth0 -s 0/0 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
# This rule accepts every inbound packet, so the INPUT DROP policy and the
# more specific INPUT rules that follow never see any traffic.
$IPTABLES -A INPUT -s 0.0.0.0/0 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -P INPUT DROP
# Allow all ICMP traffic
$IPTABLES -A INPUT -p icmp -j ACCEPT
# The following rule is needed to make SSH X-Forwarding work
$IPTABLES -A INPUT -i $LPDIF -p all -j ACCEPT
$IPTABLES -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
# 0.0.0.0/24 matches only sources 0.0.0.x; 0.0.0.0/0 would match any source.
$IPTABLES -A INPUT -i eth0 -s 0.0.0.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Kill malformed packets
# Block XMAS packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
# Block NULL packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-level 7 --
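The load-balanced variant asked about above, as an added example that is neither the ssh_nat.sh attachment nor anything else from the thread: it generates the nat and filter rules for a DNAT across 10.1.3.17-10.1.3.19 and adds a SNAT toward the backends so that their replies travel back through the forwarding box to be un-NATed, which is what the return path needs when backends and clients share the subnet. The virtual IP 10.1.3.21 comes from the attached script; the single interface eth0 and the backend list are assumptions, and the FORWARD chain is restricted to the SSH flows only.

```shell
#!/bin/sh
# Added example, not the ssh_nat.sh posted in the thread. It emits an
# iptables-restore ruleset that spreads SSH for one virtual IP across a
# backend range and makes the backends reply through this box.
# Assumed addresses: VIP 10.1.3.21, backends .17-.19, single NIC eth0.
VIP="${VIP:-10.1.3.21}"
BACKENDS="${BACKENDS:-10.1.3.17 10.1.3.18 10.1.3.19}"   # ascending, space separated
IFACE="${IFACE:-eth0}"

rule() { printf '%s\n' "$*"; }

# backend_range: "first-last" form that DNAT --to-destination accepts.
backend_range() {
    set -- $BACKENDS
    first=$1
    shift $(($# - 1))
    printf '%s-%s' "$first" "$1"
}

# build_rules: print the whole ruleset, for review or for iptables-restore.
build_rules() {
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'; rule ':POSTROUTING ACCEPT [0:0]'; rule ':OUTPUT ACCEPT [0:0]'
    # A range target hands each new connection to one backend in turn.
    rule -A PREROUTING -i "$IFACE" -p tcp -d "$VIP" --dport 22 \
         -j DNAT --to-destination "$(backend_range)"
    # SNAT toward each backend so its reply returns here to be un-NATed; a reply
    # sent straight to the client carries the backend's address and gets reset.
    for b in $BACKENDS; do
        rule -A POSTROUTING -p tcp -d "$b" --dport 22 -j SNAT --to-source "$VIP"
    done
    rule COMMIT
    rule '*filter'
    rule ':INPUT ACCEPT [0:0]'; rule ':FORWARD DROP [0:0]'; rule ':OUTPUT ACCEPT [0:0]'
    # FORWARD sees the packet after DNAT but before SNAT, so the real client
    # address is still present; log it, since the backend sshd only sees the VIP.
    rule -A FORWARD -p tcp --dport 22 -m state --state NEW -m limit --limit 5/minute \
         -j LOG --log-prefix '"ssh-lb: "'
    # Forward nothing but the SSH flows to the backends and their replies.
    for b in $BACKENDS; do
        rule -A FORWARD -p tcp -d "$b" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule COMMIT
}

# Root only: "sh this_script.sh apply" enables forwarding and loads the rules atomically.
if [ "${1:-}" = apply ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; build_rules | iptables-restore; fi
```

Run it without arguments to print the ruleset and review it first; sshd on the backends will log the VIP as the peer, so the LOG line on the forwarding box is where the real client address is recorded.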