Sending a connection to another machine...
31 Jan 2002 09:58:56 -0500
I was able to dig up a script and some help on getting SSH forwarding
going. Now that I have that working, I want to add to it. I'd like to
set up load balancing so that I can spread the SSH load between several
different machines. Now.... I've included the script in here, but
simply changing the "-too" field from having one address to having
"10.1.3.17-10.1.3.19" doesn't seem to work. I see the connections
coming through to the other boxes, but it doesn't look like I'm sending
them back properly. Does anyone have any ideas? Thanks in advance.
On Wed, 2002-01-30 at 22:09, Arne Sagnes wrote:
> Hello everyone,
> I've been trying to figure out how to simply send a connection to
> machine1:22 to machine2:22. I've read through the FAQs and searched the
> archives, but I can not find a solution to my problem. My problem is
> this: when I attempt to use SSH (or simply 'telnet machine1:22'), the
> connection just hangs. I log all packets coming in to machine2, and it
> does not show any evidence that the connection is going through. Here's
> the line I use to forward the connection:
> iptables -t nat -F
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.1.3.17 --dport 22 -j DNAT --to-destination 10.1.3.19:22
> 10.1.3.17 is the machine I will SSH to from a separate machine
> (coming in on eth0), and I want that connection forwarded to 10.1.3.19.
> When I attempt to SSH to 10.1.3.17, the connection simply sits there
> until it times out. I'm running a default installation of Red Hat 7.2 with
> kernel 2.4.7-10. Does anyone have any ideas? Any help would be GREATLY
> appreciated. Thanks!
> Arne Sagnes - Email: email@example.com
> Work: +1 216 787 8613 - Cell: +1 216 577 2319
> Be careful of reading health books, you might die of a misprint.
Arne Sagnes - Email: firstname.lastname@example.org
Work: +1 216 787 8613 - Cell: +1 216 577 2319
Be careful of reading health books, you might die of a misprint.
Attachment: ssh_nat.sh
#!/bin/sh
# ssh_nat.sh as attached to the message, with the mail's quoted-printable
# line wrapping undone. The variable definitions below (iptables path,
# loopback device and address) were not in the extracted attachment and
# are assumed.
IPTABLES=/sbin/iptables

# Flush old rules.
$IPTABLES -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward

# Loopback interface device
LPDIF=lo
# Loopback Device IP Address
LPDIP=127.0.0.1

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

# Disable response to broadcasts: we don't want to become a Smurf amplifier.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets. Attackers can use source routing to
# generate traffic pretending to be from inside your network, but which is
# routed back along the path from which it came, namely outside, so attackers
# can compromise your network. Source routing is rarely used for legitimate
# purposes.
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your
# routing tables, possibly to a bad end.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log spoofed packets, source routed packets, redirect packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

echo 1 > /proc/sys/net/ipv4/ip_forward

# Masquerade everything forwarded out of eth0. If the DNAT target below is
# reached via eth0, this also rewrites the source of the forwarded SSH
# connection, so the target's replies come back through this box.
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Redirect SSH arriving for 10.1.3.21 to 10.1.3.17.
$IPTABLES -t nat -A PREROUTING -i eth0 -s 0.0.0.0/0 -p tcp -d 10.1.3.21 --dport 22 -j DNAT --to 10.1.3.17
$IPTABLES -A FORWARD -i eth0 -s 0/0 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

# Note: this rule accepts every packet addressed to the box itself, so none
# of the INPUT rules after it (nor the DROP policy) is ever reached.
$IPTABLES -A INPUT -s 0.0.0.0/0 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -P INPUT DROP

# Allow all ICMP traffic
$IPTABLES -A INPUT -p icmp -j ACCEPT

# The following rule is needed to make SSH X-Forwarding work
$IPTABLES -A INPUT -i $LPDIF -p all -j ACCEPT
$IPTABLES -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s 0.0.0.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Kill malformed packets
# Block XMAS packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
# Block NULL packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

# Rate-limited logging of what reaches this point. The remainder of this
# line was cut off in the message as posted.
$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-level 7
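The two things the thread keeps tripping over are the return path (a backend on the same LAN answers the client directly, so the client sees packets from an address it never connected to and the session hangs) and a FORWARD chain that passes exactly the forwarded traffic. The following script is an added example, not the poster's attachment or anything from the list archive; the addresses (front end 10.1.3.17, backends 10.1.3.18-19, all on eth0) are constructed, and it assumes an iptables with the conntrack match (--ctstate), which the 2.4.7 kernel in the thread would not have had.

```shell
#!/bin/sh
# Added example, not the poster's attachment. Builds the rule set the
# thread is after: SSH to one front-end address spread over a backend
# range with DNAT, plus two things a bare DNAT range does not give you:
#  1. a matching SNAT, so a backend's reply is routed back through this
#     box and un-NATed; without it a backend on the same LAN answers the
#     client directly from an address it never connected to, and the
#     session hangs;
#  2. a default-deny FORWARD chain that passes only the forwarded SSH and
#     its replies and logs (rate-limited) what it drops.
# Assumed, constructed values: front end 10.1.3.17, backends 10.1.3.18-19,
# all on eth0. The conntrack match (--ctstate) is assumed available.
# DRY_RUN=1 prints the commands instead of running them (no root needed).
IPTABLES=${IPTABLES:-/sbin/iptables}
WAN_IF=${WAN_IF:-eth0}
FRONT_IP=${FRONT_IP:-10.1.3.17}
BACKEND_RANGE=${BACKEND_RANGE:-10.1.3.18-10.1.3.19}
DRY_RUN=${DRY_RUN:-}

# Run a command, or print it when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

ssh_nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -F FORWARD
    run "$IPTABLES" -P FORWARD DROP
    # Each new connection to FRONT_IP:22 is mapped to one address in the
    # range; conntrack keeps an established session pinned to its backend.
    run "$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$FRONT_IP" \
        --dport 22 -j DNAT --to-destination "$BACKEND_RANGE:22"
    # Rewrite the source of DNATed connections too, so backends reply to
    # this box. Side effect: backends log every login as from FRONT_IP,
    # so keep the real client addresses in this box's logs.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF" -p tcp --dport 22 \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$FRONT_IP"
    # Only the forwarded SSH and reply traffic may cross the box.
    run "$IPTABLES" -A FORWARD -i "$WAN_IF" -p tcp --dport 22 \
        -m conntrack --ctstate DNAT -j ACCEPT
    run "$IPTABLES" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -m limit --limit 5/minute \
        -j LOG --log-prefix "fwd-drop: "
}

# No argument: show the rules; "apply": install them.
case "${1:-show}" in
    apply) ssh_nat_rules ;;
    *)     DRY_RUN=1 ssh_nat_rules ;;
esac
```

Run it without arguments first and read the printed rules; the SNAT line is the one the thread's setup was missing, and it is also why the backends will no longer see the client's real address.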