Sending a connection to another machine...
Arne Sagnes
ASagnes@Tickets.com
31 Jan 2002 15:03:37 -0500
Hello yet again....
I finally managed to figure out what was needed. A masquerade +
individual accepts for the returned connections. If anyone at all is
interested in the final results, email me. :-)
Arne
On Thu, 2002-01-31 at 09:58, Arne Sagnes wrote:
> Hello again,
> I was able to dig up a script and some help on getting SSH forwarding
> going. Now that I have that working, I want to add to it. I'd like to
> set up load balancing so that I can spread the SSH load between several
> different machines. Now.... I've included the script in here, but
> simply changing the "-too" field from having one address to having
> "10.1.3.17-10.1.3.19" doesn't seem to work. I see the connections
> coming through to the other boxes, but it doesn't look like I'm sending
> them back properly. Does anyone have any ideas? Thanks in advance.
>
> Arne
>
> On Wed, 2002-01-30 at 22:09, Arne Sagnes wrote:
> > Hello everyone,
> > I've been trying to figure out how to simply send a connection to
> > machine1:22 to machine2:22. I've read through the FAQs and searched the
> > archives, but I can not find a solution to my problem. My problem is
> > this: when I attempt to use SSH (or simply 'telnet machine1:22'), the
> > connection just hangs. I log all packets coming in to machine2, and it
> > does not show any evidence that the connection is going through. Here's
> > the line I use to forward the connection:
> >
> > ---SNIP---
> > iptables -t nat -F
> > iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.1.3.17 --dport 22 -j
> > DNAT --to-destination 10.1.3.19:22
> > ---SNIP---
> >
> > 10.1.3.17 is the machine I will SSH to from a separate machine
> > (coming in on eth0), and I want that connection forwarded to 10.1.3.19.
> > When I attempt to SSH to 10.1.3.17, the connection simply sits there
> > until it times out. I'm running a default installation of Red Hat 7.2 with
> > kernel 2.4.7-10. Does anyone have any ideas? Any help would be GREATLY
> > appreciated. Thanks!
> >
> > Arne
> > --
> > Arne Sagnes - Email: asagnes@tickets.com
> > Work: +1 216 787 8613 - Cell: +1 216 577 2319
> > Be careful of reading health books, you might die of a misprint.
> >
> ----
>
> #!/bin/bash
>
> SERVER_RANGE=192.168.202.17:22
> IPTABLES=/sbin/iptables
>
> # Flush old rules.
> $IPTABLES -t nat -F
> /etc/rc.d/init.d/iptables stop
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Loopback interface device
> LPDIF=lo
>
>
> # Loopback Device IP Address
> LPDIP=127.0.0.1
>
>
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
>
>
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
>
> $IPTABLES -F -t nat
> $IPTABLES -F -t mangle
>
> # Disable response to broadcasts: we don't want to become a Smurf amplifier
>
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Don't accept source routed packets. Attackers can use source routing to generate
> # traffic pretending to be from inside your network, but which is routed back along
> # the path from which it came, namely outside, so attackers can compromise your
> # network. Source routing is rarely used for legitimate purposes.
> #echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>
> # Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
> # tables, possibly to a bad end.
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>
> # Enable bad error message protection.
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>
> # Log spoofed packets, source routed packets, redirect packets.
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> $IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
>
> $IPTABLES -t nat -A PREROUTING -i eth0 -s 0.0.0.0/0 -p tcp -d 10.1.3.21 --dport 22 -j DNAT --to 10.1.3.17
>
> $IPTABLES -A FORWARD -i eth0 -s 0/0 -p tcp --dport 22 -j ACCEPT
>
> $IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
>
> $IPTABLES -A INPUT -s 0.0.0.0/0 -j ACCEPT
>
>
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -P INPUT DROP
>
>
> # Allow all ICMP traffic
> $IPTABLES -A INPUT -p icmp -j ACCEPT
>
>
> # The following rule is needed to make SSH X-Forwarding work
> $IPTABLES -A INPUT -i $LPDIF -p all -j ACCEPT
>
>
> $IPTABLES -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
>
> $IPTABLES -A INPUT -i eth0 -s 0.0.0.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> # Kill malformed packets
>
> # Block XMAS packets
>
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
> $IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
>
> # Block NULL packets
>
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> $IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
>
> $IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-level 7 --
>
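As an added example (not the poster's script), the following shows the combination the thread arrives at: a DNAT rule that spreads new SSH connections over a range of back-ends, plus a MASQUERADE rule so that the back-ends' replies come back through the NAT box instead of going straight to the client, which is why the forwarded connection hung. The front-end address is the one from the thread; the back-end range, interface name and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Forward SSH arriving at FRONT_IP to a range of back-ends and SNAT the
# forwarded flow so the back-end answers the NAT box. Set DRY_RUN=1 to
# print the iptables commands instead of applying them (needs root otherwise).
FRONT_IP=${FRONT_IP:-10.1.3.17}            # address clients connect to
BACKENDS=${BACKENDS:-10.1.3.18-10.1.3.19}  # assumed back-end range
WAN_IF=${WAN_IF:-eth0}                     # interface clients arrive on
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

ssh_forward_rules() {
    # Rewrite the destination of new SSH connections for FRONT_IP. Giving
    # --to-destination a range lets the nat table pick a back-end per
    # connection instead of sending everything to one host.
    run -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$FRONT_IP" --dport 22 \
        -j DNAT --to-destination "$BACKENDS:22"
    # Rewrite the source as well. Without this the back-end replies from its
    # own address directly to the client, the client cannot match that reply
    # to the SYN it sent to FRONT_IP, and the session just hangs.
    run -t nat -A POSTROUTING -o "$WAN_IF" -p tcp --dport 22 -j MASQUERADE
    # Accept the forwarded SYN explicitly and let conntrack carry the rest
    # of the session (the "individual accepts for the returned connections").
    run -A FORWARD -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -P FORWARD DROP
}
```

Run with `DRY_RUN=1 sh script.sh; ssh_forward_rules` to review the rule set before applying it.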