12-13-2010 #1 (Just Joined! Join Date: Jun 2007, Posts: 7)
Port forward ssh request - how to see original client IP
Hi -
I didn't quite know how to search for this - if its already answered somewhere, please excuse me and direct me to the answer.
I have my ADSL modem hooked to a firewall (Fedora 12 i686). On the firewall's 2nd NIC, it is connected to my internal LAN. The firewall merely allows sshd and httpd requests, and port forwards them to a server inside the LAN. The web server uses Fedora 13 x86_64.
I use Gnome_Log_Viewer to see the log trace. On the Firewall, I don't see any requests coming in. On the Server, I see someone continuously trying (and failing) to break in by connecting via ssh (using all kinds of user names etc). In Gnome_Log_Viewer, I see the requesting IP as the Firewall IP, with a different port number each time.
Can someone tell me how to see the IP of the real client (outside this network) who is trying to connect in?
Thanks
12-20-2010 #2
From what you are posting it sounds like your firewall is compromised and the attacker is already logged onto the firewall and is now attempting to break into your internal systems.
12-20-2010 #3
No that's not the case
Thanks for replying. For the immediate term, I got around it by changing the port associated with sshd. So I'm not getting those hits now.
But no the firewall is not compromised. It is simply port forwarding all sshd (earlier port 22, now the new port) requests to the inner server. In any case, I shut down the sshd on the firewall, since it is not needed there, only on the inner server. I of course can ssh into my server (behind the firewall) by specifying the right port. And the guy trying to break in is *NOT* logged in to the firewall.
So any additional thoughts would be welcome. It should be a fairly straightforward thing to do, only I don't know how to see the original IP. I'm sure it's some simple configuration setup somewhere ...
12-20-2010 #4
Yes, run fail2ban. This program watches your firewall logs and when someone is attempting to break in it'll block them at the firewall.
12-20-2010 #5
Thanks but
I don't think this would work. My firewall logs were not showing any requests or login failures, probably since the requests were simply being port forwarded to the inner server. So placing this tool on the firewall would not help.
And the inner server simply shows the IP of the firewall as the requestor, so placing this app there would block the firewall. What I would like is for the server log to show the original client IP.
I am however able to block it simply by changing the sshd port, for now.
And also blocking the client IP may not be useful if he is doing some IP spoofing. But I thought I would just see what IP he is using, even if spoofing.
12-20-2010 #6
The firewall may be misconfigured in some way. I have used port forwarding before, and I think the server logs always gave me the IP of external clients. Of course, I was using a typical home/office type router with NAT. Maybe someone could help if you post your iptables rules.
12-20-2010 #7
I should have provided this earlier...
Note - I have XXXXX'd out the port I am using for ssh - it is something like 12345
Code:
[root@firewall ~]# iptables --list -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:XXXXX
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.11        state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.11        state NEW tcp dpt:XXXXX
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Code:
[root@innerWebServer ~]# iptables --list -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:XXXXX
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:68
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Last edited by MikeTbob; 12-22-2010 at 03:56 AM. Reason: Added Code Tags
12-20-2010 #8
The reason you are not seeing any IP addresses is because you are not logging any packets. You need a logging rule in order to have the packets logged.
You should change the following:
Make a new chain for logging, and then change all the NEW ACCEPT rules as follows.
Code:
# create the logging chain, then log and accept everything that is sent to it
-N LOG-NEW
-A LOG-NEW -j LOG --log-prefix "[FW NEW] : " --log-tcp-options --log-ip-options
-A LOG-NEW -j ACCEPT
(The above you should change to match your rules)
Code:
# port-forwarded packets traverse FORWARD, and -i is only valid in INPUT, FORWARD and PREROUTING
-A FORWARD -i <ITF> -p tcp -m tcp --dport 80 -m state --state NEW -j LOG-NEW
What this does is, when a new connection to the web server is attempted, the rule passes the packet to the logging chain before it is accepted.
Take a look at this TUTORIAL.
12-22-2010 #9
Thanks much, all. Our servers have been tied up with some urgent tasks for a few days. As soon as they get available, I will test and post results.
Appreciate the help!
01-27-2011 #10
Thanks, Works well
Lazydog, rcgreen, thanks!
I tried this (the two PREROUTING LOG rules are the lines I added), and it works well
Code:
-A PREROUTING -i eth0 -p tcp --dport 80 -j LOG --log-prefix "HTTP_PortForward: " --log-tcp-options --log-ip-options
-A PREROUTING -i eth0 -p tcp --dport XXXX -j LOG --log-prefix "SSH_PortForward: " --log-tcp-options --log-ip-options
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.11
-A PREROUTING -i eth0 -p tcp --dport XXXX -j DNAT --to-destination 192.168.1.11
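The firewall-side logging that posts #8 and #10 arrive at, put together as an added example (this is not code from the thread or from any poster): one `iptables-restore` ruleset that DNATs the two forwarded ports and logs each new connection once through a LOG-NEW chain in FORWARD, plus a small parser that turns the resulting kernel log lines into a per-client count. The interface eth0 and the inner server 192.168.1.11 are taken from the OP's rules; 12345 stands in for the XXXXX'd-out SSH port; the log lines in the script are constructed samples of what the LOG target writes. LOG-NEW is attached to FORWARD rather than OUTPUT because that is the chain port-forwarded packets traverse, and the LAN-egress ACCEPT rules from the OP's FORWARD chain are left out to keep the example focused.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the logging/DNAT ruleset
# described in posts #8 and #10 and parses the kernel log lines it produces
# to recover the original (external) client IP of forwarded connections.
# Assumed values: eth0 and 192.168.1.11 are from the OP's rules; 12345 stands
# in for the XXXXX'd-out SSH port.
WAN_IF="${WAN_IF:-eth0}"
INNER="${INNER:-192.168.1.11}"
SSH_PORT="${SSH_PORT:-12345}"

# Print a complete ruleset for `iptables-restore`. DNAT happens in
# nat/PREROUTING; the rewritten packet then traverses filter/FORWARD, so the
# LOG-NEW chain hangs off FORWARD (post #8 wrote OUTPUT, but -i is not allowed
# there and forwarded packets never pass through it). LOG is non-terminating,
# so each new connection is logged once and then accepted by the next rule.
# The OP's LAN-to-WAN "ACCEPT all" forward rules are omitted here.
make_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $INNER
-A PREROUTING -i $WAN_IF -p tcp --dport $SSH_PORT -j DNAT --to-destination $INNER
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG-NEW - [0:0]
-A LOG-NEW -j LOG --log-prefix "[FW NEW] : " --log-tcp-options --log-ip-options
-A LOG-NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $WAN_IF -d $INNER -p tcp --dport 80 -m state --state NEW -j LOG-NEW
-A FORWARD -i $WAN_IF -d $INNER -p tcp --dport $SSH_PORT -m state --state NEW -j LOG-NEW
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Load the ruleset on the firewall (needs root; not called by default).
apply_ruleset() { make_ruleset | iptables-restore; }

# Summarize kernel LOG lines (e.g. from /var/log/messages) for one prefix:
# one line per "client-IP destination-port count", most frequent first.
# SRC= is the external client because FORWARD runs before any POSTROUTING
# SNAT could rewrite the source address.
summarize_sources() {
    prefix="$1"
    grep -F "$prefix" \
        | sed -n 's/.*SRC=\([0-9.]*\) .*DPT=\([0-9]*\).*/\1 \2/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $3, $1 }'
}

# Constructed sample of what the LOG rule writes, plus one unrelated sshd
# line to show that non-matching entries are ignored.
SAMPLE_LOG='Jan 27 10:00:01 firewall kernel: [FW NEW] : IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4021 DF PROTO=TCP SPT=51544 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 27 10:00:03 firewall kernel: [FW NEW] : IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4022 DF PROTO=TCP SPT=51545 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 27 10:00:04 firewall kernel: [FW NEW] : IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.168.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=112 ID=9 DF PROTO=TCP SPT=40022 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 27 10:00:06 firewall kernel: [FW NEW] : IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4023 DF PROTO=TCP SPT=51546 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 27 10:00:07 firewall sshd[2211]: Accepted publickey for admin from 192.168.1.5 port 40100 ssh2'

# Demo on the constructed sample. On the firewall, run instead:
#   summarize_sources "[FW NEW]" < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_sources "[FW NEW]"
```

Once the firewall's own log carries `SRC=` for every new forwarded connection, the fail2ban suggestion from post #4 becomes workable on the firewall itself, since a filter there can match the `[FW NEW]` prefix and the source address rather than the firewall's own IP that the inner server's sshd log reports.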