  #1  Original poster (Just Joined!, joined Jun 2007)

    Port forward ssh request - how to see original client IP


    Hi -

    I didn't quite know how to search for this - if its already answered somewhere, please excuse me and direct me to the answer.

    I have my ADSL modem hooked to a firewall (Fedora 12 i686). On the firewall's 2nd NIC, it is connected to my internal LAN. The firewall merely allows sshd and httpd requests, and port forwards them to a server inside the LAN. The web server uses Fedora 13 x86_64.

    I use Gnome_Log_Viewer to see the log trace. On the Firewall, I don't see any requests coming in. On the Server, I see someone continuously trying (and failing) to break in by connecting via ssh (using all kinds of user names etc). In Gnome_Log_Viewer, I see the requesting IP as the Firewall IP, with a different port number each time.

    Can someone tell how to be able to see the IP of the real client (outside this network) who is trying to connect in?

    Thanks

  #2  Lazydog (Linux Guru, joined Jun 2004, The Keystone State)
    From what you are posting it sounds like your firewall is compromised and the attacker is already logged onto the firewall and is now attempting to break into your internal systems.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  #3  Original poster

    No that's not the case

    Thanks for replying. For the moment I got around it by changing the port associated with sshd. So I'm not getting those hits now.

    But no the firewall is not compromised. It is simply port forwarding all sshd (earlier port 22, now the new port) requests to the inner server. In any case, I shut down the sshd on the firewall, since it is not needed there, only on the inner server. I of course can ssh into my server (behind the firewall) by specifying the right port. And the guy trying to break in is *NOT* logged in to the firewall.

    So any additional thoughts would be welcome. It should be a fairly straightforward thing to do, only I don't know how to see the original IP. I'm sure it's some simple configuration setup somewhere ...

  #4  Lazydog
    Yes, run fail2ban. This program watches your firewall logs and when someone is attempting to break in it'll block them at the firewall.

    Regards
    Robert


  #5  Original poster

    Thanks but

    I don't think this would work. My firewall logs were not showing any requests or login failures, probably since the requests were simply being port forwarded to the inner server. So placing this tool on the firewall would not help.

    And the inner server simply shows the IP of the firewall as the requestor, so placing this app there would block the firewall. What I would like is for the server log to show the original client IP.

    I am however able to block it simply by changing the sshd port, for now.

    And also blocking the client IP may not be useful if he is doing some IP spoofing. But I thought I would just see what IP he is using, even if spoofing.

  #6  rcgreen (Linux Engineer, joined May 2006, the hills)
    The firewall may be misconfigured in some way. I have used port forwarding before, and I think the server logs always gave me the IP of external clients. Of course, I was using a typical home/office type router with NAT.

    Maybe someone could help if you post your iptables rules.

  #7  Original poster

    I should have provided this earlier...

    Note - I have XXXXX'd out the port I am using for ssh - it is something like 12345

    Code:
    [root@firewall ~]# iptables --list -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:XXXXX 
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     tcp  --  0.0.0.0/0            192.168.1.11        state NEW tcp dpt:80 
    ACCEPT     tcp  --  0.0.0.0/0            192.168.1.11        state NEW tcp dpt:XXXXX 
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Code:
    [root@innerWebServer ~]# iptables --list -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:XXXXX 
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:67 
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:68 
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    Last edited by MikeTbob; 12-22-2010 at 04:56 AM. Reason: Added Code Tags

  #8  Lazydog
    The reason you are not seeing any IP Addresses is because you are not logging any packets. You need a logging rule in order to have the packets logged.

    You should change the following:

    Make a new chain for logging.

    Code:
    # create the chain first; -A fails if LOG-NEW does not exist yet
    -N LOG-NEW
    -A LOG-NEW -j LOG --log-prefix "[FW NEW] : " --log-tcp-options --log-ip-options
    -A LOG-NEW -j ACCEPT
    And then change all the NEW ACCEPT rules as follows.

    Code:
    # -i (inbound interface) is only valid in INPUT, FORWARD and PREROUTING, not OUTPUT
    -A INPUT -i <ITF> -p tcp -m tcp --dport 80 -m state --state NEW -j LOG-NEW
    (The above you should change to match your rules)

    What this does is when a new connection to the web server is attempted to be made the rule will drop the packet to the Logging chain before it is accepted.

    Take a look at this TUTORIAL.

    Regards
    Robert


  #9  Original poster
    Thanks much, all. Our servers have been tied up with some urgent tasks for a few days. As soon as they get available, I will test and post results.

    Appreciate the help!

  #10  Original poster

    Thanks, Works well

    Lazydog, rcgreen, thanks!

    I tried this (added the PREROUTING LOG lines, shown in red in the original post), and it works well

    Code:
    -A PREROUTING -i eth0 -p tcp --dport 80 -j LOG --log-prefix "HTTP_PortForward: " --log-tcp-options --log-ip-options
    -A PREROUTING -i eth0 -p tcp --dport XXXX -j LOG --log-prefix "SSH_PortForward: " --log-tcp-options --log-ip-options

    -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.11
    -A PREROUTING -i eth0 -p tcp --dport XXXX -j DNAT --to-destination 192.168.1.11
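Both the LOG-NEW chain suggested in post #8 and the PREROUTING LOG rules that worked in post #10 make the kernel write one syslog line per logged packet, and because the LOG rule runs before the DNAT (and before any masquerading on the way out to the LAN) its SRC= field carries the real external client address that the inner server's sshd never sees. The script below is an added example, not code from the thread or from fail2ban: it parses such lines, keeps only TCP SYN packets (new connection attempts), and counts them per client IP for a given log prefix and port. The log lines are constructed for the example (documentation-range addresses, 12345 standing in for the redacted XXXX port, prefixes copied from the post #10 rules), and the syslog layout assumed is the usual "host kernel: [optional timestamp] prefix IN=... SRC=... DPT=... SYN" form.

```python
"""Pull the real client IP out of iptables LOG lines and count connection attempts."""
import re
from collections import Counter

# Netfilter part of a syslog line written by a LOG rule. The bracketed kernel
# timestamp is optional; the prefix is whatever --log-prefix was set to.
LOG_RE = re.compile(
    r"kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>[^=]*?)\s*(?P<fields>IN=.*)$"
)

# Constructed sample lines (not from the thread). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; 12345 stands in for the redacted port.
SAMPLE_LINES = [
    "Dec 22 04:10:01 firewall kernel: SSH_PortForward: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4181 DF PROTO=TCP SPT=51234 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0000000000000000)",
    "Dec 22 04:10:03 firewall kernel: SSH_PortForward: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4182 DF PROTO=TCP SPT=51235 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0000000000000000)",
    "Dec 22 04:10:03 firewall kernel: [ 7213.411021] SSH_PortForward: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=4183 DF PROTO=TCP SPT=51235 DPT=12345 WINDOW=115 RES=0x00 ACK URGP=0",
    "Dec 22 04:10:06 firewall kernel: SSH_PortForward: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4190 DF PROTO=TCP SPT=51236 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0000000000000000)",
    "Dec 22 04:11:40 firewall kernel: SSH_PortForward: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9011 DF PROTO=TCP SPT=40102 DPT=12345 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0000000000000000)",
    "Dec 22 04:12:00 firewall kernel: HTTP_PortForward: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9012 DF PROTO=TCP SPT=40103 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0000000000000000)",
    # What the inner server's own log shows: only the firewall's address.
    "Dec 22 04:10:05 innerWebServer sshd[2231]: Failed password for invalid user admin from 192.168.1.1 port 40012 ssh2",
]


def parse_line(line):
    """Return the interesting fields of one LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    kv, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            kv[key] = val
        elif tok.isalpha() and tok.isupper() and tok != "OPT":
            flags.add(tok)  # DF, SYN, ACK, PSH ...; the "OPT (...)" dump is skipped
    return {
        "prefix": m.group("prefix").rstrip(" :"),
        "in": kv.get("IN", ""),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "spt": kv.get("SPT"),
        "dpt": kv.get("DPT"),
        "flags": flags,
    }


def count_new_connections(lines, prefix=None, dport=None):
    """Count TCP connection attempts (SYN without ACK) per real client IP."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] is None:
            continue
        if prefix is not None and rec["prefix"] != prefix:
            continue
        if dport is not None and rec["dpt"] != str(dport):
            continue
        # A bare SYN is a new connection; packets carrying ACK belong to a
        # session that was already accepted and would inflate the count.
        if rec["proto"] == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            counts[rec["src"]] += 1
    return dict(counts)


def suspicious_sources(counts, threshold):
    """Client IPs that opened at least `threshold` connections; candidates to block."""
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    ssh = count_new_connections(SAMPLE_LINES, prefix="SSH_PortForward", dport=12345)
    for src, n in sorted(ssh.items(), key=lambda item: -item[1]):
        print(f"{src:15} {n} new SSH connection(s)")
    print("over threshold:", suspicious_sources(ssh, 3))
```

On Fedora these kernel lines land in /var/log/messages, so the script can be pointed at that file instead of SAMPLE_LINES. Two caveats a practitioner would want: an unrated LOG rule on a port that is being brute-forced can fill the log quickly, so pairing it with `-m limit` is usual; and, as the original poster notes, a source address is not proof of who is attacking, although a completed TCP handshake (the SYN counted here followed by the session's ACKs) does mean the address was reachable, not merely spoofed.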
