  1. #1
    Just Joined!
    Join Date
    Sep 2011
    Location
    Lithuania
    Posts
    17

    Iptables SSH forward


    Hello,

    I'm trying to configure Slackware running as a router/firewall so that I can connect to the local server in our LAN from the outside network.

    Here is the situation:
    WAN_IP <---> Linux-router <---> 10.1.1.254 <---> 10.1.1.16 (local server)

    I want to access the local server by connecting to WAN_IP:22299. When I try to do that using PuTTY I get "Connection timed out".
    I can access the local server using PuTTY from inside the LAN. I can also see the attempts in the router log.

    Could you please help me?

    Here is the corresponding output from iptables-save:

    # Generated by iptables-save v1.4.10 on Wed Apr 4 11:49:06 2012
    *mangle
    :PREROUTING ACCEPT [2421:1604394]
    :INPUT ACCEPT [268:16384]
    :FORWARD ACCEPT [2140:1586996]
    :OUTPUT ACCEPT [36:3312]
    :POSTROUTING ACCEPT [2176:1590308]
    COMMIT
    # Completed on Wed Apr 4 11:49:06 2012
    # Generated by iptables-save v1.4.10 on Wed Apr 4 11:49:06 2012
    *nat
    :PREROUTING ACCEPT [260:15156]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [1:52]
    -A PREROUTING -p tcp -m tcp --dport 22299 -j DNAT --to-destination 10.1.1.16:22
    -A POSTROUTING -s 10.1.1.0/24 -j SNAT --to-source <WAN-IP>
    -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source <WAN-IP>
    COMMIT
    # Completed on Wed Apr 4 11:49:06 2012
    # Generated by iptables-save v1.4.10 on Wed Apr 4 11:49:06 2012
    *filter
    :INPUT DROP [222:12758]
    :FORWARD ACCEPT [2131:1581295]
    :OUTPUT ACCEPT [36:3312]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    -A INPUT -s 10.1.1.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -s 10.1.1.0/24 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    COMMIT
    # Completed on Wed Apr 4 11:49:06 2012

  2. #2
    Just Joined!
    Join Date
    Mar 2005
    Location
    Charlotte, MI
    Posts
    8
    Try this iptables command, but change the 1.2.3.4 to the actual IP that is used on the public internet side:

    iptables -t nat -I PREROUTING -p tcp --dport 22299 -d 1.2.3.4 -j DNAT --to-destination 10.1.1.16:22

    -Maurice

  3. #3
    Just Joined!
    Join Date
    Sep 2011
    Location
    Lithuania
    Posts
    17
    Thank you for the reply. I've just tried that - it doesn't help.
    I wonder, what else could it be? It must be something with iptables since I can connect to the target server from other LAN computer but not from the outside.

    Quote Originally Posted by Mopar93
    Try this iptables command, but change the 1.2.3.4 to the actual IP that is used on the public internet side:

    iptables -t nat -I PREROUTING -p tcp --dport 22299 -d 1.2.3.4 -j DNAT --to-destination 10.1.1.16:22

    -Maurice

  5. #4
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Stupid question but is FORWARDing turned on?

    You might want to rethink setting FORWARD to DROP to better protect your network.
    Here are some cleaner rules.

    Code:
    # Generated by iptables-save v1.4.10 on Wed Apr 4 11:49:06 2012
    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    # Completed on Wed Apr 4 11:49:06 2012
    # Generated by iptables-save v1.4.10 on Wed Apr 4 11:49:06 2012
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -i <WAN-INT> -p tcp -m tcp --dport 22299 -j DNAT --to-destination 10.1.1.16:22
    -A POSTROUTING -o <WAN-INT> -j MASQUERADE
    COMMIT
    # Completed on Wed Apr 4 11:49:06 2012
    # Generated by iptables-save v1.4.10 on Wed Apr 4 11:49:06 2012
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s 10.1.1.0/24 -j ACCEPT
    COMMIT
    # Completed on Wed Apr 4 11:49:06 2012

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  6. #5
    Just Joined!
    Join Date
    Mar 2005
    Location
    Charlotte, MI
    Posts
    8
    What I posted will work as long as you put the correct IP where I put 1.2.3.4. Some modems do not have a router built in and some do. That means that the Ethernet interface in your firewall machine that is on the WAN side is either going to carry the same IP address that is used on the internet, or it will have its own local IP, which should be on a different local network than your internal network. For instance, you use the 10.1.1.0/24 network on the inside. Therefore the WAN-side interface is either going to use the public internet IP address or it's going to use a different network such as 10.0.0.0/24.

    Whatever IP is used on that particular WAN-side interface is what should go where I put 1.2.3.4. Use the "ifconfig" command to see what IP is assigned to it.

    Also, Lazydog included a suggestion that you should use: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    Be sure to check out his other suggestion to have forwarding turned on.

    Do you have more than one public IP and are using multiple virtual interfaces on the wan side of your firewall? If so, there is another setting you need to make. Let me know and I'll add more.

    -Maurice

  7. #6
    Just Joined!
    Join Date
    Sep 2011
    Location
    Lithuania
    Posts
    17
    Thanks for your help.

    Quote Originally Posted by Lazydog
    Stupid question but is FORWARDing turned on?
    Yes, forwarding is turned on, since I have configured several PREROUTING rules to reach several machines inside the LAN via remote desktop from the internet.
    Regarding the default DROP policy for the FORWARD chain: LAN computers can't browse the internet when I do this. I probably need to add more rules, but I will deal with that later.

    Quote Originally Posted by Lazydog
    -A POSTROUTING -o <WAN-INT> -j MASQUERADE
    I tried that. Doesn't help. I suppose I should use:
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j SNAT --to-source <WAN-IP>
    instead of MASQUERADE since my WAN IP is static, not dynamic. Or should I use MASQUERADE anyway?

    Quote Originally Posted by Mopar93
    Whatever IP is used on that particular wan side interface is what should go where I put 1.2.3.4. Use the "ifconfig" command to see what IP is assigned to it.
    Yes, I know my WAN IP and I'm using it correctly, as you said.

    Quote Originally Posted by Mopar93
    Also, Lazydog included a suggestion that you should use: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    This is included in my rules.

    Quote Originally Posted by Mopar93
    Do you have more than one public IP and are using multiple virtual interfaces on the wan side of your firewall? If so, there is another setting you need to make. Let me know and I'll add more.
    No, no multiple interfaces on WAN side.

    So, according to your suggestion, I paste my iptables rules script. Could you please take a look and tell me what else I should try. Also, I don't understand one thing. I cannot ping from the firewall machine to the LAN server I want to reach through SSH, although I can ping all the other servers. And from any computer inside the LAN I can ping the server that I want to SSH to. The firewall of the target server is turned off. Maybe the problem lies not in iptables?..
    Code:
    #!/bin/bash
    
    # Flush all rules, and all custom tables
    iptables --flush
    iptables --delete-chain
    iptables -t nat --flush
    iptables -t nat --delete-chain
    iptables -t mangle --flush
    iptables -t mangle --delete-chain
    
    # Set default policies for all three default chains
    iptables -P INPUT DROP
    iptables -P FORWARD ACCEPT
    
    # It's probably safe to let all the output go freely
    iptables -P OUTPUT ACCEPT
    
    # Enable free use of loopback interfaces
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # All TCP sessions should begin with SYN
    # iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
    iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    
    # Accept inbound ICMP messages
    iptables -A INPUT -p ICMP --icmp-type 8 -s 10.1.1.0/24 -j ACCEPT
    
    # Don't restrict activity from local network
    iptables -A INPUT -s 10.1.1.0/24 -j ACCEPT
    
    # Allow all forwarding from LAN to WAN. Without this LAN computers can't communicate with the outside world, e.g. browse the internet
    # iptables -A FORWARD -i eth1 -j ACCEPT
    
    # Allow SSH
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    iptables -t nat -I PREROUTING -p tcp -m tcp --dport 22299 -d <WAN-IP> -i eth0 -j DNAT --to-destination 10.1.1.16:22
    
    # Masquerading (should be used with dynamic public IP)
    # Masquerade connections from Altas main LAN
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
    # Masquerade connections from Altas wireless LAN
    #iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
    
    # NAT to public IP
    # NAT connections from Altas main LAN
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j SNAT --to-source <WAN-IP>
    # NAT connections from Altas wireless LAN
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source <WAN-IP>

  8. #7
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Try these rules;

    Code:
    #!/bin/bash
    
    # Flush all rules, and all custom tables
    iptables --flush
    iptables --delete-chain
    iptables -t nat --flush
    iptables -t nat --delete-chain
    iptables -t mangle --flush
    iptables -t mangle --delete-chain
    
    # Set default policies for all three default chains
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    
    # Enable free use of loopback interfaces
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # Setup Inbound connections that are allowed
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -s 10.1.1.0/24 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p ICMP --icmp-type 8 -s 10.1.1.0/24 -j ACCEPT
    
    # Setup DNAT rules for SSH
    iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp -m state --state NEW --dport 22299 -j DNAT --to-destination 10.1.1.16:22
    
    # Setup FORWARD Rules (policy is DROP, so both directions of every
    # forwarded connection need a match here)
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -m state --state NEW -j ACCEPT
    # Let the DNATed SSH connection in: its first packet arrives on eth0 as NEW
    iptables -A FORWARD -i eth0 -p tcp -d 10.1.1.16 --dport 22 -m state --state NEW -j ACCEPT
    
    # Setup Masquerade for outgoing packets
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    I always use MASQUERADE as it is easier to do than playing with the SNAT.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
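The FORWARD-chain point raised above is where port-forwards with a DROP policy usually break, so here is an added checking script (not code from the thread or either poster) that audits an iptables-save dump offline, without touching the live firewall. The ruleset is constructed for the example; the interface names eth0/eth1 and the 10.1.1.16:22 target follow the thread.

```shell
# Added example, not code from the thread or either poster: audit an
# iptables-save dump offline for the pieces a DNAT port-forward needs.
# The ruleset below is constructed; eth0/eth1 and 10.1.1.16:22 follow the thread.
SAMPLE_RULES=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22299 -j DNAT --to-destination 10.1.1.16:22
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -m state --state NEW -j ACCEPT
COMMIT
EOF
)
# What the sample lacks: the DNATed SYN arrives on eth0 as NEW, and the
# server's replies come back on eth1 as ESTABLISHED; neither rule above matches.
REQUIRED_FORWARD_RULES='-A FORWARD -i eth0 -d 10.1.1.16/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'

# check_forward_for_dnat RULES TARGET_IP TARGET_PORT WAN_IF
# Prints one MISSING line per gap; returns 0 only when the forward path is complete.
check_forward_for_dnat() {
    local rules=$1 target=$2 port=$3 wan=$4 rc=0
    # 1. nat PREROUTING must rewrite the public port to TARGET:PORT.
    if ! printf '%s\n' "$rules" | grep -q -- "-j DNAT --to-destination ${target}:${port}\$"; then
        echo "MISSING: nat PREROUTING DNAT to ${target}:${port}"; rc=1
    fi
    # With FORWARD policy ACCEPT nothing more is needed; with DROP check both directions.
    if printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'; then
        # 2. An ACCEPT for NEW connections to the target (ESTABLISHED,RELATED never matches the SYN).
        if ! printf '%s\n' "$rules" | grep -- '^-A FORWARD' | grep -v -- '--state ESTABLISHED,RELATED' \
            | grep -E -- "-d ${target}(/32)? " | grep -q -- '-j ACCEPT'; then
            echo "MISSING: FORWARD ACCEPT for NEW connections to ${target} (policy is DROP)"; rc=1
        fi
        # 3. Replies from the LAN side; a rule pinned to "-i WAN_IF" covers only WAN-to-LAN.
        if ! printf '%s\n' "$rules" | grep -- '^-A FORWARD' | grep -v -- "-i ${wan} " \
            | grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT'; then
            echo "MISSING: FORWARD ACCEPT for ESTABLISHED,RELATED replies from the LAN side"; rc=1
        fi
    fi
    return $rc
}

check_forward_for_dnat "$SAMPLE_RULES" 10.1.1.16 22 eth0 || printf 'Add to *filter:\n%s\n' "$REQUIRED_FORWARD_RULES"
```

Feed it the output of `iptables-save` from the router to check a real ruleset; a FORWARD policy of ACCEPT makes checks 2 and 3 moot, which is why the original poster's ACCEPT-policy setup needed no FORWARD rules.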

  9. #8
    Just Joined!
    Join Date
    Sep 2011
    Location
    Lithuania
    Posts
    17
    Quote Originally Posted by Lazydog
    Try these rules
    I added your rules (except the ones related to forwarding) with no luck. I still can't connect to the local server through SSH from the internet. Pity I cannot test and play with it thoroughly, since it's a production environment and I add rules mostly remotely. I'm curious what I'm doing wrong. As I understand it, there is no need to add FORWARD rules if the FORWARD policy is set to ACCEPT. And there are very few examples of SSH forwarding on the net that I found.
    If you have any other ideas, please let me know.

  10. #9
    Just Joined!
    Join Date
    Mar 2005
    Location
    Charlotte, MI
    Posts
    8
    It's starting to sound like you might have a routing problem from the firewall machine to the machine you want to SSH to. If you can't ping it, you won't be able to solve your SSH problem either.

    I looked at your first message again and see that you have two internal networks, 192.x and 10.x. Does this mean that you have 3 interfaces in the firewall machine, one for the WAN and two for the two LAN networks?

    -Maurice

  11. #10
    Just Joined!
    Join Date
    Sep 2011
    Location
    Lithuania
    Posts
    17
    Quote Originally Posted by Mopar93
    Does this mean that you have 3 interfaces in the firewall machine, one for the WAN and two for the two LAN networks?
    No, there is only one LAN interface, but virtual interfaces are used to create separate LANs. I attach my ifconfig:

    Code:
    eth0      Link encap:Ethernet  HWaddr <MAC>
              inet addr:<WAN-IP>  Bcast:<WAN-BC>  Mask:255.255.255.0
              inet6 addr: <WAN-IP> Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:20083755 errors:0 dropped:8610 overruns:0 frame:0
              TX packets:20318709 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:2242641031 (2138.7 Mb)  TX bytes:3347935774 (3192.8 Mb)
              Interrupt:9 Base address:0x8000 
    
    eth1      Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03  
              inet addr:10.1.1.254  Bcast:10.1.1.255  Mask:255.255.255.0
              inet6 addr: fe80::215:5dff:fe01:c03/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:20741018 errors:0 dropped:89 overruns:0 frame:0
              TX packets:17898814 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:3422739442 (3264.1 Mb)  TX bytes:2761947693 (2633.9 Mb)
              Interrupt:9 Base address:0x2000 
    
    eth1:1    Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03  
              inet addr:10.1.1.251  Bcast:10.1.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:9 Base address:0x2000 
    
    eth1:2    Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03  
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:9 Base address:0x2000 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:8 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:536 (536.0 b)  TX bytes:536 (536.0 b)
