Iptables SSH forward

[vytas]

Hello,

I'm trying to configure Slackware running as router/firewall so that I can connect to the local server in our LAN from the outside network.

Here is the situation:
WAN_IP <---> Linux-router <---> 10.1.1.254 <---> 10.1.1.16 (local server)

I want to access local server by accessing WAN_IP:22299. When I try to do that using putty I get "Connection timed out".
I can access local server using putty from inside LAN. I also can see the attempts in the router log.

Could you please help me?

Here is the corresponding output from iptables-save:

# Generated by iptables-save v1.4.10 on Wed Apr 4 11:49:06 2012
*mangle
:PREROUTING ACCEPT [2421:1604394]
:INPUT ACCEPT [268:16384]
:FORWARD ACCEPT [2140:1586996]
:OUTPUT ACCEPT [36:3312]
:POSTROUTING ACCEPT [2176:1590308]
COMMIT
# Completed on Wed Apr 4 11:49:06 2012
# Generated by iptables-save v1.4.10 on Wed Apr 4 11:49:06 2012
*nat
:PREROUTING ACCEPT [260:15156]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [1:52]
-A PREROUTING -p tcp -m tcp --dport 22299 -j DNAT --to-destination 10.1.1.16:22
-A POSTROUTING -s 10.1.1.0/24 -j SNAT --to-source <WAN-IP>
-A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source <WAN-IP>
COMMIT
# Completed on Wed Apr 4 11:49:06 2012
# Generated by iptables-save v1.4.10 on Wed Apr 4 11:49:06 2012
*filter
:INPUT DROP [222:12758]
:FORWARD ACCEPT [2131:1581295]
:OUTPUT ACCEPT [36:3312]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -s 10.1.1.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 10.1.1.0/24 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Wed Apr 4 11:49:06 2012

[Mopar93]

Try this iptables command, but change the 1.2.3.4 to the actual IP that is used on the public internet side:

iptables -t nat -I PREROUTING -p tcp --dport 22299 -d 1.2.3.4 -j DNAT --to-destination 10.1.1.16:22

-Maurice

[vytas]

Thank you for the reply. I've just tried that - it doesn't help.
I wonder, what else could it be? It must be something with iptables since I can connect to the target server from other LAN computer but not from the outside.

Try this iptables command, but change the 1.2.3.4 to the actual IP that is used on the public internet side:

iptables -t nat -I PREROUTING -p tcp --dport 22299 -d 1.2.3.4 -j DNAT --to-destination 10.1.1.16:22

-Maurice

[Lazydog]

Stupid question but is FORWARDing turned on?

You might want to rethink setting FORWARD to DROP to better protect your network.
Here are some cleaner rules.

Code:

# Generated by iptables-save v1.4.10 on Wed Apr 4 11:49:06 2012
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 4 11:49:06 2012
# Generated by iptables-save v1.4.10 on Wed Apr 4 11:49:06 2012
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i <WAN-INT> -p tcp -m tcp --dport 22299 -j DNAT --to-destination 10.1.1.16:22
-A POSTROUTING -o <WAN-INT> -j MASQURADE
COMMIT
# Completed on Wed Apr 4 11:49:06 2012
# Generated by iptables-save v1.4.10 on Wed Apr 4 11:49:06 2012
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.1.1.0/24 -j ACCEPT
COMMIT
# Completed on Wed Apr 4 11:49:06 2012

[Mopar93]

What I posted will work as long as you put the correct IP where I put 1.2.3.4 at. Some modems do not have a router built in and some do. That means that the ethernet interface in your firewall machine that is on the wan side is either going to carry the same IP address that is used on the internet or it will have its own local ip which should be a different local network than your internal network. For instance you use the 10.1.1.0/24 network on the inside. Therefore the wan side interface is either going to use the public internet IP address or it's going to use a different network such as 10.0.0.0/24.

Whatever IP is used on that particular wan side interface is what should go where I put 1.2.3.4. Use the "ifconfig" command to see what IP is assigned to it.

Also, Lazydog included a suggestion that you should use: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Be sure to check out his other suggestion to have forwarding turned on.

Do you have more than one public IP and are using multiple virtual interfaces on the wan side of your firewall? If so, there is another setting you need to make. Let me know and I'll add more.

-Maurice

[vytas]

Thank's for your help.

Stupid question but is FORWARDing turned on?

Yes, forwarding is turned on since I am configured several PREROUTING rules to reach several machines inside LAN via remote desktop from the internet.
Regarding default DROP policy for FORWARD chain. LAN computers can't browse internet when I do this. I need to add more rules probably but I will deal with that later

-A POSTROUTING -o <WAN-INT> -j MASQURADE

I tried that. Doesn't help. I suppose I should use:
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j SNAT --to-source <WAN-IP>
instead of MASQUARADE since my WAN IP is static, not dynamic. Or should I use MASQUARADE anyway?

Whatever IP is used on that particular wan side interface is what should go where I put 1.2.3.4. Use the "ifconfig" command to see what IP is assigned to it.

Yes, I know my WAN IP and I'm using it correctly as you told.

Also, Lazydog included a suggestion that you should use: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This is included in my rules.

Do you have more than one public IP and are using multiple virtual interfaces on the wan side of your firewall? If so, there is another setting you need to make. Let me know and I'll add more.

No, no multiple interfaces on WAN side.

So according to your suggestion I paste my iptables rules script. Could you please take a look and tell me what else should I try. Also I don't understand one thing. I cannot ping from firewall machine to the lan server I want to reach through SSH although I can ping all the other servers. And from any computer inside LAN I can ping the server that I want to ssh. The firewall of target server is turned off. Maybe the problem lies not in iptables?..

Code:

#!/bin/bash

# Flush all rules, and all custom tables
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -t mangle --flush
iptables -t mangle --delete-chain

# Set default policies for all three default chains
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT

# It's probably save to let all the output go freely
iptables -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
# iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

# Accept inbound ICMP messages
iptables -A INPUT -p ICMP --icmp-type 8 -s 10.1.1.0/24 -j ACCEPT

# Don't restrict activity from local network
iptables -A INPUT -s 10.1.1.0/24 -j ACCEPT

# Allow all forwarding from LAN to WAN. Without this LAN computers can't communivate with the outside world, e.g. browse the internet
# iptables -A FORWARD -i eth1 -j ACCEPT

# Allow SSH
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -I PREROUTING -p tcp -m tcp --dport 22299 -d <WAN-IP> -i eth0 -j DNAT --to-destination 10.1.1.16:22

# Masquarading (should be used with dynamic public IP)
# Masquarade connections from Altas main LAN
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
# Masquarade connections from Altas wireless LAN
#iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

# NAT to public IP
# NAT connections from Altas main LAN
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j SNAT --to-source <WAN-IP>
# NAT connections from Altas wireless LAN
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source <WAN-IP>

[Lazydog]

Try these rules;

Code:

#!/bin/bash

# Flush all rules, and all custom tables
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -t mangle --flush
iptables -t mangle --delete-chain

# Set default policies for all three default chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Setup Inbound connections that are allowed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -s 10.1.1.0/24 -m state --state NEW -j ACCEPT
iptables -A INPUT -p ICMP --icmp-type 8 -s 10.1.1.0/24 -j ACCEPT

# Setup DNAT rules for SSH
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp -m state --state NEW --dport 22299 -j DNAT --to-destination 10.1.1.16:22

# Setup FORWARD Rules
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -m state --state NEW -j ACCEPT

# Setup Masquerade for outgoing packets
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I always use MASQUERADE as it is easier to do then playing with the SNAT.

[vytas]

Try these rules

I added your rules (except the ones related to forwarding) with no luck. I still can't connect to local server through SSH from the internet. Pity I cannot test and play with it thoroughly since it's production environment and I add rules mostly remotely I'm curious what I do wrong. As I understand there is no need to add FORWARD rules if FORWARD policy is set to ACCEPT. And there are very few examples of SSH forwarding on the net that I found.
If you have any other ideas, please let me know.

[Mopar93]

It's starting to sound like you might have a routing problem from the firewall machine to the machine you want to SSH to. If you can't ping it, you won't be able to solve your SSH problem either.

I looked at your first message again and see that you have two internal networks, 192.x and 10.x. Does this mean that you have 3 interfaces in the firewall machine, one for the WAN and two for the two LAN networks?

-Maurice

[vytas]

Does this mean that you have 3 interfaces in the firewall machine, one for the WAN and two for the two LAN networks?

No, there is only 1 LAN interface, but virtual interfaces are used to create separate LANS. I attach my ifconfig:

Code:

eth0      Link encap:Ethernet  HWaddr <MAC>
          inet addr:<WAN-IP>  Bcast:<WAN-BC>  Mask:255.255.255.0
          inet6 addr: <WAN-IP> Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20083755 errors:0 dropped:8610 overruns:0 frame:0
          TX packets:20318709 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2242641031 (2138.7 Mb)  TX bytes:3347935774 (3192.8 Mb)
          Interrupt:9 Base address:0x8000 

eth1      Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03  
          inet addr:10.1.1.254  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::215:5dff:fe01:c03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20741018 errors:0 dropped:89 overruns:0 frame:0
          TX packets:17898814 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3422739442 (3264.1 Mb)  TX bytes:2761947693 (2633.9 Mb)
          Interrupt:9 Base address:0x2000 

eth1:1    Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03  
          inet addr:10.1.1.251  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:9 Base address:0x2000 

eth1:2    Link encap:Ethernet  HWaddr 00:15:5D:01:0C:03  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:9 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:536 (536.0 b)  TX bytes:536 (536.0 b)