* SSH dnat
From: Ambor @ 2002-12-01 14:52 UTC
To: netfilter
Hello everyone,
I'm trying to DNAT SSH through the firewall to an internal machine.
I use the following rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2323 -j DNAT --to-destination internal_IP:2323
eth0 is connected to the internet.
The problem is that the connection is all right; it just seems that I don't get an answer from the ssh server.
(I'm getting a connection timeout, not a connection refused.)
To be sure, I don't filter anything, so all traffic is accepted.
Can someone help me?
thx
Ronny
* Re: SSH dnat
From: Jeroen van Leeuwen @ 2002-12-01 18:44 UTC
To: Ambor, netfilter
Are you sure that your server is listening on port 2323?
The rule as I use it is:
iptables -t nat -A PREROUTING -p tcp --dport 2000 -i eth2 -j DNAT --to 10.10.10.1:22
The server is listening on port 22 of 10.10.10.1,
reachable from external on port 2000.
grtn jeroen
* RE: SSH dnat
From: hard__ware @ 2002-12-01 19:06 UTC
To: netfilter
Hello Ambor,
I'm not too sure how much you know about gateways / DNS,
so I'm going to assume ...
1.) Have you made sure that the internal SSH server on
the local LAN can use DNS correctly & has internet access
through the IPTables gateway? (Does "route -Nve" on the SSH server show any
default routes?)
2.) Have you set up any other kind of DNAT / hosted services that sit behind
the firewall that are working???
3.) Also, is your SSH server service even running on the right port (i.e. in
your case port 2323)?
You can display all the server's listening ports with #> netstat -l --inet -nve
Anyway, good luck with IPTables & NetFilter.
cyas...
Hard__warE
( Here is a little laugh from a call that I got from a fool that upgraded a
router / net connection on-site at one of my clients;
because of contract reasons they had to do the installation, and my company
was not allowed (but we are their network administrators ??? )
| MCSE Tech |: ' No, the problem is your fault, this box now needs a
reinstall '
] MySelf [: ' What's the problem? '
| MCSE Tech |: ' It can't access the internet but all the other machines can '
] MySelf [: Did you check the network settings, i.e. default gateway,
DNS entries, subnets etc etc ???
| MCSE Tech |: What do you think I am, stupid?
] MySelf [: Not at all (yeah right), I just have to make sure so I don't
have to come onsite for nothing...
Anyway, well if you believe it's all the same as the other machines and not
working I'll come out within the hour ...
40 mins later on-site: | MCSE Tech |: You must be the network technician,
correct?
] MySelf [: Indeed I am, pleased to meet you .. let's take a look at this
problem shall we ...
"I get straight on the problem machine, go straight to Network
Neighbourhood, right-clicked -> Properties --> TCP/IP / LAN NDIS Device ..."
] MySelf [: Why does this machine have its DNS set as the gateway?
| MCSE Tech |: Because that's how it's meant to work ...
] MySelf [: Well, not unless you're doing DNAT on that basic arse router
for DNS requests on port 53 too, let's say to the ISP's DNS servers (which
this router could not do)
| MCSE Tech |: Why didn't I think of that ... oh well ...
] MySelf [: Huh ??? (me all confused at this person's ability to use his
brain) No, you stupid Microsoft Cisco boy, look at my certificate, I can do
anything ... it needs to be set on all machines to the ISP's DNS servers, as
we don't have any internal DNS servers ...
] MySelf [: Actually, by the way, why isn't this machine set to assign a
dynamic IP address ??? because that's where it gets its gateway / DNS info
from?
| MCSE Tech |: But you have to use static IPs with this router ... it won't
accept dynamic addresses
] MySelf [: Look, go home. OMG, what do you know, it actually works now,
I wonder why ....
Can you believe that, what nerve of that guy ... Absolute Windowz Tosser ....
LOL ... cyas
* Re: SSH dnat
From: Arnt Karlsen @ 2002-12-01 19:16 UTC
To: netfilter
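Two of the checks raised in the replies above (Jeroen's "is the server really listening on 2323?" and hard__ware's "does the SSH server have a default route back through the gateway?") can be scripted. The following is an added example written for this page, not code posted by anyone in the thread. It runs the checks against constructed sample output modelled on `netstat -l --inet -n` and `route -n`, so it works offline; on a real server you would feed it the live command output instead. The address 192.0.2.10 stands in for the thread's `internal_IP` and 192.0.2.1 for the firewall's LAN address; both are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check the two conditions a DNAT target
# host must meet, against constructed sample output so the script runs offline.

# Constructed sample of "netstat -l --inet -n" on the internal ssh server.
# Note sshd listens on 22, not on 2323 as Ronny's DNAT rule expects.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Constructed sample of "route -n" on the same host; 192.0.2.1 is the firewall.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0'

# listening_on_port PORT NETSTAT_TEXT: exit 0 if a TCP socket in LISTEN state
# is bound to PORT on any local address, 1 otherwise.
listening_on_port() {
  port="$1"; text="$2"
  printf '%s\n' "$text" | awk -v p="$port" '
    $1 == "tcp" && $NF == "LISTEN" {
      n = split($4, a, ":")        # "0.0.0.0:22" -> a[n] is the port
      if (a[n] == p) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# default_gateway ROUTE_TEXT: print the gateway of the default (0.0.0.0) route.
default_gateway() {
  printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# check_forward PORT GATEWAY: both conditions, with a reason on failure.
# Returns 0 only when the DNAT target can actually answer through the firewall.
check_forward() {
  port="$1"; gw="$2"; ok=0
  if listening_on_port "$port" "$SAMPLE_NETSTAT"; then
    echo "ok: a TCP service listens on port $port"
  else
    echo "FAIL: nothing listens on port $port (a DNAT to it gets no answer)"; ok=1
  fi
  if [ "$(default_gateway "$SAMPLE_ROUTE")" = "$gw" ]; then
    echo "ok: default route goes via $gw"
  else
    echo "FAIL: default route is not via $gw (replies would bypass the firewall)"; ok=1
  fi
  return $ok
}

# Ronny's rule forwards to internal_IP:2323, Jeroen's to port 22.
check_forward 2323 192.0.2.1 || echo "=> DNAT to port 22, or make sshd listen on 2323"
check_forward 22 192.0.2.1
```

The port check is the one that fails for the rule in the original post, which matches the symptom of a timeout rather than a refusal only if a filter drops the SYN; on an unfiltered host the kernel would answer with a RST, so a timeout is itself a hint that the packet never reached the server or its reply never came back.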
On Sun, 1 Dec 2002 15:52:02 +0100,
"Ambor" <ambor@alternity.net> wrote in message
<000801c29949$359d2a70$02a8a8c0@hades>:
> Hello everyone,
>
> I'm trying to DNAT SSH through the firewall to an internal machine.
> I use the following rule:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2323 -j DNAT
> --to-destination internal_IP:2323
>
> eth0 is connected to the internet.
>
> The problem is that the connection is all right; it just seems that I
> don't get an answer from the ssh server. (I'm getting a connection
> timeout, not a connection refused.)
>
> To be sure, I don't filter anything, so all traffic is accepted.
..you and your internet ssh customers have ssh on port 2323 and not 22?
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* NAT + PSD
From: Alexandre @ 2002-12-03 14:19 UTC
Cc: netfilter
Hi all,
I installed the new iptables version 1.27a to use PSD support,
but my network stopped doing NAT ...
When I go back to the 1.26 version, NAT works OK!
Has anyone had problems with iptables not doing NAT with PSD ???
Thanks a lot,
Alexandre
* Re: SSH dnat
From: Andrew Magnus @ 2002-12-03 20:48 UTC
To: netfilter
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2323 -j DNAT --to-destination internal_IP:2323
...also needs...
iptables -t nat -A POSTROUTING -s internal_IP -p tcp --sport 2323 -j SNAT --to-source external_IP:2323
Otherwise, you've only got traffic going one way: into the ssh server.
If you're dealing with a dynamic IP address on your external interface, you should instead use:
iptables -t nat -A POSTROUTING -s internal_IP -o eth0 -p tcp --sport 2323 -j MASQUERADE
Hope that helps.
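The thread's setup can be written as one reviewable rule set. The script below is an added example for this page, not code from any poster: it keeps the PREROUTING DNAT, restricts the FORWARD chain to that single flow with connection-tracking state instead of accepting all traffic, and masquerades only the LAN's own outbound connections. It relies on netfilter's connection tracking to reverse the DNAT mapping on the reply packets of the same connection, so no separate rule is added for them; that is a design choice of this example. The values WAN_IF, EXT_PORT, INT_HOST (192.0.2.10 in place of the thread's `internal_IP`), INT_PORT and LAN_NET are constructed placeholders, and the script prints the commands rather than executing them.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables rule set that forwards
# one external TCP port to one internal host and opens nothing else.
# All values are constructed placeholders: 192.0.2.10 stands in for the thread's
# internal_IP, eth0 for the internet-facing interface.
WAN_IF="${WAN_IF:-eth0}"
EXT_PORT="${EXT_PORT:-2323}"       # port exposed on the firewall
INT_HOST="${INT_HOST:-192.0.2.10}" # the internal ssh server
INT_PORT="${INT_PORT:-22}"         # port sshd actually listens on there
LAN_NET="${LAN_NET:-192.0.2.0/24}" # the internal network behind the firewall

# Print the commands instead of running them; review first, then pipe to sh as root.
forward_rules() {
  cat <<EOF
# forwarding must be enabled in the kernel, otherwise FORWARD is never consulted
sysctl -w net.ipv4.ip_forward=1
# default deny for traffic crossing the firewall; the flow below is opened explicitly
iptables -P FORWARD DROP
# rewrite the destination before routing; replies of the same connection are
# translated back by connection tracking, so they need no rule of their own
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $INT_HOST:$INT_PORT
# allow only the forwarded flow in, and only its replies back out
iptables -A FORWARD -i $WAN_IF -p tcp -d $INT_HOST --dport $INT_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $WAN_IF -s $INT_HOST -p tcp --sport $INT_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
# hide the LAN's own outbound connections behind the firewall's (possibly dynamic) address
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

forward_rules
```

The nat table is only consulted for the first packet of a connection, so the MASQUERADE rule never touches the replies of the DNAT'd SSH session; it only affects connections the LAN hosts open themselves. Note the DNAT target port is INT_PORT (22 by default), which avoids the mismatch between the exposed port and the port sshd actually listens on.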