* ssh connection is not allowed in NAT, SUSE 9.2
@ 2005-07-18 13:21 Fatih TURKMEN
2005-07-19 9:06 ` Jörg Harmuth
0 siblings, 1 reply; 4+ messages in thread
From: Fatih TURKMEN @ 2005-07-18 13:21 UTC (permalink / raw)
To: netfilter
Hi everybody,
I am trying to create a small NAT network on SUSE 9.2
computers. I don't know what is missing in my iptables
policy but I have added three rules for SNAT:
1) iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
2) iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
3) iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
I stopped firewalls on local computers, and installed
ssh server/client on all computers. I can ssh to local
machines from locals. But I can't ssh to the NAT
server. Also I can only ping one computer from the NAT
server.
When I try to ssh to local clients from the NAT server I
got either "No route to host" or "Connection refused"
although I stopped firewalls on locals and set the NAT
server as the default gateway for local clients.
Any ideas? What is missing?
Thanks in advance.
Fatih TURKMEN
* Re: ssh connection is not allowed in NAT, SUSE 9.2
2005-07-18 13:21 ssh connection is not allowed in NAT, SUSE 9.2 Fatih TURKMEN
@ 2005-07-19 9:06 ` Jörg Harmuth
2005-07-19 14:59 ` R. DuFresne
2005-07-21 12:41 ` Fatih TURKMEN
0 siblings, 2 replies; 4+ messages in thread
From: Jörg Harmuth @ 2005-07-19 9:06 UTC (permalink / raw)
To: netfilter
Fatih TURKMEN wrote:
> Hi everybody,
> I am trying to create a small NAT network on SUSE 9.2
> computers. I don't know what is missing in my iptables
> policy but I have added three rules for SNAT:
>
> 1) iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 2) iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> 3) iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>
> I stopped firewalls on local computers, and installed
> ssh server/client on all computers. I can ssh to local
> machines from locals. But I can't ssh to the NAT
> server. Also I can only ping one computer from the NAT
> server.
> When I try to ssh to local clients from the NAT server I
> got either "No route to host" or "Connection refused"
> although I stopped firewalls on locals and set the NAT
> server as the default gateway for local clients.
Would you mind providing the full ruleset of your NAT box? Preferably
the output of iptables-save? A description of your network layout could
be helpful too (networks, NICs, ...). As there is "No route to host" the
routing table could give some enlightenment. There are at least two
interfaces, so: is ip-forwarding enabled? What does
    netstat -tulpn | grep ':22'
give on the respective boxes? When trying to connect via SSH to no
avail, what does
    tcpdump -ni <respective_interface>
give (try reducing other traffic)? Questions over questions :)
Have a nice time,
Joerg
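The checks requested in the reply above (interface state, ip-forwarding, the ruleset from iptables-save, a listener on port 22), as an added shell example that is not part of the original thread. It works on captured command output so it runs offline; the sample data, the function names and the order of the checks are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: offline triage of a NAT gateway from captured command output.
# Every sample value below is constructed; it is not data from the thread.

LINKS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: eth1: <BROADCAST,MULTICAST> mtu 1500 state DOWN'            # ip -o link show
NETSTAT='tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN  2211/sshd'  # netstat -tulpn
RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'                                                        # iptables-save

iface_up() {      # $1 = link listing, $2 = interface; true if the UP flag is set
    printf '%s\n' "$1" | awk -v want="$2:" '
        $2 == want { gsub(/[<>]/, ",", $3); if ($3 ~ /,UP,/) ok = 1 }
        END { exit !ok }'
}

listens_on() {    # $1 = netstat listing, $2 = TCP port; true if a LISTEN socket exists
    printf '%s\n' "$1" | awk -v re=":$2\$" '
        $1 ~ /^tcp/ && $4 ~ re && $6 == "LISTEN" { ok = 1 }
        END { exit !ok }'
}

chain_policy() {  # $1 = iptables-save text, $2 = chain; prints the chain's default policy
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# Walk the checks bottom-up and print the first one that fails.
# $1 = LAN iface, $2 = WAN iface, $3 = contents of /proc/sys/net/ipv4/ip_forward
triage() {
    for i in "$1" "$2"; do
        iface_up "$LINKS" "$i" || { echo "link-down:$i"; return 1; }
    done
    [ "$3" = 1 ] || { echo "ip_forward-off"; return 1; }
    # SSH to the gateway itself traverses INPUT, not FORWARD (policy only is checked).
    [ "$(chain_policy "$RULES" INPUT)" = ACCEPT ] || { echo "input-policy"; return 1; }
    listens_on "$NETSTAT" 22 || { echo "no-sshd-listener"; return 1; }
    echo ok
}

triage eth1 eth0 1 || true
```

On a live gateway the three variables would be filled from the real commands named in the comments.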
* Re: ssh connection is not allowed in NAT, SUSE 9.2
2005-07-19 9:06 ` Jörg Harmuth
@ 2005-07-19 14:59 ` R. DuFresne
2005-07-21 12:41 ` Fatih TURKMEN
1 sibling, 0 replies; 4+ messages in thread
From: R. DuFresne @ 2005-07-19 14:59 UTC (permalink / raw)
To: Jörg Harmuth; +Cc: netfilter
And tcpd is not getting in the way, correct?
Thanks,
Ron DuFresne
On Tue, 19 Jul 2005, Jörg Harmuth wrote:
> Fatih TURKMEN wrote:
>> Hi everybody,
>> I am trying to create a small NAT network on SUSE 9.2
>> computers. I don't know what is missing in my iptables
>> policy but I have added three rules for SNAT:
>>
>> 1) iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> 2) iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> 3) iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>>
>> I stopped firewalls on local computers, and installed
>> ssh server/client on all computers. I can ssh to local
>> machines from locals. But I can't ssh to the NAT
>> server. Also I can only ping one computer from the NAT
>> server.
>> When I try to ssh to local clients from the NAT server I
>> got either "No route to host" or "Connection refused"
>> although I stopped firewalls on locals and set the NAT
>> server as the default gateway for local clients.
>
> Would you mind providing the full ruleset of your NAT box? Preferably
> the output of iptables-save? A description of your network layout could
> be helpful too (networks, NICs, ...). As there is "No route to host" the
> routing table could give some enlightenment. There are at least two
> interfaces, so: is ip-forwarding enabled? What does
>
>     netstat -tulpn | grep ':22'
>
> give on the respective boxes? When trying to connect via SSH to no
> avail, what does
>
>     tcpdump -ni <respective_interface>
>
> give (try reducing other traffic)? Questions over questions :)
>
> Have a nice time,
>
> Joerg
>
>
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
* Re: ssh connection is not allowed in NAT, SUSE 9.2
2005-07-19 9:06 ` Jörg Harmuth
2005-07-19 14:59 ` R. DuFresne
@ 2005-07-21 12:41 ` Fatih TURKMEN
1 sibling, 0 replies; 4+ messages in thread
From: Fatih TURKMEN @ 2005-07-21 12:41 UTC (permalink / raw)
To: netfilter
Thank you guys for your replies. I got the problem. It
was because of the second network interface. Somehow
the second NIC is not working (functioning) and when I try
to bring it up, it stays down.
Now the question is what can be happening with the second
NIC?
Thanks in advance.
Fatih TURKMEN
--- Jörg Harmuth <harmuth@mnemon.de> wrote:
> Fatih TURKMEN wrote:
> > Hi everybody,
> > I am trying to create a small NAT network on SUSE 9.2
> > computers. I don't know what is missing in my iptables
> > policy but I have added three rules for SNAT:
> >
> > 1) iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > 2) iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> > 3) iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> >
> > I stopped firewalls on local computers, and installed
> > ssh server/client on all computers. I can ssh to local
> > machines from locals. But I can't ssh to the NAT
> > server. Also I can only ping one computer from the NAT
> > server.
> > When I try to ssh to local clients from the NAT server I
> > got either "No route to host" or "Connection refused"
> > although I stopped firewalls on locals and set the NAT
> > server as the default gateway for local clients.
>
> Would you mind providing the full ruleset of your NAT box? Preferably
> the output of iptables-save? A description of your network layout could
> be helpful too (networks, NICs, ...). As there is "No route to host" the
> routing table could give some enlightenment. There are at least two
> interfaces, so: is ip-forwarding enabled? What does
>
>     netstat -tulpn | grep ':22'
>
> give on the respective boxes? When trying to connect via SSH to no
> avail, what does
>
>     tcpdump -ni <respective_interface>
>
> give (try reducing other traffic)? Questions over questions :)
>
> Have a nice time,
>
> Joerg