From: Marc Carter <marccarter@speakeasy.net>
To: netfilter@lists.samba.org
Subject: Re: simple, but not for me
Date: Sun, 30 Jun 2002 12:48:37 -0400
Message-ID: <3D1F3665.3020204@speakeasy.net>
In-Reply-To: 20020630132725.896984212@lists.samba.org
netfilter-request@lists.samba.org wrote:
[snip]
> This is what you need to port forward (assuming standard ports):
>
> #Forward web services to internal host
> iptables -t nat -A PREROUTING -p tcp -d $extip --dport 80 -j DNAT --to 192.168.0.8:80
>
> #Forward ssh to internal host
> iptables -t nat -A PREROUTING -p tcp -d $extip --dport 22 -j DNAT --to 192.168.0.8:22
>
> #Forward mysql to internal host
> iptables -t nat -A PREROUTING -p tcp -d $extip --dport 3306 -j DNAT --to 192.168.0.8:3306
>
> Remember to shut off the above services on your firewall box.
This last has me curious. If I shut off ssh (port 22) on the firewall,
then I can't get into it to work on it (it's headless and far far away
from a chair -- and just now what seems more important, a fan).
Right now, ssh into the firewall box from the ext_if goes straight to
one of the internal machines (but only allowed from one other trusted
machine, 1.2.3.4 in the e.g.), but an ssh request from the internal
network (into the int_if) stays on the firewall box.
Sort of looks like this:
All chains are flushed and set to default DROP.
The nat chain rules are:
# DNAT ssh arriving on the external interface from the one trusted host to the internal box
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 1.2.3.4 \
    -d my.static.ip.address -p tcp --dport 22 -j DNAT \
    --to 192.168.1.2
# SNAT the internal box's ssh replies back to the public address
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s 192.168.1.2 \
    -p tcp --sport 22 -j SNAT --to my.static.ip.address
The FORWARD chain rule allows port 22 (originating from the trusted machine)
from the firewall to the internal box and then drops the rest:
# 192.168.1.2 is the post-DNAT destination, so that is what FORWARD matches
$IPTABLES -A FORWARD -s 1.2.3.4 -d 192.168.1.2 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 22 -j DROP
And then an INPUT rule to allow getting into the box from the internal
network:
$IPTABLES -A INPUT -s $INT_NET -i $INT_IF -j ACCEPT
but disallows spoofing from the outside:
$IPTABLES -A INPUT -s $INT_NET -i $EXT_IF -j DROP
This seems to work. If anyone sees anything stupid here, let me know.
I hate being stupid.
Thanks.
m
--
Marc Carter
Assistant Professor, Itinerant Scientist,
Inveterate Skeptic, Former Surfer.
---
"You can't have a market system that really depends
on everybody behaving as saints."
------
Ken Rose, OSU's National Regulatory Research Institute
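An added example (not from this thread or from any poster in it) of the layout described above as one complete ruleset: ssh from a single trusted outside host is DNATed to an internal machine, the firewall's own sshd stays reachable from the LAN only, internal source addresses arriving on the outside interface are dropped, and connection tracking lets the replies back through a FORWARD chain whose policy is DROP. Interface names (eth0/eth1), the addresses, and the FWD_PORT knob are assumptions; setting FWD_PORT to something other than 22 (say 2222) forwards that port instead and leaves the firewall's own port 22 free for an additional INPUT rule, which addresses the "I can't get into the firewall any more" worry.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Interface names and addresses
# are placeholders (documentation/TEST-NET ranges); override them in the environment.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
EXT_IP=${EXT_IP:-203.0.113.10}      # the firewall's static public address (assumed)
INT_NET=${INT_NET:-192.168.1.0/24}
INT_SSH=${INT_SSH:-192.168.1.2}     # internal box that receives the forwarded ssh
TRUSTED=${TRUSTED:-198.51.100.7}    # the one outside host allowed to reach it (assumed)
FWD_PORT=${FWD_PORT:-22}            # external port to forward; 2222 leaves the firewall's own 22 free
IPTABLES=${IPTABLES:-iptables}      # set IPTABLES=echo to print the rules instead of loading them

apply_rules() {
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback, and replies to connections that were already accepted. Without the
    # FORWARD state rule the internal box's ssh replies die under the DROP policy.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: internal addresses never legitimately arrive on the outside interface.
    $IPTABLES -A INPUT -i "$EXT_IF" -s "$INT_NET" -j DROP
    $IPTABLES -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP

    # The firewall's own sshd stays reachable, but only from the LAN side.
    $IPTABLES -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -j ACCEPT

    # DNAT only from the trusted host. PREROUTING rewrites the destination before
    # routing, so the FORWARD rule must match the internal address, not $EXT_IP.
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -s "$TRUSTED" -d "$EXT_IP" \
        -p tcp --dport "$FWD_PORT" -j DNAT --to-destination "$INT_SSH:22"
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$TRUSTED" -d "$INT_SSH" \
        -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Outbound traffic from the LAN, source-NATed to the public address. The
    # ssh replies from $INT_SSH need no SNAT rule of their own: conntrack
    # reverses the DNAT on the way back.
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$EXT_IP"
}

# Print the rules without touching the kernel; useful for review before reloading a
# headless box you cannot walk over to.
dry_run() {
    IPTABLES=echo
    apply_rules
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) dry_run ;;
esac
```

Run it as `sh fw.sh dry-run` to see the generated commands and `sh fw.sh apply` (as root) to load them. The two state rules are the part most often missing from a default-DROP setup: DNAT and SNAT are recorded once per connection by conntrack, so the explicit `--sport 22` SNAT rule for the internal box's replies is redundant, but the FORWARD chain still needs to admit those reply packets, which is what the `ESTABLISHED,RELATED` rule does.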