Linux Netfilter discussions
* (No subject header)
From: John Black @ 2004-07-28 16:01 UTC (permalink / raw)
  To: netfilter

I have a NAT question for everyone.

At work I have a single static IP address that all of the
computers in the LAN use for the outside world.  My
firewall is also acting as a DNS server.

Question 1: When I try to ssh in to a computer from the
outside world it follows the first rule.  But when I change
ssh to listen to a certain address and port it still
defaults to the first rule?

Question 2: If the DNS server was running on a server behind
the firewall, would this help solve this problem?

Thanks,
John



* Re: (No subject header)
From: Antony Stone @ 2004-07-28 21:52 UTC (permalink / raw)
  To: netfilter

On Wednesday 28 July 2004 5:01 pm, John Black wrote:

> At work I have a single static IP address that all of the
> computers in the LAN use for the outside world.  My
> firewall is also acting as a DNS server.

Okay, so you have one public IP address, and all your internal machines are 
masqueraded behind that one address for outbound connections; also your 
firewall runs DNS (although it's not clear whether you mean it runs caching 
DNS for internal clients, or also authoritative DNS for external queries 
about your domain).

> Question 1: When I try to ssh in to a computer from the
> outside world it follows the first rule.

What is "the first rule"?

> But when I change ssh to listen to a certain address and port it still
> defaults to the first rule?

What is the question here?

> Question 2: If the DNS server was running on a server behind
> the firewall, would this help solve this problem?

Don't know.  Tell us what the problem is (and what sort of DNS server you're 
running), and we might be able to think of the answer.

Posting your netfilter rules might help us understand what you're asking 
about, as well.

Regards,

Antony.

-- 
Success is a lousy teacher.  It seduces smart people into thinking they can't 
lose.

 - William H Gates III

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: (No subject header)
From: John Black @ 2004-07-30  3:09 UTC (permalink / raw)
  To: netfilter


> Okay, so you have one public IP address, and all your internal machines are
> masqueraded behind that one address for outbound connections; also your
> firewall runs DNS (although it's not clear whether you mean it runs caching
> DNS for internal clients, or also authoritative DNS for external queries
> about your domain).

I have a caching DNS server for the inside of the LAN, but external queries
are handled by the company's DNS server.

> What is "the first rule"?

iptables -t nat -A PREROUTING -d X.X.X.X -p tcp --dport 22 -j DNAT \
  --to 192.168.1.89:2222 (ares)

iptables -t nat -A PREROUTING -d X.X.X.X -p tcp --dport 22 -j DNAT \
  --to 192.168.1.90:22222 (zeus)

I assigned that workstation to listen on that port.

When I ssh into zeus from the outside world it says connecting to zeus, but
at the bash prompt it is ares.

I'm running BIND 9 on Red Hat 9.

Thanks,
John




* RE: (No subject header)
From: Jason Opperisano @ 2004-07-30  3:33 UTC (permalink / raw)
  To: John Black, netfilter

> iptables -t nat -A PREROUTING -d X.X.X.X -p tcp --dport 22 -j DNAT \
>   --to 192.168.1.89:2222 (ares)
>
> iptables -t nat -A PREROUTING -d X.X.X.X -p tcp --dport 22 -j DNAT \
>   --to 192.168.1.90:22222 (zeus)

If X.X.X.X in that first rule == X.X.X.X in that second rule--the second rule will never be matched.

You're giving netfilter 3 pieces of information to use to decide whether you have a match:

Protocol = TCP
Dest IP = X.X.X.X
Dest Port = 22

Given those conditions, how will it skip the first rule and make it to the second?

I would reverse your theory.  Let the hosts on the inside listen on the standard SSH port (TCP 22), and use different ports on the external side:

iptables -t nat -A PREROUTING -d X.X.X.X -p tcp --dport 2222 -j DNAT \
 --to 192.168.1.89:22 (ares)

iptables -t nat -A PREROUTING -d X.X.X.X -p tcp --dport 2223 -j DNAT \
 --to 192.168.1.90:22 (zeus)

And then use:  ssh -p 2222 X.X.X.X   to connect to ares
And:           ssh -p 2223 X.X.X.X   to connect to zeus

-j


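To make the first-match point above concrete, here is a small model of how netfilter walks a PREROUTING chain, added as an example and not code from the thread or from the netfilter project. It encodes John's two rules and Jason's reversed version from this thread (with X.X.X.X kept as the placeholder for the single public address) and reports which rules can never match because an earlier rule already claims the same protocol, destination address and destination port.

```python
"""Model of netfilter first-match evaluation for a PREROUTING DNAT chain.

Rules are walked in order; the first rule whose protocol, destination IP
and destination port all match wins and later rules are never consulted.
The two rule sets below are constructed from the thread: the original
(both rules match dport 22) and the reversal (distinct external ports).
"""
from collections import namedtuple

Rule = namedtuple("Rule", "proto dst dport to_addr to_port name")
Packet = namedtuple("Packet", "proto dst dport")

def first_match(rules, pkt):
    """Return the first rule matching pkt, the way iptables walks a chain."""
    for r in rules:
        if r.proto == pkt.proto and r.dst == pkt.dst and r.dport == pkt.dport:
            return r
    return None

def shadowed(rules):
    """Names of rules that can never match because an earlier rule in the
    chain has identical match criteria (proto, dst, dport)."""
    seen, dead = set(), []
    for r in rules:
        key = (r.proto, r.dst, r.dport)
        if key in seen:
            dead.append(r.name)
        seen.add(key)
    return dead

PUBLIC = "X.X.X.X"  # placeholder for the single static address, as in the thread

# Original chain from the thread: both rules match TCP to X.X.X.X:22
ORIGINAL = [
    Rule("tcp", PUBLIC, 22, "192.168.1.89", 2222, "ares"),
    Rule("tcp", PUBLIC, 22, "192.168.1.90", 22222, "zeus"),
]

# Reversed chain suggested in the thread: distinct external ports, hosts on 22
REVERSED = [
    Rule("tcp", PUBLIC, 2222, "192.168.1.89", 22, "ares"),
    Rule("tcp", PUBLIC, 2223, "192.168.1.90", 22, "zeus"),
]

def resolve(rules, port):
    """Which internal host:port does an inbound TCP connection to PUBLIC:port reach?"""
    r = first_match(rules, Packet("tcp", PUBLIC, port))
    return None if r is None else (r.name, r.to_addr, r.to_port)

if __name__ == "__main__":
    print("shadowed in original:", shadowed(ORIGINAL))   # ['zeus']
    print("ssh to :22 reaches:", resolve(ORIGINAL, 22))  # ares, every time
    print("shadowed in reversed:", shadowed(REVERSED))   # []
    print("ssh -p 2223 reaches:", resolve(REVERSED, 2223))
```

The same `shadowed` check applies to any chain where later rules repeat an earlier rule's full match key, which is worth running over a ruleset before loading it.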

* Re: (No subject header)
From: John Black @ 2004-07-30  4:00 UTC (permalink / raw)
  To: netfilter


Yes, X.X.X.X = my static IP address.

> If X.X.X.X in that first rule == X.X.X.X in that second rule--the second
> rule will never be matched.

I'll give it a try.


thanks
john




* (No subject header)
From: John Black @ 2004-11-29 23:00 UTC (permalink / raw)
  To: netfilter


 
I'm trying to set up a connection to port 3389 on a Windows
2003 server.

my server: 80.1.1.1

public IP address for Windows server: 110.20.30.15

private IP address for Windows server: 192.168.0.15


Is this right:
iptbles -t nat -A PREROUTING -d 80.1.1.1 -p tcp \
  --dport 3389 -j DNAT --to 110.20.30.15:2289
iptbles -t nat -A PREROUTING -d 110.20.30.15 -p tcp \
  --dport 3389 -j DNAT --to 192.168.0.15:2289

 




* Re: (No subject header)
From: John Black @ 2004-11-29 23:10 UTC (permalink / raw)
  To: netfilter




> You also need a forward statement
> 
> iptables -A FORWARD -d 110.20.30.15 -p tcp --dport 2289 -j
> ACCEPT

Would my server need to be in that forwarding statement?

iptables -A FORWARD -d 80.1.1.1 -p tcp --dport 3389 -j
ACCEPT

Because I want to allow only this address, 80.1.1.1, access to
this port.

> also in case it matters to you, you misspelled iptables
> below.

It was just a typo.




* Re: (No subject header)
From: Brent Clark @ 2004-11-30  7:09 UTC (permalink / raw)
  To: black; +Cc: netfilter

John Black wrote:
> I'm trying to set up a connection to port 3389 on a Windows
> 2003 server.
> 
> my server: 80.1.1.1
> 
> public IP address for Windows server: 110.20.30.15
> 
> private IP address for Windows server: 192.168.0.15
> 
> 
> Is this right:
> iptbles -t nat -A PREROUTING -d 80.1.1.1 -p tcp \
>   --dport 3389 -j DNAT --to 110.20.30.15:2289
> iptbles -t nat -A PREROUTING -d 110.20.30.15 -p tcp \
>   --dport 3389 -j DNAT --to 192.168.0.15:2289

Hi

This is my ruleset

Hope it helps

$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A PREROUTING -i eth0 -p tcp -s 1.2.3.4 --dport 3389 -j DNAT \
  --to 192.168.111.124:3389
$IPT -t filter -A FORWARD -i eth0 -p tcp -s 1.2.3.4 --dport 3389 \
  -d 192.168.111.124 -j ACCEPT

Kind Regards
Brent Clark


