Thanks for the reply.  I'm still not getting anywhere.  I'm trying to forward 
port 23 on my gateway to port 22 on my desktop.  I'm trying to do this 
internally first.  Once I get this working, I'll switch so it forwards 
external connections.
When I run this I get multiple s flags not allowed.
Now instead of connection refused, connection attempts just hang.
This is my current script:

IPTABLES="/sbin/iptables"

${IPTABLES} -A INPUT -i eth0 -j ACCEPT

${IPTABLES} -A FORWARD -p tcp -i eth0 --dport 23 -d 192.168.1.1 -j ACCEPT
${IPTABLES} -A FORWARD -p udp -i eth0 --dport 23 -d 192.168.1.1 -j ACCEPT

# DNAT: connections from 192.168.1.2 to the gateway on port 23 go to the desktop on port 22
${IPTABLES} -t nat -A PREROUTING -i eth0 -s 192.168.1.2 -d 192.168.1.1 -p tcp \
    --destination-port 23 -j DNAT --to-destination 192.168.1.4:22
${IPTABLES} -t nat -A PREROUTING -i eth0 -s 192.168.1.2 -d 192.168.1.1 -p udp \
    --destination-port 23 -j DNAT --to-destination 192.168.1.4:22

# SNAT for the return direction. This was written "-sport", which iptables
# parses as a second "-s" option (hence "multiple -s flags not allowed");
# the source-port match is "--sport".
${IPTABLES} -t nat -A POSTROUTING -s 192.168.1.4 -p tcp --sport 22 -d 192.168.1.2 \
    -j SNAT --to-source :23
${IPTABLES} -t nat -A POSTROUTING -s 192.168.1.4 -p udp --sport 22 -d 192.168.1.2 \
    -j SNAT --to-source :23


On Thursday 23 May 2002 07:30 am, Pierre Fortin wrote:
> On Thu, 23 May 2002 00:03:39 -0700 ajax <[EMAIL PROTECTED]> wrote:
> > I'm trying to forward port 23 to one of my internal computers.  My
> > gateway has a cable connection on eth1 (dynamic ip) and internal network
> > on eth0 (static ip).  I keep getting connection refused.  I can ssh
> > directly to port 23 (I moved the port) on 192.168.1.4 internally but my
> > gateway doesn't want to forward it  I'm using the following script which
> > I modified from the bastille website (its located at
> > /etc/Bastille/firewall.d/pre-audit.d/portforward.sh):
> >
> > IP_FORWARDS="eth1-0.0.0.0-23-tcp-192.168.1.4-23
> > eth1-0.0.0.0-23-udp-192.168.1.4-23 eth0-0.0.0.0-23-tcp-192.168.1.4-23
> > eth0-0.0.0.0-23-udp-192.168.1.4-23"
> > #
> > #
> >
> >   for fw_rule in ${IP_FORWARDS} ; do
> >     # ugly awk hack
> >     fw_iface=`echo "$fw_rule" | awk -F\- '{print $1}'`
> >     fw_inaddr=`echo "$fw_rule" | awk -F\- '{print $2}'`
> >     fw_inport=`echo "$fw_rule" | awk -F\- '{print $3}'`
> >     fw_inproto=`echo "$fw_rule" | awk -F\- '{print $4}'`
> >     fw_outaddr=`echo "$fw_rule" | awk -F\- '{print $5}'`
> >     fw_outport=`echo "$fw_rule" | awk -F\- '{print $6}'`
> >     if [ -n "${fw_iface}" ]; then
> >       # we have an interface specified
> >         ${IPTABLES} -A PREROUTING -t nat -i $fw_iface -d $fw_inaddr \
> >           -p tcp --destination-port $fw_inport -j DNAT --to
> > $fw_outaddr:$fw_outport
> >
> >         ${IPTABLES} -A PREROUTING -t nat -i $fw_iface -d $fw_inaddr \
> >            -p udp --destination-port $fw_inport -j DNAT --to
> > $fw_outaddr:$fw_outport
> >
> >
> >     else
> >       # apply forward to all interfaces
> >         ${IPTABLES} -A PREROUTING -t nat -d $fw_inaddr \
> >           -p tcp --destination-port $fw_inport -j DNAT --to
> > $fw_outaddr:$fw_outport
> >
> >
> >            ${IPTABLES} -A PREROUTING -t nat -d $fw_inaddr \
> >              -p udp --destination-port $fw_inport -j DNAT --to
> > $fw_outaddr:$fw_outport
> >
> >     fi
> >   done
>
> A quick glance shows one major difference from what I use in my
> honeyport** script...  Here's a clue:
>
> iptables -t nat -${ACTION} PREROUTING -s ${ATTACKER} -p tcp --dport \
>   ${ATTACKER_PORT} -j DNAT --to-destination ${MY_IP}:${HONEYPORT}
> iptables -t nat -${ACTION} POSTROUTING -s ${MY_IP} -d ${ATTACKER} -p tcp \
>   --sport ${HONEYPORT} -j SNAT --to-source :${ATTACKER_PORT}
>
> Note the use of POSTROUTING and SNAT for the other direction...
>
> ** honeyport redirects an attacker to a sticky tarpit server port
>
> HTH,
> Pierre
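The thread's forward is a LAN client talking to the gateway's own LAN address, which is the hairpin case: with only a DNAT rule the desktop answers the client directly from 192.168.1.4:22, the client never sent anything there, and the attempt hangs. The following is an added example (not code from either poster or from Bastille) that prints the full rule set for one forward written in the quoted "iface-inaddr-inport-proto-outaddr-outport" format, including the FORWARD rule matched on the post-DNAT destination and the hairpin SNAT; LAN_IF, LAN_NET and GW_LAN_IP are assumed values for this gateway.

```shell
#!/bin/sh
# Added example: emit (not run) the iptables commands for one Bastille-style
# forward rule so the set can be reviewed without root; pipe to sh to apply.
IPTABLES="/sbin/iptables"
LAN_IF="eth0"              # assumed: internal interface
LAN_NET="192.168.1.0/24"   # assumed: internal network
GW_LAN_IP="192.168.1.1"    # assumed: gateway address on LAN_IF

forward_rules() {
    rule=$1
    old_ifs=$IFS; IFS=-; set -- $rule; IFS=$old_ifs
    if [ $# -ne 6 ]; then
        echo "bad forward rule: $rule" >&2
        return 1
    fi
    iface=$1 inaddr=$2 inport=$3 proto=$4 outaddr=$5 outport=$6
    # In this format 0.0.0.0 means "any address on the interface"; a literal
    # "-d 0.0.0.0" would match nothing, so omit the destination match instead.
    dst=""
    [ "$inaddr" != "0.0.0.0" ] && dst=" -d $inaddr"
    # 1. Rewrite the destination before the routing decision.
    echo "$IPTABLES -t nat -A PREROUTING -i $iface$dst -p $proto --dport $inport" \
         "-j DNAT --to-destination $outaddr:$outport"
    # 2. FORWARD sees the packet after DNAT, so it must match the translated
    #    destination (outaddr:outport), not the address the client dialled.
    echo "$IPTABLES -A FORWARD -i $iface -p $proto -d $outaddr --dport $outport" \
         "-m state --state NEW -j ACCEPT"
    # 3. Hairpin: client and server on the same LAN. SNAT the client to the
    #    gateway address so the server's replies return through the gateway,
    #    where conntrack reverses both translations. Forwards arriving on the
    #    WAN side need no SNAT rule: conntrack un-DNATs the replies by itself.
    if [ "$iface" = "$LAN_IF" ]; then
        echo "$IPTABLES -t nat -A POSTROUTING -s $LAN_NET -d $outaddr -p $proto" \
             "--dport $outport -j SNAT --to-source $GW_LAN_IP"
    fi
}

# The case in the thread: LAN client -> gateway:23 -> desktop:22 (TCP only;
# SSH does not use UDP, so no UDP rule is generated).
forward_rules "eth0-0.0.0.0-23-tcp-192.168.1.4-22"
```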
