Since I lost the preceding e-mails I'm guessing that you are wanting
to forward ssh through your firewall to your desktop. Here's an article
that might help... might not. Title: SSH Port Forwarding. Written for a
Usenix Conf in 2000.
http://www.usenix.org/publications/library/proceedings/als2000/full_papers/orr/orr_html/
James
On Mon, 27 May 2002 17:46:35 -0700
ajax <[EMAIL PROTECTED]> wrote:
> Thanks for the reply. I'm still not getting anywhere. I'm trying to
> forward port 23 on my gateway to port 22 on my desktop. I'm trying to
> do this internally first. Once I get this working, I'll switch so it
> forwards external connections.
> When I run this I get "multiple -s flags not allowed".
> Now instead of connection refused, connection attempts just hang.
> This is my current script:
>
> IPTABLES="/sbin/iptables"
>
> ${IPTABLES} -A INPUT -i eth0 -j ACCEPT
>
> ${IPTABLES} -A FORWARD -p tcp -i eth0 --dport 23 -d 192.168.1.1 -j ACCEPT
> ${IPTABLES} -A FORWARD -p udp -i eth0 --dport 23 -d 192.168.1.1 -j ACCEPT
>
> ${IPTABLES} -t nat -A PREROUTING -i eth0 -s 192.168.1.2 -d 192.168.1.1 \
>   -p tcp --destination-port 23 -j DNAT --to-destination 192.168.1.4:22
> ${IPTABLES} -t nat -A PREROUTING -i eth0 -s 192.168.1.2 -d 192.168.1.1 \
>   -p udp --destination-port 23 -j DNAT --to-destination 192.168.1.4:22
>
> ${IPTABLES} -t nat -A POSTROUTING -s 192.168.1.4 -p tcp -sport 22 -d 192.168.1.2 \
>   -j SNAT --to-source :23
> ${IPTABLES} -t nat -A POSTROUTING -s 192.168.1.4 -p udp -sport 22 -d 192.168.1.2 \
>   -j SNAT --to-source :23
>
> On Thursday 23 May 2002 07:30 am, Pierre Fortin wrote:
> > On Thu, 23 May 2002 00:03:39 -0700 ajax <[EMAIL PROTECTED]> wrote:
> > > I'm trying to forward port 23 to one of my internal computers. My
> > > gateway has a cable connection on eth1 (dynamic IP) and internal
> > > network on eth0 (static IP). I keep getting connection refused.
> > > I can ssh directly to port 23 (I moved the port) on 192.168.1.4
> > > internally, but my gateway doesn't want to forward it. I'm using
> > > the following script, which I modified from the Bastille website
> > > (it's located at /etc/Bastille/firewall.d/pre-audit.d/portforward.sh):
> > >
> > > # spec format: iface-addr-port-proto-destaddr-destport
> > > # 0.0.0.0/0 matches any address (a bare 0.0.0.0 would match only that host)
> > > IP_FORWARDS="eth1-0.0.0.0/0-23-tcp-192.168.1.4-23
> > > eth1-0.0.0.0/0-23-udp-192.168.1.4-23
> > > eth0-0.0.0.0/0-23-tcp-192.168.1.4-23
> > > eth0-0.0.0.0/0-23-udp-192.168.1.4-23"
> > >
> > > for fw_rule in ${IP_FORWARDS} ; do
> > >   # ugly awk hack
> > >   fw_iface=`echo "$fw_rule" | awk -F\- '{print $1}'`
> > >   fw_inaddr=`echo "$fw_rule" | awk -F\- '{print $2}'`
> > >   fw_inport=`echo "$fw_rule" | awk -F\- '{print $3}'`
> > >   fw_inproto=`echo "$fw_rule" | awk -F\- '{print $4}'`
> > >   fw_outaddr=`echo "$fw_rule" | awk -F\- '{print $5}'`
> > >   fw_outport=`echo "$fw_rule" | awk -F\- '{print $6}'`
> > >   if [ -n "${fw_iface}" ]; then
> > >     # we have an interface specified
> > >     ${IPTABLES} -A PREROUTING -t nat -i $fw_iface -d $fw_inaddr \
> > >       -p $fw_inproto --destination-port $fw_inport \
> > >       -j DNAT --to-destination $fw_outaddr:$fw_outport
> > >   else
> > >     # apply forward to all interfaces
> > >     ${IPTABLES} -A PREROUTING -t nat -d $fw_inaddr \
> > >       -p $fw_inproto --destination-port $fw_inport \
> > >       -j DNAT --to-destination $fw_outaddr:$fw_outport
> > >   fi
> > > done
> >
> > A quick glance shows one major difference from what I use in my
> > honeyport** script... Here's a clue:
> >
> > iptables -t nat -${ACTION} PREROUTING -s ${ATTACKER} -p tcp --dport ${ATTACKER_PORT} \
> >   -j DNAT --to-destination ${MY_IP}:${HONEYPORT}
> > iptables -t nat -${ACTION} POSTROUTING -s ${MY_IP} -d ${ATTACKER} -p tcp --sport ${HONEYPORT} \
> >   -j SNAT --to-source :${ATTACKER_PORT}
> >
> > Note the use of POSTROUTING and SNAT for the other direction...
> >
> > ** honeyport redirects an attacker to a sticky tarpit server port
> >
> > HTH,
> > Pierre
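The gateway:23 to 192.168.1.4:22 forward the thread is debugging, as an added example that is not code from the thread or from Bastille: a POSIX sh generator for the `iface-addr-port-proto-destaddr-destport` specs quoted above, a hairpin SNAT for the same-LAN test, and a lint for the single-dash `-sport` behind the "multiple -s flags not allowed" error. It assumes the thread's addresses (gateway 192.168.1.1, sshd on 192.168.1.4:22, LAN 192.168.1.0/24) and defaults IPTABLES to `echo iptables` so it only prints the rules.

```shell
#!/bin/sh
# Added example (not code from the thread or from Bastille). Generates the
# DNAT port-forward discussed above from a spec of the form
# "iface-addr-port-proto-destaddr-destport". IPTABLES defaults to
# "echo iptables" so this only prints rules; set IPTABLES=/sbin/iptables
# on the gateway to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# Emit the PREROUTING DNAT rule and the FORWARD rule that matches it.
gen_forward_rules() {
    IFS=- read -r iface inaddr inport proto outaddr outport <<EOF
$1
EOF
    ifarg=""; [ -n "$iface" ] && ifarg="-i $iface"
    # A bare 0.0.0.0 means only that address (/32); treat it as "any".
    dstarg=""; [ "$inaddr" != "0.0.0.0" ] && dstarg="-d $inaddr"
    # Rewrite the destination before routing ("--to-destination" then a space).
    $IPTABLES -t nat -A PREROUTING $ifarg $dstarg -p "$proto" --dport "$inport" \
        -j DNAT --to-destination "$outaddr:$outport"
    # FORWARD sees the packet after DNAT, so match the internal host:port
    # (192.168.1.4:22), not the gateway's port 23 as the quoted script does.
    $IPTABLES -A FORWARD $ifarg -p "$proto" -d "$outaddr" --dport "$outport" -j ACCEPT
    # No SNAT rule is needed for replies: conntrack reverses the DNAT itself.
}

# Hairpin case only (client and server on the same LAN, like the internal
# test from 192.168.1.2): rewrite the client's source to the gateway's LAN
# address so the server's reply returns via the gateway instead of directly.
gen_hairpin_snat() {  # args: lan_net gateway_ip proto destaddr destport
    $IPTABLES -t nat -A POSTROUTING -s "$1" -d "$4" -p "$3" --dport "$5" \
        -j SNAT --to-source "$2"
}

# Returns 1 for single-dash long options: iptables parses "-sport 22" as
# "-s port", and with an earlier -s present fails with
# "multiple -s flags not allowed" (the error reported in the thread).
lint_iptables_line() {
    case " $1 " in
        *" -sport "*|*" -dport "*|*" -to-destination "*|*" -to-source "*) return 1 ;;
    esac
    return 0
}

# Constructed specs using the thread's addresses: gateway:23 -> 192.168.1.4:22.
for spec in eth1-0.0.0.0-23-tcp-192.168.1.4-22 eth0-192.168.1.1-23-tcp-192.168.1.4-22; do
    gen_forward_rules "$spec"
done
gen_hairpin_snat 192.168.1.0/24 192.168.1.1 tcp 192.168.1.4 22
```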