Per Kauffeldt wrote:
> Hi! I'm trying to forward incoming ssh connection to my local interface
> on my firewall. (I have a dynamic ip on my internet iface so it isn't
> that funny to reconfigure ssh every time i get a new IP) But I can't get
> the portforwarding to work :( I've the following configuration:
>
>
> Local Net                   Firewall                     Internet
> 192.168.0.0/24---------eth0: 192.168.0.1
>                        eth1: dynIP (dhcp)--------->
>
> My firewall is a PII 266 running Debian2.2, kernel 2.2.17.
> (ssh is listening to 192.168.0.1 port 22)
>
> My ipchains settings are:
>
> ipchains -P forward DENY
> ipchains -A forward -s 192.168.0.1 -j MASQ
> ipchains -A forward -s 192.168.0.2 -j MASQ
> ipchains -A forward -s 192.168.0.3 -j MASQ
> (It's only three hosts that are allowed to access the internet)
get rid of the first of these. no packets originating on your firewall
host destined for the outside world will have 192.168.0.1 as a source
address. they will have the dynamic ip address as their source and so
they don't need to be masqueraded (this is the masquerading host, after
all). this may even be the cause of the demasq recursion problem you
mention below but i'm not sure about that.
> ipchains -A input -p tcp -y -i eth1 -d dynIP ssh -m 1
>
> ipmasqadm mfw -A -m 1 -r 192.168.0.1 ssh
>
>
> When I try to connect to dynIP:22 from the outside I get the following
> message in my syslog:
>
> Dec 13 03:04:57 wopr kernel: ip_input(): demasq recursion detected. Check
> masq modules configuration
>
> What does it mean? Can anyone tell me what's wrong in my configuration?
>
> Best Regards Per Kauffeldt
note: i think that what you are trying to do is very strange:
host receives a packet for itself, forwards it to the internal
lan, receives it again and finally processes it. this will slow
things down and i wouldn't be surprised if it didn't work at all
(although it probably will, of course) :)
also: even though you are portforwarding the packets to a stable ip
address, it's not a real ip address and its reply packets will be
masqueraded to the dynamic ip address. your ssh client will still have
to connect to a changing ip address so it won't recognise it as a known
host and it'll probably still ask you whether or not you really want to
connect even if you do get the portforwarding to work.
raf
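As an added example (not code from either poster), here is a DHCP-hook style script that rebuilds the ruleset raf is describing: MASQ only for .2 and .3, the marked SYN rule on eth1, and the mfw redirect to 192.168.0.1, with the current eth1 address read at runtime because a rule written with a literal dynIP goes stale on every new lease. The ifconfig output format, flushing the whole input and forward chains, and `ipmasqadm mfw -F` are assumptions; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Rebuild ipchains/ipmasqadm rules for a masquerading firewall whose
# external interface gets its address by DHCP. Intended to be called from
# the DHCP client's exit hook after each lease change.
EXT_IF=eth1
SSH_HOST=192.168.0.1                 # internal address sshd listens on
MASQ_HOSTS="192.168.0.2 192.168.0.3" # LAN hosts allowed out (.1 is the
                                     # masq host itself and needs no rule)

# Run a command, or just print it when DRY_RUN=1 (used for testing).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Current IPv4 address of an interface. ASSUMPTION: 2.2-era ifconfig
# output of the form "inet addr:1.2.3.4  Bcast:..." on the interface.
ext_ip() {
    ifconfig "$1" 2>/dev/null | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# Flush and rebuild. ASSUMPTION: these chains carry no other rules, so a
# full flush of input/forward (and of the mfw table) is acceptable here.
rebuild_rules() {
    ip="$1"
    [ -n "$ip" ] || { echo "rebuild_rules: no address for $EXT_IF" >&2; return 1; }
    run ipchains -F forward
    run ipchains -F input
    run ipchains -P forward DENY
    for h in $MASQ_HOSTS; do
        run ipchains -A forward -s "$h" -j MASQ
    done
    # Accept new SSH connections (SYN, -y) arriving on the external
    # interface for our current address and mark them (-m 1) so the
    # mfw rule below can redirect them to the internal sshd.
    run ipchains -A input -p tcp -y -i "$EXT_IF" -d "$ip" 22 -m 1
    run ipmasqadm mfw -F
    run ipmasqadm mfw -A -m 1 -r "$SSH_HOST" 22
}

# Entry point for the DHCP hook; skipped when the file is merely sourced.
if [ "${DHCP_HOOK:-0}" = 1 ]; then
    rebuild_rules "$(ext_ip "$EXT_IF")"
fi
```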
_______________________________________________
Masq maillist - [EMAIL PROTECTED]