[EMAIL PROTECTED] wrote:

[snip]

 > This is what you need to port forward (assuming standard ports):
 >
 > # Forward web services to internal host
 > iptables -t nat -A PREROUTING -p tcp -d $extip --dport 80 -j DNAT --to 192.168.0.8:80
 >
 > # Forward ssh to internal host
 > iptables -t nat -A PREROUTING -p tcp -d $extip --dport 22 -j DNAT --to 192.168.0.8:22
 >
 > # Forward mysql to internal host
 > iptables -t nat -A PREROUTING -p tcp -d $extip --dport 3306 -j DNAT --to 192.168.0.8:3306
 >
 > Remember to shut off the above services on your firewall box.

This last has me curious.  If I shut off ssh (port 22) on the firewall, 
then I can't get into it to work on it (it's headless and far far away 
from a chair -- and just now what seems more important, a fan).

Right now, ssh into the firewall box from the ext_if goes straight to 
one of the internal machines (but only allowed from one other trusted 
machine, 1.2.3.4 in the e.g.), but an ssh request from the internal 
network (into the int_if) stays on the firewall box.

Sort of looks like this:

All chains are flushed and set to default DROP

The nat chain rules are

$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 1.2.3.4 \
   -d my.static.ip.address -p tcp --dport 22 -j DNAT \
   --to 192.168.1.2

$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s 192.168.1.2 \
   -p tcp --sport 22 -j SNAT --to my.static.ip.address

The FORWARD chain rule allows port 22 (originating from trusted machine) 
from the firewall to the internal box and then drops the rest

$IPTABLES -A FORWARD -s 1.2.3.4 -d 192.168.1.2 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 22 -j DROP

And then an INPUT rule to allow getting into the box from the internal 
network

$IPTABLES -A INPUT -s $INT_NET -i $INT_IF -j ACCEPT

but disallows spoofing from the outside

$IPTABLES -A INPUT -s $INT_NET -i $EXT_IF -j DROP

This seems to work.  If anyone sees anything stupid here, let me know. 
I hate being stupid.

Thanks.

m



-- 
Marc Carter
Assistant Professor, Itinerant Scientist,
         Inveterate Skeptic, Former Surfer.
---
"You can't have a market system that really depends
on everybody behaving as saints."
------
Ken Rose, OSU's National Regulatory Research Institute
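The ruleset sketched in the message above, written out as one runnable script (an added example, not code from the original post or from the list). Interface names, the static address 203.0.113.10 and the 192.168.1.0/24 network are placeholders; 1.2.3.4 and 192.168.1.2 are the addresses used in the post. Two things are additions beyond what the post shows: the conntrack ESTABLISHED,RELATED rules, without which the reply packets from the internal box never get back through a default-DROP FORWARD chain, and the use of conntrack to reverse the DNAT on replies, which makes a separate SNAT rule unnecessary. The script prints the iptables commands by default; set IPTABLES=/sbin/iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original post: the ssh-forwarding firewall
# described on the list, with every variable spelled out consistently.
# All addresses and interface names below are placeholders.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="${INT_NET:-192.168.1.0/24}"
STATIC_IP="${STATIC_IP:-203.0.113.10}"   # stands in for my.static.ip.address
TRUSTED="${TRUSTED:-1.2.3.4}"            # the one outside host allowed to ssh in
SSH_HOST="${SSH_HOST:-192.168.1.2}"      # internal box that receives forwarded ssh
# Dry run by default: the commands are echoed, not executed.
# Use IPTABLES=/sbin/iptables (as root) to actually load them.
IPTABLES="${IPTABLES:-echo iptables}"

apply_rules() {
    # Flush everything and default to DROP, as the post does.
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Stateful rules (an addition, not in the post): without these the
    # replies from $SSH_HOST back to $TRUSTED hit the FORWARD default DROP.
    $IPTABLES -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: internal addresses must never arrive on the outside interface.
    $IPTABLES -A INPUT   -i "$EXT_IF" -s "$INT_NET" -j DROP
    $IPTABLES -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP

    # ssh from the trusted outside host is redirected to the internal box.
    # conntrack undoes the DNAT on the reply packets, so no SNAT rule is needed.
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -s "$TRUSTED" -d "$STATIC_IP" \
        -p tcp --dport 22 -j DNAT --to-destination "$SSH_HOST"

    # Only that forwarded connection is allowed through; everything else
    # falls to the FORWARD default DROP.
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$TRUSTED" -d "$SSH_HOST" \
        -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # The firewall box itself stays reachable from the inside only (as in the
    # post, the whole internal net is accepted); there is no INPUT rule for
    # port 22 on $EXT_IF, so outside ssh never lands on the firewall's own sshd.
    $IPTABLES -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
}

# Count generated rules matching a pattern; used to sanity-check a dry run
# before loading the set on a headless box.
count_rules() {
    apply_rules | grep -c -- "$1"
}

apply_rules
```

Run it once without IPTABLES set and read the echoed commands before pointing it at the real binary; on a remote headless box, wrapping the real run in something like `sleep 300 && iptables -F` in a background shell is the usual safety net against locking yourself out.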