Since I lost the preceding e-mails I'm guessing that you are wanting to forward ssh through your firewall to your desktop. Here's an article that might help... might not. Title: SSH Port Forwarding. Written for a Usenix Conf in 2000. http://www.usenix.org/publications/library/proceedings/als2000/full_papers/orr/orr_html/
James

On Mon, 27 May 2002 17:46:35 -0700 ajax <[EMAIL PROTECTED]> wrote:

> Thanks for the reply. I'm still not getting anywhere. I'm trying to
> forward port 23 on my gateway to port 22 on my desktop. I'm trying to
> do this internally first. Once I get this working, I'll switch so it
> forwards external connections.
> When I run this I get multiple s flags not allowed.
> Now instead of connection refused, connection attempts just hang.
> This is my current script:
>
> IPTABLES="/sbin/iptables"
>
> ${IPTABLES} -A INPUT -i eth0 -j ACCEPT
>
> ${IPTABLES} -A FORWARD -p tcp -i eth0 --dport 23 -d 192.168.1.1 -j ACCEPT
> ${IPTABLES} -A FORWARD -p udp -i eth0 --dport 23 -d 192.168.1.1 -j ACCEPT
>
> ${IPTABLES} -t nat -A PREROUTING -i eth0 -s 192.168.1.2 -d 192.168.1.1 -p tcp --destination-port 23 -j DNAT --to-destination 192.168.1.4:22
> ${IPTABLES} -t nat -A PREROUTING -i eth0 -s 192.168.1.2 -d 192.168.1.1 -p udp --destination-port 23 -j DNAT --to-destination 192.168.1.4:22
>
> ${IPTABLES} -t nat -A POSTROUTING -s 192.168.1.4 -p tcp -sport 22 -d 192.168.1.2 -j SNAT --to-source :23
> ${IPTABLES} -t nat -A POSTROUTING -s 192.168.1.4 -p udp -sport 22 -d 192.168.1.2 -j SNAT --to-source :23
>
> On Thursday 23 May 2002 07:30 am, Pierre Fortin wrote:
> > On Thu, 23 May 2002 00:03:39 -0700 ajax <[EMAIL PROTECTED]> wrote:
> > > I'm trying to forward port 23 to one of my internal computers. My
> > > gateway has a cable connection on eth1 (dynamic ip) and internal
> > > network on eth0 (static ip). I keep getting connection refused.
> > > I can ssh directly to port 23 (I moved the port) on 192.168.1.4
> > > internally but my gateway doesn't want to forward it. I'm using
> > > the following script which I modified from the bastille website
> > > (it's located at /etc/Bastille/firewall.d/pre-audit.d/portforward.sh):
> > >
> > > IP_FORWARDS="eth1-0.0.0.0-23-tcp-192.168.1.4-23
> > > eth1-0.0.0.0-23-udp-192.168.1.4-23
> > > eth0-0.0.0.0-23-tcp-192.168.1.4-23
> > > eth0-0.0.0.0-23-udp-192.168.1.4-23"
> > > #
> > > #
> > >
> > > for fw_rule in ${IP_FORWARDS} ; do
> > >     # ugly awk hack
> > >     fw_iface=`echo "$fw_rule" | awk -F\- '{print $1}'`
> > >     fw_inaddr=`echo "$fw_rule" | awk -F\- '{print $2}'`
> > >     fw_inport=`echo "$fw_rule" | awk -F\- '{print $3}'`
> > >     fw_inproto=`echo "$fw_rule" | awk -F\- '{print $4}'`
> > >     fw_outaddr=`echo "$fw_rule" | awk -F\- '{print $5}'`
> > >     fw_outport=`echo "$fw_rule" | awk -F\- '{print $6}'`
> > >     if [ -n "${fw_iface}" ]; then
> > >         # we have an interface specified
> > >         ${IPTABLES} -A PREROUTING -t nat -i $fw_iface -d $fw_inaddr \
> > >             -p tcp --destination-port $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
> > >
> > >         ${IPTABLES} -A PREROUTING -t nat -i $fw_iface -d $fw_inaddr \
> > >             -p udp --destination-port $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
> > >
> > >     else
> > >         # apply forward to all interfaces
> > >         ${IPTABLES} -A PREROUTING -t nat -d $fw_inaddr \
> > >             -p tcp --destination-port $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
> > >
> > >         ${IPTABLES} -A PREROUTING -t nat -d $fw_inaddr \
> > >             -p udp --destination-port $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
> > >
> > >     fi
> > > done
> >
> > A quick glance shows one major difference from what I use in my
> > honeyport** script... Here's a clue:
> >
> > iptables -t nat -${ACTION} PREROUTING -s ${ATTACKER} -p tcp --dport \
> >     ${ATTACKER_PORT} -j DNAT --to-destination ${MY_IP}:${HONEYPORT}
> > iptables -t nat -${ACTION} POSTROUTING -s ${MY_IP} -d ${ATTACKER} -p tcp \
> >     --sport ${HONEYPORT} -j SNAT --to-source :${ATTACKER_PORT}
> >
> > Note the use of POSTROUTING and SNAT for the other direction...
> >
> > ** honeyport redirects an attacker to a sticky tarpit server port
> >
> > HTH,
> > Pierre
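An added example, not code from this thread and not Bastille's or Pierre's script: a small POSIX sh helper that takes a port-forward spec in the same six-field IFACE-INADDR-INPORT-PROTO-OUTADDR-OUTPORT layout as the IP_FORWARDS entries quoted above, prints the nat PREROUTING DNAT rule plus a matching FORWARD accept, and lints a rule line for the single-dash spelling `-sport`, which getopt reads as `-s port` and iptables then rejects as "multiple -s flags not allowed". Two facts it relies on: nat PREROUTING runs before the FORWARD chain, so the FORWARD rule has to match the post-DNAT destination (192.168.1.4:22, not 192.168.1.1:23), and connection tracking reverses the DNAT on reply packets, so no POSTROUTING SNAT is emitted for a plain forward. The function names, the `-m state` match, and the convention that an inbound address of 0.0.0.0 means "any address" are this example's own assumptions. Nothing here runs iptables; the commands are printed so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread). Prints, never runs, iptables rules for
# one port-forward, and lints a rule line for the "-sport" mistake.
# Assumptions of this example: function names, the "-m state" match, and
# treating an inbound address of 0.0.0.0 as "any address" (no -d is emitted).

IPTABLES="${IPTABLES:-/sbin/iptables}"

# forward_rules IFACE INADDR INPORT PROTO OUTADDR OUTPORT
# Emits the nat PREROUTING DNAT rule and a FORWARD accept limited to the
# forwarded host and port. FORWARD sees the already-translated destination
# because nat PREROUTING runs first. Replies are un-DNATed by conntrack, so
# no POSTROUTING SNAT rule is needed for this case.
forward_rules() {
    iface=$1; inaddr=$2; inport=$3; proto=$4; outaddr=$5; outport=$6
    iopt=""
    if [ -n "$iface" ]; then iopt="-i $iface "; fi
    dopt=""
    if [ "$inaddr" != "0.0.0.0" ]; then dopt="-d $inaddr "; fi
    printf '%s -t nat -A PREROUTING %s%s-p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$IPTABLES" "$iopt" "$dopt" "$proto" "$inport" "$outaddr" "$outport"
    printf '%s -A FORWARD %s-p %s -d %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$IPTABLES" "$iopt" "$proto" "$outaddr" "$outport"
}

# rules_from_spec "IFACE-INADDR-INPORT-PROTO-OUTADDR-OUTPORT"
# Same six-field layout as the thread's IP_FORWARDS entries, split on "-"
# with IFS instead of six awk calls. An empty IFACE field means all
# interfaces. Returns 1 on a malformed spec instead of emitting a bad rule.
rules_from_spec() {
    spec=$1
    oldifs=$IFS
    IFS='-'
    set -- $spec
    IFS=$oldifs
    if [ $# -ne 6 ]; then
        echo "forward spec needs 6 fields: $spec" >&2
        return 1
    fi
    case $4 in
        tcp|udp) ;;
        *) echo "unknown protocol in spec: $4" >&2; return 1 ;;
    esac
    forward_rules "$1" "$2" "$3" "$4" "$5" "$6"
}

# lint_rule "RULE LINE"
# Flags single-dash spellings of iptables long options. getopt parses
# "-sport 22" as "-s port", which collides with the real "-s" on the same
# line; iptables reports that as "multiple -s flags not allowed".
# Returns 1 when a bad spelling is found, 0 otherwise.
lint_rule() {
    case " $1 " in
        *" -sport "*|*" -dport "*|*" -source-port "*|*" -destination-port "*|*" -to-source "*|*" -to-destination "*)
            echo "lint: single-dash long option in: $1" >&2
            return 1 ;;
    esac
    return 0
}

# Demo: the forward the thread is after (gateway port 23 -> desktop port 22),
# followed by the lint applied to the thread's POSTROUTING line (constructed
# copy of that line, with its original "-sport" kept).
rules_from_spec "eth0-0.0.0.0-23-tcp-192.168.1.4-22"
lint_rule "$IPTABLES -t nat -A POSTROUTING -s 192.168.1.4 -p tcp -sport 22 -d 192.168.1.2 -j SNAT --to-source :23" \
    || echo "fix: spell the option --sport"
```

Run it as `sh forward.sh` to see the two generated rules and the lint complaint; paste the printed rules into a firewall script only after reviewing them, and run the lint over each line of an existing script before loading it.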
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com