Since I lost the preceding e-mails I'm guessing that you are wanting
to forward ssh through your firewall to your desktop.  Here's an article
that might help... might not.  Title: "SSH Port Forwarding".  Written for a
Usenix Conf in 2000.
http://www.usenix.org/publications/library/proceedings/als2000/full_papers/orr/orr_html/

James



On Mon, 27 May 2002 17:46:35 -0700
ajax <[EMAIL PROTECTED]> wrote:

> Thanks for the reply.  I'm still not getting anywhere.  I'm trying to
> forward port 23 on my gateway to port 22 on my desktop.  I'm trying to
> do this internally first.  Once I get this working, I'll switch so it
> forwards external connections.
> When I run this I get multiple s flags not allowed.
> Now instead of connection refused, connection attempts just hang.
> This is my current script:
> 
> 
> IPTABLES="/sbin/iptables"
> 
> ${IPTABLES} -A INPUT -i eth0 -j ACCEPT
> 
> ${IPTABLES} -A FORWARD -p tcp -i eth0 --dport 23 -d 192.168.1.1 -j ACCEPT
> ${IPTABLES} -A FORWARD -p udp -i eth0 --dport 23 -d 192.168.1.1 -j ACCEPT
> 
> ${IPTABLES} -t nat -A PREROUTING -i eth0 -s 192.168.1.2 -d 192.168.1.1 \
>     -p tcp --destination-port 23 -j DNAT --to-destination 192.168.1.4:22
> ${IPTABLES} -t nat -A PREROUTING -i eth0 -s 192.168.1.2 -d 192.168.1.1 \
>     -p udp --destination-port 23 -j DNAT --to-destination 192.168.1.4:22
> 
> # --sport takes two dashes; a single-dash -sport is parsed as "-s port"
> # and iptables rejects it with "multiple -s flags not allowed"
> ${IPTABLES} -t nat -A POSTROUTING -s 192.168.1.4 -p tcp --sport 22 -d 192.168.1.2 \
>     -j SNAT --to-source :23
> ${IPTABLES} -t nat -A POSTROUTING -s 192.168.1.4 -p udp --sport 22 -d 192.168.1.2 \
>     -j SNAT --to-source :23
> 
> 
> On Thursday 23 May 2002 07:30 am, Pierre Fortin wrote:
> > On Thu, 23 May 2002 00:03:39 -0700 ajax <[EMAIL PROTECTED]> wrote:
> > > I'm trying to forward port 23 to one of my internal computers.  My
> > > gateway has a cable connection on eth1 (dynamic ip) and internal
> > > network on eth0 (static ip).  I keep getting connection refused. 
> > > I can ssh directly to port 23 (I moved the port) on 192.168.1.4
> > > internally but my gateway doesn't want to forward it  I'm using
> > > the following script which I modified from the bastille website
> > > (its located
> > > at/etc/Bastille/firewall.d/pre-audit.d/portforward.sh):
> > >
> > > IP_FORWARDS="eth1-0.0.0.0-23-tcp-192.168.1.4-23
> > > eth1-0.0.0.0-23-udp-192.168.1.4-23
> > > eth0-0.0.0.0-23-tcp-192.168.1.4-23
> > > eth0-0.0.0.0-23-udp-192.168.1.4-23"
> > >
> > >   for fw_rule in ${IP_FORWARDS} ; do
> > >     # ugly awk hack
> > >     fw_iface=`echo "$fw_rule" | awk -F\- '{print $1}'`
> > >     fw_inaddr=`echo "$fw_rule" | awk -F\- '{print $2}'`
> > >     fw_inport=`echo "$fw_rule" | awk -F\- '{print $3}'`
> > >     fw_inproto=`echo "$fw_rule" | awk -F\- '{print $4}'`
> > >     fw_outaddr=`echo "$fw_rule" | awk -F\- '{print $5}'`
> > >     fw_outport=`echo "$fw_rule" | awk -F\- '{print $6}'`
> > >     if [ -n "${fw_iface}" ]; then
> > >       # we have an interface specified
> > >       ${IPTABLES} -A PREROUTING -t nat -i $fw_iface -d $fw_inaddr \
> > >         -p tcp --destination-port $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
> > >       ${IPTABLES} -A PREROUTING -t nat -i $fw_iface -d $fw_inaddr \
> > >         -p udp --destination-port $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
> > >     else
> > >       # apply forward to all interfaces
> > >       ${IPTABLES} -A PREROUTING -t nat -d $fw_inaddr \
> > >         -p tcp --destination-port $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
> > >       ${IPTABLES} -A PREROUTING -t nat -d $fw_inaddr \
> > >         -p udp --destination-port $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
> > >     fi
> > >   done
> >
> > A quick glance shows one major difference from what I use in my
> > honeyport** script...  Here's a clue:
> >
> > iptables -t nat -${ACTION} PREROUTING -s ${ATTACKER} -p tcp --dport ${ATTACKER_PORT} \
> >   -j DNAT --to-destination ${MY_IP}:${HONEYPORT}
> > iptables -t nat -${ACTION} POSTROUTING -s ${MY_IP} -d ${ATTACKER} -p tcp --sport ${HONEYPORT} \
> >   -j SNAT --to-source :${ATTACKER_PORT}
> >
> > Note the use of POSTROUTING and SNAT for the other direction...
> >
> > ** honeyport redirects an attacker to a sticky tarpit server port
> >
> > HTH,
> > Pierre
> 
> 
> 
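The port-forward the whole thread is circling (gateway port 23 redirected to ssh on the inside desktop), as an added example that is not code from any of the posters: it builds the DNAT rule together with the FORWARD rule that has to match the packet *after* DNAT, checks the rule text for the single-dash `-sport` typo that produces the "multiple s flags" error, and only then applies it. It uses the thread's addresses (gateway 192.168.1.1, desktop 192.168.1.4, eth0 inside, eth1 cable side); the function names `port_forward_rules`, `has_sport_typo`, `lint_rules` and `apply_rules` are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Generates and lints the iptables rules
# for forwarding a port on the gateway to a host behind it, then applies them.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# port_forward_rules IFACE GW_ADDR GW_PORT DST_ADDR DST_PORT
# Prints one iptables command per line (nothing is executed here).
#  * The FORWARD rule matches the post-DNAT packet, destination DST_ADDR:DST_PORT.
#    A FORWARD rule written for GW_ADDR:GW_PORT (the pre-NAT address) never
#    matches; with a DROP policy the SYN vanishes and the client just hangs.
#  * Only TCP is forwarded: ssh does not use UDP.
#  * Replies are un-DNATed by connection tracking, so no reverse SNAT rule
#    is needed for a plain port forward.
#  * For the cable side pass eth1 and the gateway's current address; with a
#    dynamic address it is simpler to drop the -d match and rely on -i.
port_forward_rules() {
    iface=$1; gw_addr=$2; gw_port=$3; dst_addr=$4; dst_port=$5
    printf '%s\n' \
      "$IPTABLES -t nat -A PREROUTING -i $iface -p tcp -d $gw_addr --dport $gw_port -j DNAT --to-destination $dst_addr:$dst_port" \
      "$IPTABLES -A FORWARD -i $iface -p tcp -d $dst_addr --dport $dst_port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "$IPTABLES -A FORWARD -o $iface -p tcp -s $dst_addr --sport $dst_port -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# has_sport_typo CMD: succeeds (0) if CMD contains single-dash -sport/-dport.
# iptables reads "-sport 22" as "-s port" and, since -s was already given,
# fails with "multiple -s flags not allowed"; "-dport" fails the same way on -d.
has_sport_typo() {
    case " $1 " in
      *" -sport "*|*" -dport "*) return 0 ;;
      *) return 1 ;;
    esac
}

# lint_rules: read rule lines on stdin; fail if any carries the typo.
lint_rules() {
    rc=0
    while IFS= read -r line; do
        if has_sport_typo "$line"; then
            echo "BAD: $line" >&2
            rc=1
        fi
    done
    return $rc
}

# apply_rules IFACE GW_ADDR GW_PORT DST_ADDR DST_PORT: lint, then run (needs root).
apply_rules() {
    port_forward_rules "$@" | lint_rules || return 1
    port_forward_rules "$@" | sh -x
}

# Internal test from the thread: a client on the LAN hits 192.168.1.1:23.
#   port_forward_rules eth0 192.168.1.1 23 192.168.1.4 22   # review first
#   apply_rules        eth0 192.168.1.1 23 192.168.1.4 22   # then apply
```

One more thing worth checking in the Bastille list from the first message: `-d 0.0.0.0` is a single address (0.0.0.0/32), not a wildcard, so a DNAT rule carrying it never matches any real packet; use `0.0.0.0/0` or leave `-d` out and match on the interface instead.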
