At 12:53 PM 1/4/2005 -0500, chuck gelm wrote:
Howdy, Y'all:
My brother and I are on separate networks (I am in Ohio and he is in Oklamoma, ~1600 miles apart). I am trying to allow my brother to 'ssh' with a host inside my LAN. On my router I am NAT'ing only port 22; via IPTABLES thusly:
# forward ssh (22) to 'server'
/usr/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 22 -j DNAT --to 192.168.0.84
/usr/sbin/iptables -t nat -A PREROUTING -i eth1 -p udp --dport 22 -j DNAT --to 192.168.0.84
I can 'ssh' into my brother's host inside his LAN, but he is NAT'ing ports 20 through 23 (ftp, ssh, & telnet). Does 'ssh' also use ports 20,21, and/or 23 ?
No. 20 and 21 are ftp. 23 is telnet. ssh uses none of them.
Do I need to NAT more ports?
No.
But you *do* (probably; actually, it depends on the rest of the ruleset) need to add an entry to the FORWARD table, one something like this:
iptables -A FORWARD -i eth1 -p tcp --dport 22 -j ACCEPT
(I infer from your DNAT rule that eth1 is your external interface.) You *probably* have a FORWARD-table rule or policy blocking all originating connections from the outside, and this rule needs to precede that one so port 22 will be an exception to it.
Were I you, I would consider modifying this rule so it only ACCEPTed ssh traffic originating from your brother's source IP address ... but you need to make your own security decisions, so I offer that only as a suggestion.
Here is my brother's portion of IPTABLES, which works remotely for me:
# forward ftp,ssh,telnet
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20:23 -j DNAT --to 192.168.0.48
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 20:23 -j DNAT --to 192.168.0.48
'man ssh' did not indicate any port numbers.
I can 'ssh' with my host via eth0, so 'ssh' is working on the intended host. Regards, Chuck
-- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.296 / Virus Database: 265.6.7 - Release Date: 12/30/2004
- To unsubscribe from this list: send the line "unsubscribe linux-newbie" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.linux-learn.org/faqs