Darcy Brodie, CJL wrote:
----------------->>>>
I just installed Mandrake 8.1 kernel 2.4.8 on a new firewall
(Pentium 133). I have been able to get the firewall (iptables) working,
and the freeswan connections (3 incoming ipsec connections) all working.
However, I have followed several different examples and information
that I have been able to find regarding DNAT. I need to be able to
allow access from 3 external locations to a computer behind the
firewall (192.168.1.2) via ssh, as well as ssh access into the firewall
for remote maintenance (I know that I will have to use 2 incoming
ports for this, and I was thinking of using port 2222 to be forwarded to
192.168.1.2:22, and incoming port 22 for normal ssh access to the
firewall). I do not want world access to anything behind the firewall.
Here are the rules that I have in my firewall for the DNAT:
IPTABLES=/sbin/iptables
EXTIF="eth0"
INTIF="eth1"
$IPTABLES -t nat -A PREROUTING -p tcp --dport 2222 -s a.b.c.d -j DNAT --to 192.168.1.2:22
$IPTABLES -A FORWARD -s a.b.c.d -o $INTIF -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
(note: a.b.c.d will be authorized locations on the internet for access to
192.168.1.2:22; w.x.y.z is the internet IP address of this firewall)
With this configuration, when I ssh to w.x.y.z -p 2222 I get the
following on 192.168.1.2 (this is the output from tcpdump -i eth0 on
192.168.1.2):
17:27:07.362714 a.b.c.d.62928 > 192.168.1.2.ssh: S
4248963541:4248963541(0) win 5840 <mss 1460,sackOK,timestamp 1989124
0,nop,wscale 0> (DF) [tos 0x10]
I was running tcpdump on eth0 of the a.b.c.d computer, and on eth1 of
the firewall at the same time, and I never saw any response from
192.168.1.2 coming back.
I have confirmed that I can ssh from the firewall to the 192.168.1.2
computer, and the IPs of the firewall and a.b.c.d computers are in the
hosts and hosts.allow files.
----------------->>>>
Hmm... just a quick one... the gateway of 192.168.1.2 is set to the DNATing
system, right?
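For reference, here is a complete version of the port-forwarding rule set described in the question, together with a check for the gateway question raised in the reply. This is an added example, not code from either poster; it assumes the interface names and addresses from the thread, uses a.b.c.d as a stand-in for each authorized external address, and assumes 192.168.1.1 as the firewall's own address on eth1 (the post does not state it).

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names and the
# internal host come from the post; FW_INT_IP is an assumption.
IPTABLES=/sbin/iptables
EXTIF=eth0
INTIF=eth1
INT_HOST=192.168.1.2
FW_INT_IP=192.168.1.1          # assumed firewall address on $INTIF
AUTHORIZED="a.b.c.d"           # space-separated list of allowed sources

# Print (DRY_RUN=1, the default) or execute one iptables command, so the
# rule set can be reviewed on a machine without iptables installed.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Forward external port 2222 to port 22 on the internal host, restricted to
# the authorized source addresses; port 22 on the firewall itself stays local.
build_dnat_rules() {
    for src in $AUTHORIZED; do
        run -t nat -A PREROUTING -i "$EXTIF" -s "$src" -p tcp --dport 2222 \
            -j DNAT --to-destination "$INT_HOST:22"
        run -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$src" -d "$INT_HOST" \
            -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    # Let the internal host's replies back out; nothing else is forwarded.
    run -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INT_HOST" -p tcp --sport 22 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The reply asks whether 192.168.1.2's default gateway is the firewall.
# If it is not, the SYN arrives (as the tcpdump shows) but the SYN/ACK goes
# to some other router and never traverses the DNAT box. Given the output
# of `ip route show default` from the internal host, return 0 when the
# default route points at the firewall and 1 otherwise.
gateway_is_firewall() {
    echo "$1" | grep -q "^default via $FW_INT_IP "
}

build_dnat_rules
```

Run it as-is to review the generated rules; set DRY_RUN=0 to apply them on the firewall.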