On Tue, May 28, 2002 at 04:26:35PM -0400, George Georgalis wrote:
> No, I want the LAN and Internet connections to :50422 to NAT to
> 192.168.0.1:22 but this command from the LAN hangs...
> ssh -p50422 [EMAIL PROTECTED]
> and there is no connection recorded in the 192.168.0.1 log. I'm
> at a loss. Here's the present script:

Ah, OK. Have you read this yet?

http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html

Ramin

>
> LANIF=eth0
> EXTIF=eth1
> TCP_OPEN="22,25,53,80,113,50422"
> UDP_OPEN="22,53"
>
> iptables -P INPUT DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp -m multiport --dport $TCP_OPEN -j ACCEPT
> iptables -A INPUT -i $EXTIF -m state --state NEW -p udp -m multiport --dport $UDP_OPEN -j ACCEPT
> iptables -A INPUT -i $LANIF -m state --state NEW -j ACCEPT
> iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
> iptables -A INPUT -j LOG --log-prefix "INPUT-DROP "
> iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -i $LANIF -o $EXTIF -j ACCEPT
> iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $EXTIF -m state --state RELATED -j ACCEPT
> iptables -A FORWARD -i $EXTIF -o $LANIF -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i $LANIF -o $LANIF -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -j LOG --log-prefix "FORWARD-DROP "
>
> iptables -t nat -A PREROUTING -p tcp --dport 50422 -j DNAT --to-destination 192.168.0.1:22
> iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> iptables -P OUTPUT ACCEPT
>
>
> Thanks for your help!
>
> // George
>
> --
> GEORGE GEORGALIS, System Admin/Architect cell: 347-451-8229
> Security Services, Web, Mail, mailto:[EMAIL PROTECTED]
> File, Print, DB and DNS Servers. http://www.galis.org/george
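
The case the linked HOWTO section covers (DNAT onto the same network) applied to the script above, as an added example that is not part of the thread or George's script: the NAT and FORWARD rules a LAN client needs to reach 192.168.0.1:22 through the firewall's public address. LANNET and EXTIP are assumed placeholders; everything else reuses the names from the quoted script.

```sh
#!/bin/sh
# Added example, not George's script: DNAT to an internal sshd plus the
# rules a LAN client needs when it connects via the firewall's public
# address. With DNAT alone the LAN client sends SYN to EXTIP:50422, the
# firewall rewrites it to 192.168.0.1:22, but 192.168.0.1 sits on the
# client's own subnet and answers it directly from 192.168.0.1:22. The
# client expected a reply from EXTIP:50422, drops it and retransmits, so
# the session hangs and sshd never logs a completed connection.
# Masquerading the hairpinned flow on the LAN side makes 192.168.0.1
# answer the firewall instead, where conntrack undoes both rewrites.

LANIF=${LANIF:-eth0}
EXTIF=${EXTIF:-eth1}
LANNET=${LANNET:-192.168.0.0/24}   # assumed LAN subnet
EXTIP=${EXTIP:-203.0.113.10}       # placeholder public address of $EXTIF
SSHHOST=192.168.0.1
SSHPORT=22
FWPORT=50422
IPT=${IPT:-iptables}               # IPT=echo gives a dry run

nat_rules() {
    # Rewrite only connections aimed at the public address, so a LAN host
    # talking to some other server on port 50422 is not hijacked.
    "$IPT" -t nat -A PREROUTING -d "$EXTIP" -p tcp --dport "$FWPORT" \
        -j DNAT --to-destination "$SSHHOST:$SSHPORT"
    # Hairpin: a LAN-originated flow that was just DNATed leaves through
    # LANIF again; give it the firewall's LAN address as its source.
    "$IPT" -t nat -A POSTROUTING -o "$LANIF" -s "$LANNET" -d "$SSHHOST" \
        -p tcp --dport "$SSHPORT" -j MASQUERADE
    # Ordinary masquerading for everything leaving to the Internet.
    "$IPT" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

forward_rules() {
    # The reply to a hairpinned flow enters on LANIF with the client's
    # random port as --dport, so rules matching "-i eth1" or "--dport 22"
    # never see it: accept ESTABLISHED/RELATED on any interface first.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$LANIF" -o "$LANIF" -d "$SSHHOST" -p tcp \
        --dport "$SSHPORT" -m state --state NEW -j ACCEPT
    "$IPT" -A FORWARD -i "$EXTIF" -o "$LANIF" -d "$SSHHOST" -p tcp \
        --dport "$SSHPORT" -m state --state NEW -j ACCEPT
}

case "${1:-}" in
    apply)   nat_rules && forward_rules ;;
    dry-run) IPT=echo; nat_rules && forward_rules ;;
esac
```

Run it with `dry-run` to print the rules, or `apply` as root to load them; the FORWARD ESTABLISHED,RELATED rule must come before the existing per-interface rules for the hairpinned replies to pass.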
