I tried adding this to the nat but it didn't fix it...

iptables -t nat -A POSTROUTING -p tcp -s $LAN_host04 -j SNAT --to-source $EXT_host04

:-\

Is my masq getting in the way? What's the best way to fix?


# iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 815K packets, 38M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     $EXT_host04        anywhere            to:$LAN_host04
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:50422 to:$LAN_host04:22

Chain POSTROUTING (policy ACCEPT 5896 packets, 363K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  any    any     us04                 anywhere            to:$EXT_host04
    0     0 MASQUERADE  all  --  any    eth1    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 58945 packets, 3850K bytes)
 pkts bytes target     prot opt in     out     source               destination


Thanks,
// George


On Sun, Jun 02, 2002 at 07:21:57PM -0400, George Georgalis wrote:
>On a 2 interface firewall, I've set up an alias eth1:1 ($EXT_host04) to
>an IP on our T-1, then added a nat which should connect ports $TCP_OPEN
>and $UDP_OPEN to the internal IP ($LAN_host04).
>
>But when I go to ssh $EXT_host04 from the internet I end up talking to
>the firewall sshd, not the sshd on $LAN_host04. Why is that? Here are my
>rules:
>
>LANIF=eth0
>EXTIF=eth1
>TCP_OPEN="22,25,53,80"
>UDP_OPEN="22,53"
>
>iptables -A INPUT -m state --state ESTABLISHED,RELATED \
>-j ACCEPT
>
>iptables -A INPUT -i $EXTIF -m state --state NEW \
>-p tcp -m multiport --dport $TCP_OPEN -j ACCEPT
>
>iptables -A INPUT -i $EXTIF -m state --state NEW \
>-p udp -m multiport --dport $UDP_OPEN -j ACCEPT
>
>
>iptables -A FORWARD -i $EXTIF -o $LANIF -p tcp \
>-m multiport --dport $TCP_OPEN \
>-m state --state NEW,RELATED,ESTABLISHED \
>-j ACCEPT
>
>iptables -A FORWARD -i $EXTIF -o $LANIF -p udp \
>-m multiport --dport $UDP_OPEN \
>-m state --state NEW,RELATED,ESTABLISHED \
>-j ACCEPT
>
>
>iptables -t nat -A PREROUTING -p tcp \
>-s $EXT_host04 \
>-j DNAT --to-destination $LAN_host04
>
>iptables -t nat -A POSTROUTING -o $EXTIF \
>-j MASQUERADE
>
>
>Thanks,
>// George
>
>-- 
>GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
>Security Services, Web, Mail,            mailto:[EMAIL PROTECTED] 
>File, Print, DB and DNS Servers.       http://www.galis.org/george 
>

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:[EMAIL PROTECTED] 
File, Print, DB and DNS Servers.       http://www.galis.org/george 
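As an added example (not George's script), the port forward written so that it matches the packet's destination address, which is what a public alias needs; it keeps the post's variable names, uses two constructed placeholder addresses, and IPT defaults to printing the rules as a dry run.

```shell
#!/bin/sh
# Added example (not George's script). Same variable names as the post; the two
# addresses are constructed placeholders. IPT defaults to printing the rules so
# this is a dry run; set IPT=iptables and run as root to apply them.
IPT=${IPT:-"echo iptables"}
LANIF=eth0
EXTIF=eth1
EXT_host04=${EXT_host04:-192.0.2.4}   # constructed: the eth1:1 alias address
LAN_host04=${LAN_host04:-10.0.0.4}    # constructed: the internal host
TCP_OPEN="22,25,53,80"
UDP_OPEN="22,53"

# The posted rule matched "-s $EXT_host04", i.e. packets *from* the alias. An
# inbound ssh from the internet has the remote client as its source, so the
# rule never matched (its -vL packet counter stayed at 0), the packet kept its
# original destination and was delivered to the firewall's own sshd. A port
# forward for a public address has to match on the destination, "-d".
dnat_rules() {
    $IPT -t nat -A PREROUTING -i "$EXTIF" -d "$EXT_host04" -p tcp \
        -m multiport --dports "$TCP_OPEN" -j DNAT --to-destination "$LAN_host04"
    $IPT -t nat -A PREROUTING -i "$EXTIF" -d "$EXT_host04" -p udp \
        -m multiport --dports "$UDP_OPEN" -j DNAT --to-destination "$LAN_host04"
}

# Connection tracking undoes the DNAT on the replies by itself, so no SNAT is
# needed for forwarded-in sessions. A SNAT only matters if $LAN_host04's own
# outbound connections should leave as the alias instead of the MASQUERADE'd
# primary address; it must come before the catch-all MASQUERADE to win.
snat_rules() {
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN_host04" \
        -j SNAT --to-source "$EXT_host04"
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# After DNAT the forwarded packets are addressed to $LAN_host04; pin the
# FORWARD accepts to that host so the forward does not open the rest of the LAN.
forward_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$LANIF" -d "$LAN_host04" -p tcp \
        -m multiport --dports "$TCP_OPEN" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$LANIF" -d "$LAN_host04" -p udp \
        -m multiport --dports "$UDP_OPEN" -m state --state NEW -j ACCEPT
}

dnat_rules
snat_rules
forward_rules
```

Run it once as a dry run and compare against `iptables -t nat -vL`: after applying, the DNAT line's packet counter should start moving on the next inbound ssh.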