home network gateway and accessing sshd from outside

hm2k · 08-25-2006, 09:02 AM

I have followed the guide located here: linuxselfhelp.com/HOWTO/mini/Home-Network-mini-HOWTO.html

I'm using CentOS4, and it doesn't appear to use ipchains, i'm using iptables instead.

I also had a look at this "home networking/gateway" guide: newbiedoc.sourceforge.net/networking/homegateway.html along with a few others.

You will notice that in section 10 of that guide it has a startup script, but that uses ipchains not iptables, I would like to beable to have a startup script that uses iptables.

Eventually (using 2 network cards) I have it working, and I can use the linux box as a gateway for my network machines.

My problem is that I wish to beable to do the following:

1, Access the server via ssh and ftp from the outside world.
2, Forward port 5900 (for vnc) on the external ip to a machine on the LAN.

I have tried to setup iptables to do it, but whenever I try and ssh I get: ssh: connect to host x.x.x.x port 22: Connection refused

What can I do to achieve the above?

Thanks.

btmiller · 08-26-2006, 02:50 PM

To get SSH working you need to both allow incoming requests with a destination port (dport) of 22 and outgoing requests from your box with source port (sport) of 22. Something like:

iptables -A INPUT -p tcp -d <your IP> --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 22 -j ACCEPT

This allows all incoming port 22 requests and related outgoing requests. You might want to filter incoming requests by IP address.

For forwarding VNC, you need to use DNAT, see this page for some details on how to do that.

hm2k · 08-27-2006, 07:29 AM

I ran:

Code:

iptables -A INPUT -p tcp -d $myip --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 22 -j ACCEPT

But now I seem to get:

ssh: connect to host $myip port 22: Operation timed out

This is the gateway script I run at startup:

Code:

/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F #ignore if you get an error here
/sbin/iptables -X #deletes every non-builtin chain in the table

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
# only if both of the above rules succeed, use
/sbin/iptables -P INPUT DROP

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# use this line if you have a static IP address from your ISP
# replace your static IP with x.x.x.x
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $myip

# use this line only if you have dynamic IP address from your ISP
#/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

/sbin/iptables -A FORWARD -i eth0 -o eth0 -j REJECT

Is there any reason why it may not be working?

btmiller · 08-27-2006, 03:30 PM

Is eth0 your internal network interface and eth1 the external interface? Can you show the results of iptables -L so we can see the complete ruleset?

hm2k · 08-27-2006, 07:12 PM

That would be incorrect.

eth0 is my external, eth1 is my internal...

Code:

[root@lemon init.d]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:C0:DF:24:EF:1F
          inet addr:[removed-ip]  Bcast:[removed-ip]  Mask:255.255.255.248
          inet6 addr: fe80::2c0:dfff:fe24:ef1f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:510435 errors:0 dropped:0 overruns:0 frame:0
          TX packets:745038 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:109359213 (104.2 MiB)  TX bytes:476156358 (454.0 MiB)
          Interrupt:11 Base address:0xc400

eth1      Link encap:Ethernet  HWaddr 00:C0:49:A7:11:84
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::2c0:49ff:fea7:1184/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:757080 errors:0 dropped:0 overruns:0 frame:0
          TX packets:518537 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:477492263 (455.3 MiB)  TX bytes:110618642 (105.4 MiB)
          Interrupt:10 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1242 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1242 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:131079 (128.0 KiB)  TX bytes:131079 (128.0 KiB)

Also see my route:

Code:

[root@lemon init.d]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
[removed-ip]  *               255.255.255.248 U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         [removed-ip]  0.0.0.0         UG    0      0        0 eth0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

FerkoPica · 08-28-2006, 03:35 PM

Hi, i've got similar problem: my IP is reachable from internet(web site shows) but name address not!(cannot connect) I have DNS on local network working ok, firewall is configured for allowed traffic for port 80 (i has used this iptables commands on this thread). Needs to be reconfigured DNS system or etc. Thanx and sorry for intermission.

hm2k · 08-29-2006, 09:14 AM

I have discovered that it could be something to do with my Netgear DG834G router, or my ISP which is eclipse.net.uk...

I discovered this by pointing an external IP (on my router) to a windows machine running windrop which listens on port 3333, I could not reach port 3333 from the outside world.

hm2k · 10-02-2006, 05:19 PM

I have fortunatly resolved this issue by downgrading to v2 of the firmware for my router.

Netgear are useless, so if you need help with a DG834G let me know.