iptables forwarding ssh throw firewall

telsch · 12-13-2011, 11:23 AM

hey there,

i have a problem to find out the right configuration for iptables to forward ssh throw my firewall on a other server in local net. this server use a other gw, think thats my problem. if the firewall is my gateway no problem.

here my iptable rules, that work, if my gateway is the firewall.

Code:

iptables -A INPUT -p tcp --dport ssh -i ${WAN} -j ACCEPT

iptables -A FORWARD -p tcp -i ${WAN} -o ${LAN} --dport ssh -d ${DSERVER} -j ACCEPT
iptables -A FORWARD -p tcp -i ${LAN} -o ${WAN} --sport ssh -s ${DSERVER} -j ACCEPT
iptables -t nat -A PREROUTING --dst ${WANIP} -p tcp --dport ssh -j DNAT --to-destination ${DSERVER}
iptables -t nat -A POSTROUTING -d \! ${LOCALNET} -j SNAT --to ${WANIP}

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

goossen · 12-13-2011, 05:49 PM

As far as I know, the firewall must be set as your gateway to use that configuration.

telsch · 12-14-2011, 03:56 AM

yes i know

is it possible to say on the machine with the sshd to say if come packages from outside the lan, send them back to the firewall and dont use the gateway ??

goossen · 12-14-2011, 05:23 AM

You can use a combination of iptables mangle table and ip route to mark the packets and route them according to the mark. Read on:

(Second example)

http://www.linuxhorizon.ro/iproute2.html

telsch · 12-15-2011, 09:02 AM

At moment we use this ip tables config, but on the sshd we recieve the firewall ip.

Code:

iptables -t mangle -A PREROUTING -d $WAN_IP tcp --dport ssh
iptables -t nat -A PREROUTING -j DNAT --to-destination $SSH_SERVER
iptables -t nat -A POSTROUTING -j SNAT --to-source $LAN_IP

the goal is that we see on the ssh server the ip from the client and not from the firewall. the ssh server dont have the firewall as gateway, that is the problem i have.

telsch · 03-20-2012, 06:37 AM

today tried the second example from your link, goossen.

fwmark and the ip rule, this example work if go from intra to extra. but i come fom extra and want to go to intra ssh server. i think ther must be some forwarding rules and on the ssh server to ?