10-31-2004, 08:56 AM   #1
tpe (Member; Athens, Greece; Suse Linux)
iptables/SSH port forwarding problem


Hello,
I have a strange(?) port forwarding problem.
I need to automate backups from my 5 web servers. I can back up the servers from my office (since I do not have a dedicated PC(!) for that job), but at my home office I am stuck.

The configuration:
ADSL Router <-->eth1 Linux firewall eth0<-->LAN

Now, the ADSL router is configured with 192.168.1.1 as the internal IP and the static IP I have from my provider.
The Linux firewall has 2 Ethernet cards: eth1 192.168.1.2 and eth0 192.168.0.1.
I forward all incoming connections to AAA.AAA.AAA.AAA:22 to 192.168.1.2:22 from the router's NAT table, where AAA is the static IP of the ADSL router.
In the Linux firewall I have the following lines inside the iptables rules file:
Code:
EXTINT="eth1"                   # Internet connected interface
LOOPBACK_INTERFACE="lo"         # local naming convention
LCINT="eth0"                    # LAN Connector

IPADDR="192.168.0.1"
LCLAN="192.168.0.0/16"

LOOPBACK="127.0.0.0/8"                  # reserved loopback address range
echo -n "  -Reset iptables..."
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo "$rc_done"

#FULL NAT.
echo -n "  -NAT..."
iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 192.168.0.0/16 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o $EXTINT -j MASQUERADE

##SSH SERVER Forward!
iptables -t nat -A PREROUTING -i $EXTINT -p tcp --dport 22 -j DNAT --to 192.168.0.1:22
iptables -A FORWARD -i $EXTINT -o $LCINT -d 192.168.0.1 -p tcp --dport 22 -j ACCEPT
##SSH server end
echo "$rc_done"
Theoretically, I should be able to ssh to my firewall using ssh xxx.xxx.xxx.xxx -l username, but instead of the password prompt I get a "Connection timed out" message.

If I delete the port forward rule from the ADSL router's NAT table I get a "connection refused" reply. Thus the problem is not the router. The sshd is accepting connections from any host, the host.allow file is the default (any:any), so I suppose that the problem is in the iptables configuration. I would be very grateful if someone could help me...

Thank you in advance,
Peter

PS: (I know that I have to improve my English.)
 
10-31-2004, 09:43 AM   #2
Mara (Moderator; Grenoble; Debian)
Are you trying to ssh to the server from the local network or from outside? If from local, try to ssh to 192.168.1.2. With the current rules (you forward only connections from outside) it looks like the only way.
 
10-31-2004, 02:49 PM   #3
tpe (Original Poster)
I try from the outside. From the local LAN I can ssh to the firewall (we are talking about a headless PC). I just didn't post the other rules about the local traffic.

A small note:
When I shut down the firewall (not the IP forwarding, though), I can ssh to my firewall from the Internet.
Then I tried to apply the rules one by one. No luck. It seems that I am missing something, but I do not know what.
I even added
iptables -A INPUT -i $EXTINT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -i $EXTINT -p tcp --dport 22 -j ACCEPT

No luck either.
 
10-31-2004, 03:24 PM   #4
Demonbane (LQ Guru; Sydney, Australia; Gentoo)
Why do you need to do DNAT, if 192.168.0.1 is an interface on the same box?
Nevertheless, if this is how you want to do it, you need to accept ssh connections on eth0
Code:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
or simply remove the DNAT rule and accept ssh on eth1.

The FORWARD rule for ssh you had in your first post is irrelevant (and it's wrong anyway); the connection is local to the box.

Last edited by Demonbane; 10-31-2004 at 03:26 PM.
 
11-01-2004, 03:39 AM   #5
tpe (Original Poster)
I tried that too.
I also tried
Code:
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
but no luck either. Thus, I suppose that I have to rewrite the firewall. What I cannot understand is that when I apply the same rules (the DNAT) to the FTP ports, it works fine(!!!). I know that it's not a daemon problem since I can connect to my server when the firewall is down.

BTW, why is the second rule
Code:
iptables -A FORWARD -i $EXTINT -o $LCINT -d 192.168.0.1 -p tcp --dport 22 -j ACCEPT
wrong?

Anyway, thank you for your answer...
 
11-01-2004, 04:35 AM   #6
Demonbane (LQ Guru; Sydney, Australia; Gentoo)
Because 192.168.0.1 is a local interface, it never gets to the FORWARD chain.

Is there any reason why you need to do DNAT instead of just listening on the 192.168.1.2 interface?

It'll probably help if you can post the full set of your rules.
 
11-01-2004, 04:59 AM   #7
tpe (Original Poster)
OK, but I warn you, it is a large file!
BTW, the firewall is based on an old version of the ipchains firewall that was available at www.linux-firewall-tools.com
Code:
echo "Starting server firewall..."
EXTINT="eth1"                   # Internet connected interface
LOOPBACK_INTERFACE="lo"         # local naming convention
LCINT="eth0"                    # LAN Connector

IPADDR="192.168.0.1"
LCLAN="192.168.0.0/16"

ANYWHERE="any/0"                # match any IP address
DNS_SERVER="any/0"              # everyone must have at least one

NAMESERVER_1="AAA.AAA.AAA"  

SMTP1="AAA.AAA.AAA.AAA"          
SMTP2="AAA.AAA.AAA.AAA"         

NEWS1="AAA.AAA.AAA.AAA"
NEWS2="BBB.BBB.BBB.BBB"    
PROXY="192.168.0.1"             #Proxy Server

echo "  -DNS: $NAMESERVER_1, SMTP: $SMTP1, $SMTP2"
echo "  -NEWS: $NEWS1, $NEWS2 "
echo "$rc_done"

LOOPBACK="127.0.0.0/8"                  # reserved loopback address range
CLASS_A="10.0.0.0/8"                    # class A private networks
CLASS_B="172.16.0.0/12"                 # class B private networks
CLASS_C="192.168.0.0/16"                # class C private networks
BROADCAST_SRC="0.0.0.0"                 # broadcast source address
BROADCAST_DEST="255.255.255.255"        # broadcast destination address
PRIVPORTS="0:1023"                      # well known, privileged port range
UNPRIVPORTS="1024:65534"                # unprivileged port range

NFS_PORT="2049"                         # (TCP/UDP) NFS
SOCKS_PORT="1080"                       # (TCP) Socks

XWINDOW_PORTS="6000:6063"               # (TCP) X windows
SSH_LOCAL_PORTS="1022:65535"            # port range for local clients
SSH_REMOTE_PORTS="513:65535"            # port range for remote clients

TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

echo -n "  -Reset iptables..."

iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo "$rc_done"

modprobe ip_conntrack_proto_gre
modprobe ip_nat_pptp
modprobe ip_nat_proto_gre
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

#FULL NAT.
echo -n "  -NAT..."
iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 192.168.0.0/16 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o $EXTINT -j MASQUERADE

echo "$rc_done"
##SSH SERVER Forward!
iptables -A INPUT -i $EXTINT -p tcp --dport 22 -j ACCEPT
##END SSH server

# Enable bad error message  Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
        echo 0 > $f
done

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
echo -n "  -Various protections..."
# Enable broadcast echo  Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $f
done

# LOOPBACK
# Unlimited traffic on the loopback interface.
iptables -A INPUT -i $LOOPBACK_INTERFACE  -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE  -j ACCEPT

# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
iptables -A INPUT -i $LCINT -s $LCLAN -j ACCEPT
iptables -A OUTPUT -o $LCINT -d $LCLAN -j ACCEPT
iptables -A FORWARD -s $LCLAN -d $LCLAN -j ACCEPT
echo "$rc_done"

iptables -A INPUT -s $IPADDR -j DROP
iptables -A INPUT -s $IPADDR -j LOG --log-prefix "FW: Fake In pack:"

echo -n "  -UDP NFS on external Interface..."
iptables -A INPUT -i $EXTINT -p udp --dport $NFS_PORT -j DROP
iptables -A INPUT -i $EXTINT -p udp --dport $NFS_PORT -j LOG --log-prefix "FW: In NFS:"
echo "$rc_done"

echo -n "  -UDP LAN INCOMING TRACEROUTE..."
# traceroute usually uses -S 32769:65535 -D 33434:33523
iptables -A INPUT -i $EXTINT -p udp -s 192.168.0.0/16 --sport $TRACEROUTE_SRC_PORTS -d $IPADDR --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
iptables -A INPUT -i $EXTINT -p udp --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j DROP
iptables -A INPUT -i $EXTINT -p tcp ! --syn -d $IPADDR -j ACCEPT
echo "$rc_done"

echo -n "  -DNS client (53)..."
iptables -A OUTPUT -o $EXTINT -p udp --sport $UNPRIVPORTS -d $DNS_SERVER --dport 53 -j ACCEPT
iptables -A INPUT -i $EXTINT -p udp -s $DNS_SERVER --sport 53 --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p tcp --sport $UNPRIVPORTS -d $DNS_SERVER --dport 53 -j ACCEPT
echo "$rc_done"

echo -n "  -HTTP client (80)..."
iptables -A OUTPUT -o $EXTINT -p tcp --sport $UNPRIVPORTS --dport 80 -j ACCEPT
iptables -A INPUT  -i $EXTINT -p tcp ! --syn --sport 80 --dport $UNPRIVPORTS -j ACCEPT
echo "$rc_done"

echo -n "  -HTTPS client..."
iptables -A OUTPUT -o $EXTINT -p tcp -s $IPADDR --sport $UNPRIVPORTS --destination-port 443 -j ACCEPT
iptables -A INPUT  -i $EXTINT -p tcp ! --syn --sport 443 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
echo "$rc_done"

echo -n "  -SQUID Requests..."
iptables -A INPUT  -i $EXTINT -p tcp ! --syn -s $PROXY --sport 3128 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p tcp -s $IPADDR --sport $UNPRIVPORTS -d $PROXY --dport 3128 -j ACCEPT
echo "$rc_done"

echo -n "  -SSH client (22)"
iptables -A OUTPUT -o $EXTINT -p tcp -s $IPADDR --sport $SSH_LOCAL_PORTS --dport 22 -j ACCEPT
iptables -A INPUT  -i $EXTINT -p tcp ! --syn --sport 22 -d $IPADDR --dport $SSH_LOCAL_PORTS -j ACCEPT
echo "$rc_done"

echo -n "  -OUTGOING TRACEROUTE..."
iptables -A OUTPUT -o $EXTINT -p udp --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p udp --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS -j LOG --log-prefix "FW: traceroute:"
echo "$rc_done"

echo -n "  -NEWS client (119)"
iptables -A OUTPUT -o $EXTINT -p tcp --sport $UNPRIVPORTS -d $NEWS1 --dport 119 -j ACCEPT
iptables -A INPUT  -i $EXTINT -p tcp ! --syn -s $NEWS1 --sport 119 --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p tcp --sport $UNPRIVPORTS -d $NEWS2 --dport 119 -j ACCEPT
iptables -A INPUT  -i $EXTINT -p tcp ! --syn -s $NEWS2 --sport 119 --dport $UNPRIVPORTS -j ACCEPT
echo "$rc_done"

echo -n "  -POP3, SMTP client (25, 110)"
iptables -A OUTPUT -o $EXTINT -p tcp -s $IPADDR --sport $UNPRIVPORTS -d $SMTP1 --dport 25 -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p tcp -s $IPADDR --sport $UNPRIVPORTS -d $SMTP2 --dport 25 -j ACCEPT

iptables -A INPUT  -i $EXTINT -p tcp ! --syn -s $SMTP1 --sport 25 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
iptables -A INPUT  -i $EXTINT -p tcp ! --syn -s $SMTP2 --sport 25 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTINT -p tcp -s $IPADDR --sport $UNPRIVPORTS -d $SMTP1 --dport 110 -j ACCEPT

iptables -A INPUT  -i $EXTINT -p tcp ! --syn -s $SMTP1 --sport 110 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
iptables -A INPUT  -i $EXTINT -p tcp ! --syn -s $SMTP2 --sport 110 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
#iptables -A INPUT  -i $EXTINT -p tcp ! --syn -s $SMTP3 --sport 110 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
echo "$rc_done"

iptables -A FORWARD -i $EXTINT -p tcp -d $CLIENTIP/32 --dport $CLIENTPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -p udp -d $CLIENTIP/32 --dport $EXCHANGEPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -p tcp -d $CLIENTIP/32 --dport $WEBPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -p tcp -s $CLIENTIP/32 --dport $SERVERPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -p tcp -s $CLIENTIP/32 --dport $CLIENTPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -p udp -s $CLIENTIP/32 --dport $EXCHANGEPORT -j ACCEPT
iptables -A FORWARD -i $EXTINT -p tcp -s $CLIENTIP/32 --dport $WEBPORT -j ACCEPT

iptables -A FORWARD -i $EXTINT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "$rc_done"

echo -n "  -echo-reply"
iptables -A INPUT  -i $EXTINT -p icmp --icmp-type echo-reply -d $IPADDR -j ACCEPT
iptables -A INPUT  -i $EXTINT -p icmp --icmp-type destination-unreachable -d $IPADDR -j ACCEPT
echo "$rc_done"

echo -n "  -source-quench"
iptables -A INPUT  -i $EXTINT -p icmp --icmp-type source-quench -d $IPADDR -j ACCEPT
echo "$rc_done"

echo -n "  -time-exceeded"
iptables -A INPUT  -i $EXTINT -p icmp --icmp-type time-exceeded -d $IPADDR -j ACCEPT
echo "$rc_done"

echo -n "  -parameter-problem"
iptables -A INPUT  -i $EXTINT -p icmp --icmp-type parameter-problem -d $IPADDR -j ACCEPT
echo "$rc_done"

echo -n "  -echo-request, echo-reply"
#iptables -A INPUT  -i $EXTINT -p icmp -s 192.168.0.0/16 --icmp-type echo-request -d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTINT -p icmp --icmp-type echo-request -j REJECT
iptables -A INPUT -i $EXTINT -p icmp --icmp-type echo-request -j LOG --log-prefix "FW: Input echo:"
iptables -A OUTPUT -o $EXTINT -p icmp --icmp-type echo-request -j REJECT
iptables -A OUTPUT -o $EXTINT -p icmp --icmp-type echo-request -j LOG --log-prefix "FW: Output echo:"

#iptables -A OUTPUT -o $EXTINT -p icmp -s $IPADDR --icmp-type echo-reply -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p icmp --icmp-type echo-reply -j REJECT
iptables -A OUTPUT -o $EXTINT -p icmp --icmp-type echo-reply -j LOG --log-prefix "FW: echo rpl:"
echo "$rc_done"

echo -n "  -destination-unreachable"
iptables -A OUTPUT -o $EXTINT -p icmp -s $IPADDR --icmp-type destination-unreachable -j ACCEPT
echo "$rc_done"

echo -n "  -source-quench, echo-request"
iptables -A OUTPUT -o $EXTINT -p icmp -s $IPADDR --icmp-type source-quench -j ACCEPT
#iptables -A OUTPUT -o $EXTINT -p icmp -s $IPADDR --icmp-type echo-request -j ACCEPT
echo "$rc_done"

echo -n "  -parameter-problem, time-exceeded"
iptables -A OUTPUT -o $EXTINT -p icmp -s $IPADDR --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p icmp -s $IPADDR --icmp-type time-exceeded -d 192.168.0.0/16 -j ACCEPT
echo "$rc_done"

echo -n "  -Enable logging for selected denied packets..."
iptables -A INPUT -i $EXTINT -p tcp  -j DROP
iptables -A INPUT -i $EXTINT -p tcp  -j LOG --log-prefix "FW: IN from ppp"
iptables -A INPUT -i $EXTINT -p udp --dport $PRIVPORTS -j DROP
iptables -A INPUT -i $EXTINT -p udp --dport $PRIVPORTS -j LOG --log-prefix "FW: udp priv port"
iptables -A INPUT -i $EXTINT -p udp --dport $UNPRIVPORTS -j DROP
iptables -A INPUT -i $EXTINT -p udp --dport $UNPRIVPORTS -j LOG --log-prefix "FW: udp in unpriv"
iptables -A INPUT -i $EXTINT -p icmp --icmp-type 5 -j DROP
iptables -A INPUT -i $EXTINT -p icmp --icmp-type 5 -j LOG --log-prefix "FW: icmp type 5:"
iptables -A INPUT -i $EXTINT -p icmp --icmp-type 13 -j DROP
iptables -A INPUT -i $EXTINT -p icmp --icmp-type 13 -j LOG --log-prefix "FW: icmp-type 13:"

# Drop (and log) every remaining ICMP type, 14 through 255, arriving from outside
for i in $(seq 14 255); do
  iptables -A INPUT -i $EXTINT -p icmp --icmp-type $i -j DROP
  iptables -A INPUT -i $EXTINT -p icmp --icmp-type $i -j LOG --log-prefix "FW: icmp type $i:"
done

iptables -A OUTPUT -o $EXTINT -j REJECT
iptables -A OUTPUT -o $EXTINT -j LOG --log-prefix "FW: output:"
echo "$rc_done"

echo "Finished..."
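Added example, not code from the thread: a small Python model of the Netfilter path the posted rules put an incoming SSH connection through (nat PREROUTING DNAT, then the routing decision, which sends a packet for the firewall's own 192.168.0.1 to INPUT and never to FORWARD, as Demonbane says), plus the return path, where sshd's SYN-ACK leaving on eth1 meets only the SSH client rule from post #7 and then the final REJECT. The client address and ports and the OUTPUT_FIXED rule are constructed assumptions.

```python
LOCAL_ADDRS = {"127.0.0.1", "192.168.1.2", "192.168.0.1"}   # the firewall's own addresses
def matches(rule, pkt):
    """True when every criterion in the rule (every key except 'target') matches pkt."""
    for key, want in rule.items():
        have = pkt.get(key)
        if key in ("sport", "dport"):            # single port or iptables 'lo:hi' range
            lo, _, hi = str(want).partition(":")
            if not int(lo) <= have <= int(hi or lo):
                return False
        elif key in ("src", "dst"):              # exact address, or prefix when want ends in '.'
            if not (have.startswith(want) if want.endswith(".") else have == want):
                return False
        elif key != "target" and have != want:   # iif, oif, proto, syn
            return False
    return True

def walk(chain, pkt, policy="DROP"):
    """First matching rule wins; otherwise the chain policy applies."""
    return next((r["target"] for r in chain if matches(r, pkt)), policy)
# nat PREROUTING from post #1: DNAT tcp/22 arriving on eth1 to the firewall's own 192.168.0.1
PREROUTING = [{"iif": "eth1", "proto": "tcp", "dport": 22, "target": "DNAT:192.168.0.1"}]
# FORWARD rule from post #1; consulted only when the destination is NOT a local address
FORWARD = [{"iif": "eth1", "oif": "eth0", "dst": "192.168.0.1", "proto": "tcp",
            "dport": 22, "target": "ACCEPT"}]
# INPUT rules from post #7 that can see a tcp SYN arriving on eth1, in their original order
INPUT = [{"iif": "eth1", "proto": "tcp", "dport": 22, "target": "ACCEPT"},
         {"iif": "eth1", "proto": "tcp", "target": "DROP"}]
# OUTPUT rules from post #7 that can see tcp leaving on eth1: SSH *client* traffic, then reject-all
OUTPUT = [{"oif": "eth1", "proto": "tcp", "src": "192.168.0.1", "sport": "1022:65535",
           "dport": 22, "target": "ACCEPT"},
          {"oif": "eth1", "target": "REJECT"}]
# Assumed fix, not from the thread: let sshd's replies (source port 22, not a bare SYN) out on eth1
OUTPUT_FIXED = [{"oif": "eth1", "proto": "tcp", "src": "192.168.0.1", "sport": 22,
                 "syn": False, "target": "ACCEPT"}] + OUTPUT

def inbound(pkt):
    """Internet -> firewall: nat PREROUTING, routing decision, then INPUT or FORWARD."""
    pkt = dict(pkt)
    target = walk(PREROUTING, pkt, policy="ACCEPT")
    if target.startswith("DNAT:"):
        pkt["dst"] = target[len("DNAT:"):]
    if pkt["dst"] in LOCAL_ADDRS:                # local delivery: FORWARD is never visited
        return "INPUT", walk(INPUT, pkt)
    pkt["oif"] = "eth0" if pkt["dst"].startswith("192.168.0.") else "eth1"
    return "FORWARD", walk(FORWARD, pkt)

def reply(pkt, output_chain=OUTPUT):
    """Verdict on sshd's SYN-ACK to the client as it traverses filter OUTPUT on eth1."""
    synack = {"oif": "eth1", "src": "192.168.0.1", "dst": pkt["src"], "proto": "tcp",
              "sport": pkt["dport"], "dport": pkt["sport"], "syn": False}
    return walk(output_chain, synack)

# Constructed client on TEST-NET-3 reaching the router's forwarded public port 22.
SSH_SYN = {"iif": "eth1", "src": "203.0.113.7", "dst": "192.168.1.2", "proto": "tcp",
           "sport": 40000, "dport": 22, "syn": True}
```

With the posted rules the SYN is accepted in INPUT, but the SYN-ACK is rejected in OUTPUT, which is what the client sees as a timeout; the same check run with a stateful ESTABLISHED,RELATED rule in OUTPUT would pass as OUTPUT_FIXED does.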