SSH Port Forwarding with IPTables & DNAT

MercurioBlue · 08-24-2006, 12:51 PM

Hi all,

I want to forward external SSH requests from a gateway server, to a content server that's inside a local network using DNAT. I'm using IPTABLES with PREROUTING but it doesn't seem to work the way I would expect it to (it blocks all SSH connections from the outside).

#!/bin/bash

/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_filter
echo "1" > /proc/sys/net/ipv4/ip_forward

# clear configuration

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F

# allow loopback connection
/sbin/iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# set up wi-line
/sbin/iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $ext_ip

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ext_ip --dport 26 -j DNAT --to 192.168.0.2:25

#forward port 22 to internal server
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.132 --dport 22 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth0 -d 192.168.0.132 --dport 22 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ext_ip --dport 22 -j DNAT --to 192.168.0.132:22
/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 -d $ext_ip --dport 22 -j DNAT --to 192.168.0.132:22

Also, on another machine (web server running Apache), I want to block all ports but 80. I tried typing this:
/sbin/iptables -P INPUT DROP

/sbin/iptables -A INPUT -s 0/0 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -i eth0 -p udp -m udp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -i eth1 -p udp -m udp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp -m udp --sport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p tcp -m tcp --sport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p udp -m udp --sport 80 -j ACCEPT

But when I start IPTables the webpage will not show up, until I shut off IPTables.

Any help would be appreciated. Thanks!

Mike

peter_robb · 08-24-2006, 07:12 PM

Most servers resolve the incoming connections to get hostnames.
You don't have any rules in the FORWARD chain to allow dns.

With FORWARD rules, don't add extra check unless they are necessary, eg,
don't specify both -i & -o interfaces. Also, -d ip numbers are unecessary as the interface has only one ip address..

Also, with an ACCEPT policy for INPUT & OUTPUT, you don't need to write ACCEPT rules (unless you have a DROP following).

When you DNAT, the port number is retained unless you specify a different one.. so --to-dest x.x.x.x:22 is unecessary.
I suggest you have a good read of the BIG Iptables tutorial

win32sux · 08-24-2006, 11:17 PM

welcome to LQ!!!

Quote:

Originally Posted by MercurioBlue

Hi all,

I want to forward external SSH requests from a gateway server, to a content server that's inside a local network using DNAT. I'm using IPTABLES with PREROUTING but it doesn't seem to work the way I would expect it to (it blocks all SSH connections from the outside).

#!/bin/bash

/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_filter
echo "1" > /proc/sys/net/ipv4/ip_forward

# clear configuration

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F

# allow loopback connection
/sbin/iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# set up wi-line
/sbin/iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $ext_ip

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ext_ip --dport 26 -j DNAT --to 192.168.0.2:25

#forward port 22 to internal server
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.132 --dport 22 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth0 -d 192.168.0.132 --dport 22 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ext_ip --dport 22 -j DNAT --to 192.168.0.132:22
/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 -d $ext_ip --dport 22 -j DNAT --to 192.168.0.132:22

Also, on another machine (web server running Apache), I want to block all ports but 80. I tried typing this:
/sbin/iptables -P INPUT DROP

/sbin/iptables -A INPUT -s 0/0 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -i eth0 -p udp -m udp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -i eth1 -p udp -m udp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp -m udp --sport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p tcp -m tcp --sport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p udp -m udp --sport 80 -j ACCEPT

But when I start IPTables the webpage will not show up, until I shut off IPTables.

Any help would be appreciated. Thanks!

Mike

i cleaned-up your port-forwarding script... try it...

make sure you replace $WAN_IP's x.x.x.x with your actual IP:

Code:

#!/bin/sh

IPT="/sbin/iptables"

WAN_IFACE="eth0"
WAN_IP="x.x.x.x"

LAN_IFACE="eth2"
LAN_NET="192.168.0.0/24"

# Disable forwarding while we set-up:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Set policies for the filter table:
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Set policies for the mangle table:
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

# Set policies for the nat table:
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

# Flush all rules:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

# Delete all user-built chains:
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

$IPT -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 22 \
-j DNAT --to-destination 192.168.0.132

$IPT -t nat -A PREROUTING -p UDP -i $WAN_IFACE --dport 22 \
-j DNAT --to-destination 192.168.0.132

$IPT -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 26 \
-j DNAT --to-destination 192.168.0.2:25

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
-m state --state NEW -j ACCEPT

$IPT -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE -d 192.168.0.132 \
--dport 22 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p UDP -i $WAN_IFACE -o $LAN_IFACE -d 192.168.0.132 \
--dport 22 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE -d 192.168.0.2 \
--dport 25 -m state --state NEW -j ACCEPT

$IPT -t nat -A POSTROUTING -o $WAN_IFACE \
-j SNAT --to-source $WAN_IP

# Enable forwarding now that we are set-up:
echo "1" > /proc/sys/net/ipv4/ip_forward

as for the web server script, try like this:

Code:

#!/bin/sh

IPT="/sbin/iptables"
WAN_IFACE="eth0"
LAN_IFACE="eth1"

# Disable forwarding because this is not a router:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Set policies for the filter table:
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

# Set policies for the mangle table:
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

# Set policies for the nat table:
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

# Flush all rules:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

# Delete all user-built chains:
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p UDP -i $WAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 80 \
-m state --state NEW -j ACCEPT

# Uncomment this if you wanna be able to SSH from the LAN:
#$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 22 \
#-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -i lo -j ACCEPT

i hope this helps... just my

... good luck...

BTW, you probably don't need those UDP rules...