LinuxQuestions.org

SSH tunnel or Iptables forwarding (https://www.linuxquestions.org/questions/linux-networking-3/ssh-tunnel-or-iptables-forwarding-333083/)

jatro 06-13-2005 10:19 AM

SSH tunnel or Iptables forwarding
 
Hi,

I am trying to make an SSH connection from IP 63.12.12.12 to an internal PC, but I have to pass through a firewall.

Internet                     Firewall                      Internal
*-------------------*        *--------------------*        *-------------------*
|                   |        | EXTIP: 82.14.14.14 |        |                   |
| ip: 63.12.12.12   |  -->   | INTIP: 192.168.1.2 |  -->   | ip: 192.168.1.5   |
|                   |        |                    |        |                   |
|                   |        | sshd port: 2222    |        | sshd port: 22     |
|                   |        |                    |        |                   |
*-------------------*        *--------------------*        *-------------------*

I tried first with an SSH tunnel, but it works only from the internal network
(ssh -p 2222 -N -g -f -L 6789:192.168.1.5:22 root@82.14.14.14). I tried to add the following rule to the firewall script, but I always get that the connection timed out: iptables -A INPUT -i eth1 -p udp --dport 6789 -j ACCEPT (eth1 is the firewall NIC on the internet side).

I presume that the timed-out connection is caused by a firewall rule. What do I have to add, or is it better to work with iptables port forwarding? (iptables -t nat -A PREROUTING -p tcp --dport 6789 -j DNAT --to 192.168.1.5:22)

There is also an SSH daemon running on the firewall.

Regz,

JP6

acid_kewpie 06-13-2005 12:44 PM

My real understanding of SSH tunnels isn't too hot, but you need a port available on the firewall to go through, which you've not mentioned. You'd then need to run your internal SSH port on that open port number. Maybe port 80, 25 or 443 are accessible through the firewall? If so, set up sshd_config on the internal machine to listen on that port too. In reality though, this isn't actually using a tunnel at all, just changing the port number. Seems to be what you want though.

jatro 06-13-2005 04:39 PM

Chris,

Sorry, but I didn't mention the port in my text. The tunnel is created with 'ssh -p 2222 -N -g -f -L 6789:192.168.1.5:22 root@82.14.14.14'. So on the firewall I have an input port 6789, and this should be forwarded to the internal PC 192.168.1.5:22 (the sshd of this PC). I don't encounter problems if I try to connect from e.g. 192.168.1.6 (another internal PC) via 'ssh -p 6789 root@82.14.14.14'; I am redirected immediately to 192.168.1.5.

There is an SSH daemon running on the firewall (port 2222).

TNX,

JP6

Dr. Psy 06-13-2005 08:10 PM

# if you have a webserver internally behind firewall box, forward external http requests to internal web server
# by uncommenting the rules below: (note: this can be done for other servers/services as well.)
# Internal requests made by network machines can be made through a proxy if you do not have a DNS server.
#iptables -A PREROUTING -t nat -p tcp --destination-port 80 -j DNAT -i eth0 -d 24.17.27.103 --to-destination 192.168.0.4:80
#iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.4 -j ACCEPT

# Allow internal webserver to respond to external http requests
# by uncommenting the rule below:
#iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.4 -j SNAT --to-source 24.17.27.103

jatro 06-14-2005 02:39 AM

Dr. Psy,

I tried your proposal, but without positive changes. I had to replace eth0 with eth1 and vice versa because eth1 is the internet-side NIC. This is what I added. I killed the process 'ssh -p 2222 -N -g -f -L 6789:192.168.1.5:22 root@82.14.14.14' first.

This is what I tried.

iptables -A PREROUTING -t nat -p tcp --destination-port 6789 -j DNAT -i eth1 -d 82.14.14.14 --to-destination 192.168.1.5:22
iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.1.5 -j ACCEPT

# Allow internal webserver to respond to external http requests
# by uncommenting the rule below:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.5 -j SNAT --to-source 82.14.14.14

Regz,

JP6
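The DNAT approach from the two posts above, as an added example that is not part of the thread: a small POSIX shell generator that prints the iptables commands for the thread's topology (eth1 on the internet side, eth0 on the LAN side, as stated above) so they can be reviewed before being piped to sh as root. Compared with the posted rules it limits FORWARD to sshd's port on the target, adds the ESTABLISHED,RELATED return rule that a DROP-policy FORWARD chain needs, and marks the SNAT rule as optional; the subcommand names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands for review;
# apply with:  sh this.sh print | sudo sh     (addresses are the thread's own)
EXT_IF=eth1             # firewall NIC on the internet side
INT_IF=eth0             # firewall NIC on the LAN side
EXT_IP=82.14.14.14      # firewall public address
TARGET=192.168.1.5      # internal sshd host
TARGET_PORT=22
PUB_PORT=6789           # port remote clients connect to on the firewall

# Core rules: DNAT the public port, then let only that flow and its replies through.
dnat_rules() {
    # 1. Rewrite the destination before routing; -i/-d keep the rule off the LAN side.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport $PUB_PORT -j DNAT --to-destination $TARGET:$TARGET_PORT"
    # 2. Forward only new connections to sshd on the target, not to every port on the host.
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $TARGET --dport $TARGET_PORT -m state --state NEW -j ACCEPT"
    # 3. Replies must be allowed back out; if FORWARD's policy is DROP and this is missing,
    #    the SYN reaches the host but the handshake never completes (client sees a timeout).
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# The thread's SNAT rule. Conntrack un-NATs replies to the DNATed flow by itself, so this is
# not needed for the forward to work; it only gives $TARGET's own outbound traffic the
# public address. Leave it out unless that is actually wanted.
outbound_snat_rule() {
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $TARGET -j SNAT --to-source $EXT_IP"
}

# Verification: the pkts/bytes counters show whether traffic reaches the DNAT rule at all
# (firewall problem) or passes it and still fails (target host down, as in this thread).
show_rules() {
    iptables -t nat -L PREROUTING -n -v --line-numbers
    iptables -L FORWARD -n -v --line-numbers
}

case "${1:-print}" in
    print)      dnat_rules ;;
    print-snat) dnat_rules; outbound_snat_rule ;;
    show)       show_rules ;;
esac
```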

jatro 06-15-2005 03:07 AM

Dr. Psy,

We did your proposal over. The remote machine wasn't available. You were RIGHT. Tnx 4 the info.

Regz,

JP6
