LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Old 06-13-2005, 10:19 AM   #1
jatro
SSH tunnel or Iptables forwarding


Hi,

I am trying to make an ssh connection from ip 63.12.12.12 to an internal PC, but I have to pass through a firewall.

Internet                    Firewall                       Internal
*-----------------*        *----------------------*        *-------------------*
|                 |        | EXTIP: 82.14.14.14   |        |                   |
| ip: 63.12.12.12 |  -->   | INTIP: 192.168.1.2   |  -->   | ip: 192.168.1.5   |
|                 |        |                      |        |                   |
|                 |        | sshd port: 2222      |        | sshd port: 22     |
*-----------------*        *----------------------*        *-------------------*

I tried first with an ssh tunnel, but it works only from the internal network
(ssh -p 2222 -N -g -f -L 6789:192.168.1.5:22 root@82.14.14.14). I tried to add the following rule to the firewall script, but I always get that the connection has timed out: iptables -A INPUT -i eth1 -p udp --dport 6789 -j ACCEPT (eth1 is the firewall NIC on the internet side).

I presume that the timed-out connection is caused by a firewall rule. What do I have to add, or is it better to work with iptables port forwarding? (iptables -t nat -A PREROUTING -p tcp --dport 6789 -j DNAT --to 192.168.1.5:22)

There is also an ssh daemon running on the firewall.

Regz,

JP6

Old 06-13-2005, 12:44 PM   #2
acid_kewpie
My real understanding of ssh tunnels isn't too hot, but you need a port available on the firewall to go through, which you've not mentioned. You'd then need to run your internal ssh port on that open port number. Maybe port 80, 25 or 443 are accessible through the firewall? If so, set up sshd_config on the internal machine to listen on that port too. In reality though, this isn't actually using a tunnel at all, just changing the port number. Seems to be what you want though.
 
Old 06-13-2005, 04:39 PM   #3
jatro
Chris,

Sorry, but I didn't mention the port in my text. The tunnel is created with 'ssh -p 2222 -N -g -f -L 6789:192.168.1.5:22 root@82.14.14.14'. So on the firewall I have an input port 6789, and this should be forwarded to the internal PC 192.168.1.5:22 (the sshd of this PC). I don't encounter problems if I try to connect from e.g. 192.168.1.6 (another internal PC) via 'ssh -p 6789 root@82.14.14.14'; I am redirected immediately to 192.168.1.5.

There is an SSH daemon running on the firewall (port 2222).

TNX,

JP6
 
Old 06-13-2005, 08:10 PM   #4
Dr. Psy
# if you have a webserver internally behind firewall box, forward external http requests to internal web server
# by uncommenting the rules below: (note: this can be done for other servers/services as well.)
# Internal requests made by network machines can be made through a proxy if you do not have a DNS server.
#iptables -A PREROUTING -t nat -p tcp --destination-port 80 -j DNAT -i eth0 -d 24.17.27.103 --to-destination 192.168.0.4:80
#iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.4 -j ACCEPT

# Allow internal webserver to respond to external http requests
# by uncommenting the rule below:
#iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.4 -j SNAT --to-source 24.17.27.103
 
Old 06-14-2005, 02:39 AM   #5
jatro
Dr. Psy,

I tried your proposal, but without positive changes. I had to replace eth0 with eth1 and vice versa, because eth1 is the internet-side NIC. This is what I added. I killed the process 'ssh -p 2222 -N -g -f -L 6789:192.168.1.5:22 root@82.14.14.14' first.

This is what I tried.

iptables -A PREROUTING -t nat -p tcp --destination-port 6789 -j DNAT -i eth1 -d 82.14.14.14 --to-destination 192.168.1.5:22
iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.1.5 -j ACCEPT

# Allow internal webserver to respond to external http requests
# by uncommenting the rule below:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.5 -j SNAT --to-source 82.14.14.14

Regz,

JP6
 
Old 06-15-2005, 03:07 AM   #6
jatro
Dr. Psy,

We redid your proposal. The remote machine wasn't available. You were RIGHT. Thanks for the info.

Regz,

JP6
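As an added example that is not part of the original thread, this script emits the firewall rules for the two approaches discussed above, using the thread's addresses, ports and interface roles (eth1 = internet side, eth0 = internal side). It only prints the iptables commands unless IPTABLES=iptables is set, so it can be reviewed before anything is applied; the ESTABLISHED,RELATED rule and the conntrack matches are my additions.

```shell
#!/bin/sh
# Added example: generate (or, with IPTABLES=iptables, apply) the rules for
# forwarding external port 6789 on the firewall to 192.168.1.5:22.
# Default is a dry run that just prints each command.
IPT="${IPTABLES:-echo iptables}"

# Variant 1: keep the 'ssh -g -L 6789:192.168.1.5:22' listener running on
# the firewall. That listener is a TCP socket, so the INPUT rule that lets
# internet clients reach it must match tcp; a udp rule never sees the SYN.
# Arguments: ext_if listen_port
tunnel_listener_rules() {
    $IPT -A INPUT -i "$1" -p tcp --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# Variant 2: kernel DNAT, no ssh process on the firewall needed.
# Arguments: ext_if int_if ext_ip ext_port int_host int_port
port_forward_rules() {
    ext_if=$1 int_if=$2 ext_ip=$3 ext_port=$4 int_host=$5 int_port=$6
    # Rewrite the destination of packets arriving on the public address.
    $IPT -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$ext_ip" --dport "$ext_port" \
        -j DNAT --to-destination "$int_host:$int_port"
    # Let the new (already DNATed) connection cross the box towards the host...
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$int_host" --dport "$int_port" \
        -m conntrack --ctstate NEW -j ACCEPT
    # ...and let the replies come back. Conntrack reverses the DNAT on the
    # way out, so no POSTROUTING SNAT is needed for this flow as long as the
    # firewall is the internal host's default gateway.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Thread layout: eth1 faces the internet (82.14.14.14), eth0 the LAN.
tunnel_listener_rules eth1 6789
port_forward_rules eth1 eth0 82.14.14.14 6789 192.168.1.5 22
```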