Hello,
After troubleshooting for a few hours I give up now and ask for your help.
I want to access a LAN PC (let's call it the SSH server) using SSH from the internet through the firewall. I can't do that. It says "Connection timed out". However, I can access the SSH server locally with no problems.
The firewall is Slackware. The SSH server is also Slackware. For the firewall I use iptables.
The strange thing is that there is another server in the LAN (let's call it the Backup server) which is also running Slackware, and I can access it with SSH from the internet without problems, even though the configuration of both the Backup server and the SSH server is identical and the firewall's PREROUTING rules seem to be identical for both LAN servers.
I will try to give you as much information as I can straight away. I hope this much information will not be a PITA for you. Can you please help me with this?
First, I don't think this is a routing problem, because when I try to log all incoming and outgoing packets on the SSH server using:
Code:
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
... I see three SSH INPUT requests from my remote machine (that means forwarding should be OK), but no OUTPUT packets at all. It seems like the SSH server refuses to answer SSH requests. Note that there are no other iptables rules on the SSH server except those two rules with the LOG target.
Firewall iptables rules:
Code:
#!/bin/bash
# Flush all rules, and all custom tables
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -t mangle --flush
iptables -t mangle --delete-chain
# Set default policies for all three default chains
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
# It's probably safe to let all the output go freely
iptables -P OUTPUT ACCEPT
# Enable free use of loopback interfaces
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Don't restrict activity from local network
iptables -A INPUT -s 10.1.1.0/24 -j ACCEPT
# Allow return traffic for connections already tracked by conntrack (SSH sessions included)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Backup server - WORKS OK
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22299 -m state --state NEW -s <REMOTE-IP> -d <PUBLIC-IP> -j DNAT --to-destination 10.1.1.16:22
# SSH Server - THIS DOESN'T WORK!
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22298 -m state --state NEW -s <REMOTE-IP> -d <PUBLIC-IP> -j DNAT --to-destination 10.1.1.17:22
# NAT to public IP
# NAT connections from Altas main LAN
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j SNAT --to-source <PUBLIC-IP>
# NAT connections from Altas wireless LAN
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source <PUBLIC-IP>
Firewall ifconfig:
Code:
eth0 Link encap:Ethernet HWaddr 00:15:5D:01:0C:00
inet addr:<PUBLIC-IP> Bcast:***.***.***.*** Mask:255.255.255.0
inet6 addr: fe80::215:5dff:fe01:c00/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:57311080 errors:0 dropped:32024 overruns:0 frame:0
TX packets:45788244 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1074957452 (1025.1 Mb) TX bytes:4094642512 (3904.9 Mb)
Interrupt:9 Base address:0xa000
eth1 Link encap:Ethernet HWaddr 00:15:5D:01:0C:03
inet addr:10.1.1.254 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::215:5dff:fe01:c03/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46499683 errors:0 dropped:1285 overruns:0 frame:1
TX packets:50192272 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:67554592 (64.4 Mb) TX bytes:774704708 (738.8 Mb)
Interrupt:9 Base address:0xe000
eth1:2 Link encap:Ethernet HWaddr 00:15:5D:01:0C:03
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:9 Base address:0xe000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:68 errors:0 dropped:0 overruns:0 frame:0
TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7368 (7.1 Kb) TX bytes:7368 (7.1 Kb)
Firewall route -n:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
***.***.***.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         ***.***.***.1   0.0.0.0         UG    0      0        0 eth0
0.0.0.0         ***.***.***.1   0.0.0.0         UG    1      0        0 eth0
SSH server ifconfig:
Code:
eth0 Link encap:Ethernet HWaddr 00:15:5D:01:0C:0F
inet addr:10.1.1.17 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::215:5dff:fe01:c0f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:212908 errors:0 dropped:11 overruns:0 frame:0
TX packets:263257 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15572880 (14.8 Mb) TX bytes:362528007 (345.7 Mb)
Interrupt:9 Base address:0x6000
eth0:1 Link encap:Ethernet HWaddr 00:15:5D:01:0C:0F
inet addr:10.1.1.251 Bcast:10.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:9 Base address:0x6000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:200 (200.0 b) TX bytes:200 (200.0 b)
SSH Server route -n:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
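A return-path check for a DNAT target, written here as an added shell example (it is not part of the original post): given the text of a `route -n` table and the address of the remote client, it performs the same longest-prefix lookup the kernel does when the host builds its reply, so you can see whether a forwarding target such as 10.1.1.17 has any route back to a source outside 10.1.1.0/24. The two route tables are copied from the post above; the client address 203.0.113.9 is a constructed stand-in for the redacted <REMOTE-IP>, and the redacted public /24 line is skipped because its asterisks are not a parsable address.

```sh
#!/bin/sh
# Added example, not from the original post. Route lookup over the text of
# `route -n`, used to test whether a host has a return path to a given IP.
# Handles only contiguous netmasks (all normal /N masks); POSIX awk has no
# bitwise AND, so for a mask M with block size B = 2^32 - M we use the
# identity (ip & M) == int(ip / B) * B.

# route_for TABLE IP
#   Prints "IFACE GATEWAY" of the longest-prefix route in TABLE covering IP.
#   Prints nothing and returns 1 when no route matches.
route_for() {
  printf '%s\n' "$1" | awk -v ip="$2" '
    function ip2int(s,  a) {
      split(s, a, ".")
      return a[1] * 16777216 + a[2] * 65536 + a[3] * 256 + a[4]
    }
    BEGIN { d = ip2int(ip); best = -1 }
    # data rows have 8 columns and a numeric destination; this skips the two
    # header lines and any redacted (***.***.***.0) entries
    NF == 8 && $1 ~ /^[0-9.]+$/ {
      net  = ip2int($1)
      mask = ip2int($3)
      bsz  = 4294967296 - mask
      if (int(d / bsz) * bsz == net && mask > best) {
        best = mask; iface = $8; gw = $2
      }
    }
    END {
      if (best < 0) exit 1
      print iface, gw
    }'
}

# `route -n` on the firewall, as posted (public /24 redacted in the post)
FIREWALL_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
***.***.***.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         ***.***.***.1   0.0.0.0         UG    0      0        0 eth0
0.0.0.0         ***.***.***.1   0.0.0.0         UG    1      0        0 eth0'

# `route -n` on the SSH server, as posted
SSHSERVER_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo'

# Constructed placeholder for the post's <REMOTE-IP> (an assumption)
REMOTE_IP=203.0.113.9

# check_return_path TABLE IP
#   Returns 0 and names the route if the host can send a reply to IP,
#   returns 1 if the routing table has no entry covering IP.
check_return_path() {
  if out=$(route_for "$1" "$2"); then
    echo "reply to $2 leaves via: $out"
  else
    echo "no route to $2: the host cannot send a reply"
    return 1
  fi
}

echo "firewall:"
check_return_path "$FIREWALL_ROUTES" "$REMOTE_IP"
echo "SSH server:"
check_return_path "$SSHSERVER_ROUTES" "$REMOTE_IP" || :
```

Run it as a plain `sh` script; to check a live host, feed it `"$(route -n)"` (or the host's `ip route` output converted to the same columns) and the address you are connecting from. Hosts with a non-contiguous netmask are outside what the awk arithmetic covers.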