LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
04-24-2014, 03:45 AM   #1   vjdjsingh (LQ Newbie)
IPTABLES configuration needed for external router managing an internal SFTP server


Hello everyone,

I am new on this forum, and what brought me here is this mind-numbing problem I have been dealing with for quite some days.

I have set up an internal SFTP server at Y.Y.Y.175 on Fedora 13, which is connected to this router X.X.X.80, which should allow others to access the internal SFTP server. But the problem I'm facing is:

This router is accessible from the internal network.
But we can't even ping it from outside our network, whereas I tried pinging Google from this router and it was a success. I also pinged the .175 machine via this router and it was also a success. But if I ping this router from any external IP, the request times out.

All I want is to access this .175 machine through this .80 router.
Here are the changes I tried inside iptables:

iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

P.S. SFTP is on port 22 as default. Please help me access this machine from outside.

The interfaces being used are 'eth0' and 'eth1'.
'eth0' is the .175 machine's side and 'eth1' is .80.

Here is the view of iptables -L:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:openvpn
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:tftp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
And here is the view of netstat -ln | grep tcp:

Code:
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 :::5900                     :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 ::1:631                     :::*                        LISTEN

Last edited by vjdjsingh; 04-24-2014 at 03:52 AM.
04-24-2014, 06:43 AM   #2   nikmit (Member, Nottingham, UK, Debian)
It does not look like you have a firewall issue, as the configuration you pasted in is completely open - you don't have a firewall and nothing should be dropped.

Quote:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
This is as far as your INPUT chain will be processed, similar with the FORWARD chain. The OUTPUT chain has a default policy of ACCEPT and no explicit deny as a last rule in the chain, so again all is allowed.
04-24-2014, 07:05 AM   #3   vjdjsingh (LQ Newbie, original poster)
Do you have a notion of what could be wrong?
The router does not respond to pings unless I ping it from an internal point.
There must have been something I left out in setting it up.
04-24-2014, 07:27 AM   #4   nikmit (Member, Nottingham, UK, Debian)
What is the output of
Code:
cat /proc/sys/net/ipv4/ip_forward
It should be 1. If it is not, run
Code:
sysctl -w net/ipv4/ip_forward=1
Other than that, you will need to provide a sketch of the network at the very least; it is all very foggy right now.

Last edited by nikmit; 04-24-2014 at 07:29 AM.
04-24-2014, 07:49 AM   #5   vjdjsingh (LQ Newbie, original poster)
I had already set ip_forward to 1.
I'll try and provide the view here.
04-24-2014, 08:20 AM   #6   vjdjsingh (LQ Newbie, original poster)
Here is what my network looks like:
https://www.dropbox.com/s/9z3zwh6mal...orkDiagram.JPG
04-24-2014, 08:38 AM   #7   nikmit (Member, Nottingham, UK, Debian)
Code:
*nat
-A PREROUTING -i eth1 -d x.x.x.80 -p tcp --dport 22 -j DNAT --to-destination y.y.y.175:22
-A PREROUTING -i eth1 -d x.x.x.80 -p icmp -j DNAT --to-destination y.y.y.175
COMMIT
Something like this should configure NAT port forwarding, which is what you need. Add it to your iptables rule file and run iptables-restore afterwards.
Change ports/protocols as needed, and the IPs to the real ones. The above should forward TCP/22 (SSH) and all ICMP.
04-24-2014, 08:41 AM   #8   vjdjsingh (LQ Newbie, original poster)
Do I need to make the default rule nat, or will filter do fine?
04-24-2014, 08:43 AM   #9   nikmit (Member, Nottingham, UK, Debian)
It needs to be nat.
04-24-2014, 09:30 AM   #10   vjdjsingh (LQ Newbie, original poster)
I changed iptables to the configuration below, saved it in a file and then restored it again.
But if I run iptables -L, it still shows the same result as before, as if the changes I made have not been acknowledged by the system.

Here is my iptables view:
Code:
[root@ZZZZZZ sysconfig]# cat iptables
*nat
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -d x.x.x.80/32 -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination y.y.y.175:22
-A PREROUTING -d x.x.x.80/32 -i eth1 -p icmp -j DNAT --to-destination y.y.y.175
COMMIT
And here is what iptables -L looks like:
Code:
[root@zzzzz sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:openvpn
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:tftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
P.S. I put the right IPs there on my system; I provided an IP-tweaked view here.

Last edited by vjdjsingh; 04-24-2014 at 09:32 AM.
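The NAT port forwarding that nikmit describes in post #7, and that post #10 tries to load from a file containing only a *nat table, needs two halves to work: the DNAT in the nat table that rewrites the destination, and a FORWARD rule in the filter table that lets the rewritten packet through. One fact worth knowing when reading post #10: plain "iptables -L" lists only the filter table, so nat rules that loaded correctly never appear in it; "iptables -t nat -L -n -v" shows them. The following is an added example, not code from the thread or from any of its participants. It writes a complete iptables-restore file (both tables), with default-drop INPUT and FORWARD chains instead of the wide-open chains in the thread, and includes a check that both halves of the forwarding path are present. The interface roles follow the thread (eth1 external, eth0 internal); the addresses 203.0.113.80 and 192.168.1.175 are documentation addresses standing in for x.x.x.80 and y.y.y.175, and the INPUT rules only cover what the example needs (management SSH from the inside), so anything the router itself must serve has to be added. It forwards TCP/22 only, not ICMP.

```shell
#!/bin/sh
# Added example (not from the thread): generate a complete iptables-restore
# ruleset that forwards TCP/22 arriving on the router's external interface to
# the internal SFTP host, plus a check that both halves of the path exist.
# Interface roles follow the thread (eth1 external, eth0 internal). The
# 203.0.113.80 and 192.168.1.175 addresses are assumptions standing in for
# the thread's x.x.x.80 and y.y.y.175.

# gen_rules EXT_IF EXT_IP INT_IF INT_IP PORT
# Prints an iptables-restore file covering both the nat and the filter table.
gen_rules() {
    ext_if=$1; ext_ip=$2; int_if=$3; int_ip=$4; port=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the destination of inbound connections to the internal host. Only
# the external interface is matched, so SSH to the router itself still works
# from the inside.
-A PREROUTING -i $ext_if -d $ext_ip/32 -p tcp --dport $port -j DNAT --to-destination $int_ip:$port
# If $int_ip does not use this router as its default gateway, replies take a
# different path and the connection hangs. In that case add, for this flow only:
#   -A POSTROUTING -o $int_if -d $int_ip/32 -p tcp --dport $port -j MASQUERADE
# at the cost of the SFTP server logging the router, not the client, as source.
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Management SSH to the router itself, from the internal side only.
-A INPUT -i $int_if -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# DNAT runs before the FORWARD chain, so match the already-rewritten destination.
-A FORWARD -i $ext_if -o $int_if -d $int_ip/32 -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Internal hosts may initiate anything outbound.
-A FORWARD -i $int_if -o $ext_if -j ACCEPT
COMMIT
EOF
}

# has_forward_path INT_IP PORT   (ruleset on stdin)
# Returns 0 only if the ruleset both rewrites the destination (nat/DNAT) and
# lets the rewritten packet through (filter/FORWARD). Leaving out the second
# half is the usual reason a DNAT appears to do nothing.
has_forward_path() {
    int_ip=$1; port=$2
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -- "-j DNAT --to-destination $int_ip:$port\$" || return 1
    printf '%s\n' "$rules" | grep -q -- "^-A FORWARD .* -d $int_ip/32 -p tcp --dport $port .* -j ACCEPT\$" || return 1
    return 0
}

# apply_rules EXT_IF EXT_IP INT_IF INT_IP PORT   (root only)
# Syntax-checks the ruleset without touching the kernel, then loads it and
# shows the nat table, which plain "iptables -L" never displays.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 || return 1
    gen_rules "$@" > /tmp/sftp-forward.rules
    iptables-restore --test < /tmp/sftp-forward.rules || return 1
    iptables-restore < /tmp/sftp-forward.rules || return 1
    # Watch the packet counters on these two rules climb while a client
    # connects from outside; a DNAT counter that moves while the FORWARD
    # counter stays at zero points at the filter table.
    iptables -t nat -L PREROUTING -n -v
    iptables -L FORWARD -n -v
}

if [ "${1:-}" = apply ]; then
    apply_rules eth1 203.0.113.80 eth0 192.168.1.175 22
else
    gen_rules eth1 203.0.113.80 eth0 192.168.1.175 22
fi
```

Run it with no arguments to print the ruleset and review it; run it as root with "apply" to load it. Because the file carries both tables, iptables-restore replaces the filter chains shown in the thread as well, which is what makes the default-drop policy take effect.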
04-25-2014, 05:20 AM   #11   vjdjsingh (LQ Newbie, original poster)
Okay, it got resolved.
The problem was with DNS; I set it to 8.8.8.8.
Everything's fine now!
04-25-2014, 07:07 PM   #12   unSpawn (Moderator)
Quote:
Originally Posted by vjdjsingh View Post
I have rightly setup an internal SFTP server with Y.Y.Y.175 on fedora 13
Fedora 13 is too old to be used. Current release is 20. Please install that or another current Linux distribution release.