LinuxQuestions.org > Linux - Security > SSH through a firewall
(https://www.linuxquestions.org/questions/linux-security-4/ssh-through-a-firewall-329229/)

09kevin77 06-01-2005 12:04 PM

SSH through a firewall
 
I am in the process of revamping the firewall. I just took over the IT Department and am trying to weed out the "crap".

My Q is this: I want to allow SSH2 through the "for now" firewall and to a backend server. I went into the existing script and entered the following iptables command:

Code:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp -d <external ip> --dport 22 -j DNAT --to-destination 123.234.35.45:22
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 123.234.35.45 --destination-port 22 -j ACCEPT

This should work shouldn't it? Incoming connection from external IP forward to internal IP server SSH.

A buddy of mine tried to login remotely and got Connection Refused. I tried from the internal network to the external IP (not the same one I am on) and I got a connection, asked me for the username and password ... I entered those and it came back as bad login, would you like to try again. I know the username and passwords are correct. Do I need to open any other port than 22?

Do I have the above correct? Maybe that is my problem. Any help is appreciated. I am starting to understand iptables, still a ways to go though.

Oh, sorry, 1 more thing. This rule, "iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT", if it came before the above, would it disregard the above and take this one because it is first? This looks like SSH to the firewall. Am I right?

Thanks again.

Kevin :newbie:

Atrocity 06-01-2005 02:27 PM

You should grab the book "Linux Firewalls"; I believe it extensively goes through the use of iptables in Linux.

09kevin77 06-01-2005 02:40 PM

Ok, thanks for the tip.

I am guessing "Get a book" means "You have it wrong and I am not going to tell you, figure it out yourself" or was that forum lingo meaning "I don't know".

I don't mean to be snarky but I don't have time to run out to get the book. I figured I could get help on this and THEN get a book. I guess I misunderstood what forums were for. I thought they are here to help people in need, not to promote books.

If anyone else has any other help I would greatly appreciate it. Pointing me to a book was not the answer I was hoping for.

Thanks all.

Kevin

benjithegreat98 06-01-2005 03:35 PM

I would remove this:
Code:

iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT

If you want to leave it in, add a "-i eth1" or something like that. Otherwise you have a conflict of how it would work.

In my config I have something like this:

Code:

iptables -A FORWARD -p tcp -d 123.234.35.45 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 123.234.35.45:22


The "-m state --state NEW,ESTABLISHED,RELATED" part would be totally optional.

I think when doing an iptables script the order that you do your commands is not the deciding factor of how it all works. I could be wrong.
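The complete rule set for the setup discussed in this thread (DNAT on the outside interface plus a matching FORWARD rule, with the INPUT rule kept separate), as an added example that is not from any poster; the interface names, the public address 203.0.113.10 and the IPT dry-run variable are assumptions, and 123.234.35.45 is the internal host from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). IPT defaults to "echo" so the rules are
# printed for review instead of applied; run with IPT=iptables as root to apply.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
EXT_IP="${EXT_IP:-203.0.113.10}"        # constructed public address (TEST-NET-3)
SSH_HOST="${SSH_HOST:-123.234.35.45}"   # backend SSH server from the thread

ssh_forward_rules() {
    ipt="${IPT:-echo}"
    # 1. nat/PREROUTING runs before routing: rewrite the destination of packets
    #    that arrive on the outside interface for the public address, port 22.
    #    Matching on -d keeps the rule from grabbing port 22 for every address
    #    the outside interface may carry.
    $ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 22 \
        -j DNAT --to-destination "$SSH_HOST":22
    # 2. After DNAT the packet is routed to another host, so it traverses
    #    FORWARD (never INPUT). Filter on the already-rewritten destination and
    #    accept only the first packet of a new connection headed inside.
    $ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$SSH_HOST" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    # 3. Replies from the backend belong to a tracked connection, so one state
    #    rule covers the return path; no extra port needs to be opened.
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Traffic addressed to the firewall itself is decided in INPUT. Chains are
# evaluated independently and each chain matches top-down, so an INPUT rule,
# wherever it sits in the script, cannot shadow the FORWARD rule above; it only
# controls SSH to the firewall, here limited to the inside interface.
firewall_ssh_rule() {
    ipt="${IPT:-echo}"
    $ipt -A INPUT -i "$INT_IF" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
}

ssh_forward_rules
firewall_ssh_rule
```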

09kevin77 06-01-2005 03:42 PM

thanks benjithegreat98,

I did get rid of the "iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT" and I changed the IP to our primary one. For some reason, the people that built the firewall in the first place had things weird. Oh well.

I thank you again because everything works 100% now.

Much appreciated!!

Kevin

:D :D :D :D

Atrocity 06-02-2005 01:36 PM

No, get a book means get a book because it has a reputation as a good book and will give you some in-depth knowledge you could use if you are working with firewalls!!!!!!!!

sigsegv 06-03-2005 12:43 AM

Technology books are one of the best ways to waste money out there ... If you're reading it in a book, it's already outdated.

09kevin77 06-03-2005 06:21 AM

Thanks Atrocity, but I think that I could have figured out myself to get a book. If I figured that it would be quicker and more efficient to get it then I would. But like I said in my previous post, forums are for helping people in need, not to promote books. If you want to, fine, but make sure you answer the question in need as well.

Just telling people to "Buy a book" doesn't help anyone. Help is why we go to forums. You could learn a lot from benjithegreat98's post.

Kevin

Atrocity 06-03-2005 11:29 AM

How are technology books a waste of money? That is the dumbest thing I have ever heard!! You have to have a base of something outdated before you can build upon that knowledge in order to create new technologies!!! You get that base from books and working with the current technologies before you can create a new one!!

sigsegv 06-03-2005 02:59 PM

You're missing the point (as I suspected you might).

By the time a book makes it to print and to the store shelves and in your little hands it's already outdated (read: largely incomplete to useless) information.

If you want to spend $40-$80 USD for something of very little practical application (other than slaughtering trees to print them on), go right ahead. I'll get my information from the electronic manuals and howtos and google and forums and spend the money I've saved on hardware (or beer or whatever).

As a happy medium, there's always Safari.

benjithegreat98 06-03-2005 03:08 PM

I'm inclined to agree with Atrocity on the usefulness of books. You can learn some from the on-line manuals and such, but for a thorough explanation of how something works you should get the book. A book won't really be obsolete at the rate you are saying. I know you are exaggerating, but I still have some old books out of college that are useful. Some are not. Usually books will give you better ideas about the 'best practice', which is useful because if the program changes slightly you can still have an understanding of what you need to accomplish by reading what has changed, instead of looking for someone to hold your hand because you do not have as good a comprehension of the subject as you could.

sigsegv 06-03-2005 03:21 PM

To each his own I suppose ... For me, they're a waste. There are a few rare exceptions of course (The K&R C books for example), but those exceptions are few and far between. I can't recall the last thing I needed my hand held with though, so I guess maybe I'm a bad example.

free(thread);

benjithegreat98 06-03-2005 03:28 PM

Just to clarify, I wasn't directing the hand holding bit at you or any one in particular. I've taken short cuts to find quick answers to solve my problem and then the next change that came along I was lost again. I needed to find a thread to hold my hand to get it fixed right. But after doing that a bunch of times I tried to learn the subject thoroughly. Fortunately, places like this exist. :)

Atrocity 06-04-2005 08:21 AM

Books are useful for all except maybe the illiterate; theories and concepts hold strong for years.
