LinuxQuestions.org
Linux - Software This forum is for Software issues.
Old 11-03-2013, 10:21 AM   #1
beliya
LQ Newbie
 
Registered: Feb 2011
Posts: 20

Rep: Reputation: 0
wrong iptables rules on firewall


Hello.

I have a firewall with three physical network interfaces running on Debian Linux. The addressing looks as follows:

eth0 - wan - 192.168.168.2
eth1 - lan1 - 10.1.1.1
eth2 - lan2 - 10.2.1.1

I have a few servers in the lan1 network from which I want some ports forwarded to the wan network. For example: I want port 22 (ssh) on address 10.1.1.11 forwarded to address 192.168.168.2 and port 6990 so that users in the 192.168.168.0/24 network can connect to the ssh server listening on 10.1.1.11:22. I have the following rules in my iptables script:

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6990 -j DNAT --to-destination 10.1.1.11:22
However, when I try to connect with an ssh client from the firewall I receive the following error:

Code:
root@fw:~$ ssh -p 6990 root@192.168.168.2
ssh: connect to host 192.168.168.2 port 6990: Connection refused
root@fw:~$
I think that I'm doing something wrong here and my rules are not correct.

Can anybody please help me with that?
 
Old 11-03-2013, 12:51 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,340

Rep: Reputation: Disabled
Your NAT rule looks OK, but unless the policy for the FORWARD chain in the filter table is "ACCEPT" (which is not recommended), you'll have to add a corresponding rule in that chain to allow traffic through:
Code:
iptables -A FORWARD -i eth0 -d 10.1.1.11 -p tcp --dport 22 -j ACCEPT
The packets hit the FORWARD chain (and the routing table) post-NAT, so the rule must refer to the altered destination address.
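The hook order Ser Olmy describes, as an added illustration that is not part of the thread: a small Python model of the path a packet takes through the nat and filter tables for exactly the two rules quoted above. The `traverse` function and its packet dicts are constructed for this example; the model also encodes the standard netfilter fact that a packet the firewall generates itself never enters PREROUTING, which is why testing a DNAT rule with `ssh` run on the firewall, as in post #1, exercises a different path than a client on the wan network would.

```python
import shlex

# Rules quoted from the thread (constructed input for this example).
RULES = [
    "iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6990"
    " -j DNAT --to-destination 10.1.1.11:22",
    "iptables -A FORWARD -i eth0 -d 10.1.1.11 -p tcp --dport 22 -j ACCEPT",
]
FLAGS = {"-t": "table", "-A": "chain", "-p": "proto", "-i": "in", "-d": "dst",
         "--dport": "dport", "-j": "target", "--to-destination": "to"}

def parse_rule(cmd):
    """Reduce one iptables command to its table, chain, matches and target."""
    argv = shlex.split(cmd)[1:]          # drop the leading 'iptables'
    rule = {"table": "filter"}           # -t defaults to the filter table
    for flag, val in zip(argv, argv[1:]):
        if flag in FLAGS:
            rule[FLAGS[flag]] = val
    return rule

def matches(rule, pkt):
    """Every match option present in the rule must equal the packet field."""
    return all(str(pkt[k]) == rule[k]
               for k in ("proto", "in", "dst", "dport") if k in rule)

def chain(rules, table, name):
    return [r for r in rules if r["table"] == table and r["chain"] == name]

def traverse(cmds, pkt, forward_policy="DROP"):
    """Hook order for a packet that ARRIVES on a NIC: nat PREROUTING (DNAT
    rewrites dst), then routing, then filter FORWARD, whose rules are
    evaluated against the already-rewritten destination. A packet the
    firewall generates itself ("in" is None) never enters PREROUTING; it
    only sees the nat OUTPUT chain, so a PREROUTING DNAT rule cannot apply."""
    rules = [parse_rule(c) for c in cmds]
    pkt = dict(pkt)
    nat_chain = "PREROUTING" if pkt["in"] else "OUTPUT"
    for r in chain(rules, "nat", nat_chain):
        if r["target"] == "DNAT" and matches(r, pkt):
            ip, port = r["to"].split(":")
            pkt["dst"], pkt["dport"] = ip, int(port)
            break
    if not pkt["in"]:
        return "LOCALLY-GENERATED:no-PREROUTING", pkt
    for r in chain(rules, "filter", "FORWARD"):
        if matches(r, pkt):
            return r["target"], pkt
    return forward_policy, pkt           # chain policy applies when nothing matched
```

Swapping the FORWARD rule for one written against the pre-NAT address (`-d 192.168.168.2 --dport 6990`) makes the model fall through to the chain policy, which is the mistake the post above warns about.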
 
Old 11-03-2013, 02:37 PM   #3
beliya
LQ Newbie
 
Registered: Feb 2011
Posts: 20

Original Poster
Rep: Reputation: 0
Ser Olmy,

Thank you for replying. Now the part regarding this action in the firewall script looks like this:

Code:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6990 -j DNAT --to-destination 10.1.1.11:22
iptables -A FORWARD -i eth0 -d 10.1.1.11 -p tcp --dport 22 -j ACCEPT
Unfortunately the same thing happens again and I can't connect.
 
Old 11-03-2013, 02:43 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,340

Rep: Reputation: Disabled
Is 10.1.1.1 the default gateway on the 10.1.1.11 host?

Can you open an SSH connection from 10.1.1.1 to 10.1.1.11?

Have you tried running tcpdump on 10.1.1.1 or 10.1.1.11 to see what's happening?
 
Old 11-03-2013, 02:53 PM   #5
beliya
LQ Newbie
 
Registered: Feb 2011
Posts: 20

Original Poster
Rep: Reputation: 0
Yes, 10.1.1.1 is the default gateway for 10.1.1.11.
Yes, I can establish an ssh connection from 10.1.1.1 to 10.1.1.11.

I haven't tried using tcpdump to see why the connection is failing. That's actually a very good idea. I will try doing that and then I'll report. This will probably happen tomorrow because it's getting very late and my mind is not sharp enough right now.
 