i found several tutorials on how to do it, but got none of them to work :/
- reachable from the internet
- eth0: xxx.xxx.xxx.xxx (public ip)
- eth1: 192.168.1.1
- reachable from FIREWALL
- eth0: 192.168.1.5
Because I still want to be able to connect to the firewall on port 22, I would like to forward incoming connections on port 2222 to 192.168.1.5:22.
ping and ssh from FIREWALL to SERVER works.
ping and ssh from SERVER to FIREWALL works as well (although login is only allowed with public key and the SERVER is not allowed…)
ping and ssh from anywhere to FIREWALL works.
IP forwarding is enabled:
# sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1
Posting my iptables-rules does not make much sense because none of the rules worked (used PREROUTING, POSTROUTING, FORWARD…) and there are no other rules.
Yes, my firewall does not block anything. But this is not about security (yet).
I tried everything I found on the first to pages of:
Here’s the output of
tcpdump -n -i any after using Khaled’s iptables command:
15:42:33.852718 IP home-ip.56008 > firewall-public-ip.2222: Flags [S], seq 1141341765, win 14600, options [mss 1460,sackOK,TS val 871214 ecr 0,nop,wscale 7], length 0 15:42:33.852752 IP home-ip.56008 > 192.168.1.5.22: Flags [S], seq 1141341765, win 14600, options [mss 1460,sackOK,TS val 871214 ecr 0,nop,wscale 7], length 0
I would have guessed that in the second line there would be something like
… IP 192.168.1.1.45678 > 192.168.1.5.22 …
These two lines repeat a few times as my ssh-client tries multiple times to connect. But there is not any answer.
The routes of the server (192.168.1.5) are here. I just added a route
public-firewall-ip 255.255.255.255 192.168.1.1 192.168.1.5 1
but this has no effect.
On the server runs Win XP with cygwin’s sshd installed. I did not mention this before because ssh from the firewall to the server works just fine. But when it comes to routing I feel Windows is somewhat limited.
Now I’m installing Wireshark on the server and will paste the result in a few miniutes.
Trace on server
The trace on the server shows an arriving SYN on port 22 and a leaving SYN,ACK to my home-ip. I think there is the error. The ACK should be sent to the firewall than be masqueraded because in the leaving package the source IP/Port now is 192.168.1.5:22. No way this reaches my laptop at home behind a NAT… or is there a way?
If you are allowing the traffic to pass through your firewall and have IP forwarding enabled, you just need one NAT rule to forward SSH traffic on port 2222. A one like this should do the work:
$ iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.5:22
Network sniffer is your friend when debugging such problems. You can run tcpdump on the firewall machine and see if you can catch the request coming and the same request should leave the firewall machine.
Leave a comment
- SCP transfer only modified files
- How can I automate clearing and resetting a Linux user’s home directory to a default?
- Cron expression that runs every 5 minutes from 1:30 am – 6:00 am [duplicate]
- Understanding redundant power supplies
- Is there a way for administrators to disable users from installing Firefox extensions?