[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

iptables question

Posted on 2009-05-19
3
Medium Priority
?
331 Views
Last Modified: 2012-05-07
Hello everybody!
I have a linux firewall (192.168.0.1) and I would like to forward all the incoming ssh connection from LAN directed to FIREWALL IP (1.2.3.4) to a LAN machine (192.168.0.10).

Do you think it is possible? How can I do it?
0
Comment
Question by:phoenix128
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 11

Expert Comment

by:Todd Mummert
ID: 24428674

It's been a while...

change to use the correct interface:

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 22 -j DNAT --to 192.168.0.10:22
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -i eth1 -j ACCEPT
0
 

Author Comment

by:phoenix128
ID: 24429742
It is not soe easy :)
I also need to masquerade the packet to let the internal machine believe it is coming from the firewall's IP.

The problem is that I already tried to do it with DNAT and MAQUERADE or SNAT... the packet is sent to the destination's machine but it does not come back.

Any idea?
0
 
LVL 7

Accepted Solution

by:
diepes earned 1500 total points
ID: 24434389
1. I assume you can ping the ip's from the fw ? (Connectivity ok)
2. What is your interface names ?  eth0-192.168.0.1   eth1-1.2.3.4
3. Subnet mask's ?

from climbgunks:
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 22 -j DNAT  --to-destination192.168.0.10:22

iptables -A POSTROUTING -t nat -o eth0 -p tcp --dport 22 -j SNAT --to-source 192.168.0.1

iptables -A FORWARD -p tcp --dport 22 -d 192.168.0.10

The last rule you can make more specific if you know where the ssh will come from.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question