port forwarding? routing?

Mike Starke mgcon@neta.com
Tue, 31 Oct 2000 21:21:31 -0700 (MST)


At least I don't feel like I am losing it......
Everything everyone has responded with so far has made
sense, and is what I have already done. 

To answer your question: I have made sure tcpwrappers
was in order (hosts.allow); even went so far as to temporarily
put in a line:
sshd: ALL

The linux box is headless, so I am ssh'd in from an internal box;
I even have two modems connected directly to the box that
work just hunky dory when I dial in.

Looks like I am going to sleep on this one and check everything over
line by line in the AM.

I do have one question: How can I tell if portfw is working, short
of the obvious? At least with ipchains, I can add -l wherever I need to
to hunt down the offending chain.

Thanks for the reply

Mike
mgcon@getnet.com
http://www.getnet.com/~mgcon
Phoenix, AZ
USA

On Tue, 31 Oct 2000 larry-schmid@home.com wrote:

> 
> Here is a stripped-down set of rules that I have just tested.  These
> came from a larger script I use on my firewall.  I forward ssh to an
> internal system for logins.
> 
> #First shut down all traffic
> /sbin/ipchains -P forward DENY
> 
> #Let all inside traffic get out
> /sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
> 
> #Forward ssh to login box
> /usr/sbin/ipmasqadm portfw -a -P tcp -L x.x.x.x 22 -R 192.168.1.100 22 
> 
> # x.x.x.x = external firewall ip
> 
> Are you perhaps using tcp wrappers or have you configured AllowHosts or
> DenyHosts in sshd_config on the box you're forwarding to?  Port
> forwarding doesn't mask the ip from the external connection.
> 
> Larry
> 
> 
> Mike Starke wrote:
> > 
> > Tried it......I am not having fun.
> > 
> > It appears (don't quote me on this) that it is definitely
> > the port forwarding. I can ssh into my linux box, but beyond that
> > is not working.
> > 
> > I even tried:
> > ipchains -P input ACCEPT
> > ipchains -P forward ACCEPT
> > ipchains -A forward -s 192.168.10.0/24 -j MASQ
> > ipmasqadm portfw -a -P tcp -L 192.168.10.2 22 -R 192.168.2.200 22
> > 
> > Just to see if I can redirect ssh to another linux box inside: No Luck.
> > It just hangs.
> > 
> > Anyone have any idea what I can do?
> > 
> > Mike
> > mgcon@getnet.com
> > http://www.getnet.com/~mgcon
> > Phoenix, AZ
> > USA
> > 
> > On Tue, 31 Oct 2000, Patrick E. Stoddard wrote:
> > 
> > > Hi.
> > >
> > > Here is a possible alternative for making ipmasqadm pass
> > > connections to that Citrix box behind your Linux box:
> > >
> > > ipmasqadm autofw -A -r tcp 1494 1494 -h 192.168.2.243
> > >
> > > and I think you can put the -L on there to log connections
> > > as well.  I just had to do this for a friend with a W2K
> > > Terminal Server behind his firewall at his house, and for
> > > that I also had to do another line similar to above but
> > > passing connections on TCP port 3389 to the same IP.
> > >
> > > With that, just make your client try to connect to your
> > > Citrix box (192.168.10.2) and that should pass through
> > > the Linux box just fine.
> > >
> > >
> > > Good luck!   Patrick
> > >
> > > --
> > > Patrick E. Stoddard           E-mail: wd9ewk at amsat dot org
> > > Glendale, Arizona, USA        ICBM:   33.5 N 112.2 W
> > >
> > >    Also: wd9ewk at yahoo dot com - wd9ewk at arrl dot net
> > >
> > 
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > 
> > Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
> -- 
> Provoke not your SA to anger, for he is a jealous SA, vengeful,
> keeper of root, and quick to wrath.
> 
> Larry
> 
>
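As an added example that is not part of any message in this thread: Larry's stripped-down ruleset combined with the ipchains -l logging Mike asks about, plus a small check routine for "is portfw working?". Interface and addresses (eth0, 192.168.10.2, 192.168.2.0/24, 192.168.2.200) are assumptions taken from Mike's test rules, the /proc/net/ip_masq/portfw path is assumed from the 2.2 ip_masq code, and DRY_RUN=1 prints the commands instead of running them so the script can be read on a box without ipchains.

```shell
#!/bin/sh
# Added example, not from the original thread.  ipchains + ipmasqadm
# portfw ruleset for a 2.2 kernel, with -l logging on the rules that
# matter, and a check routine for the usual reasons a forwarded
# connection just hangs.  Addresses below are assumptions; override
# them in the environment.  DRY_RUN=1 prints instead of executing.
EXT_IF=${EXT_IF:-eth0}                  # interface the outside reaches us on
EXT_IP=${EXT_IP:-192.168.10.2}          # address on that interface (the -L address)
INT_NET=${INT_NET:-192.168.2.0/24}      # inside network to masquerade
LOGIN_BOX=${LOGIN_BOX:-192.168.2.200}   # inside host that should get the ssh sessions
PORT=${PORT:-22}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

install_rules() {
    run /sbin/ipchains -F
    run /usr/sbin/ipmasqadm portfw -f
    run /sbin/ipchains -P input ACCEPT
    run /sbin/ipchains -P output ACCEPT
    run /sbin/ipchains -P forward DENY

    # Accept and log (-l) the inbound SYN to the forwarded port, so syslog
    # shows whether the packet reached the firewall at all.
    run /sbin/ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$PORT" -j ACCEPT -l

    # Inside hosts get out masqueraded.  This rule is also what carries the
    # login box's replies back out to the external client.
    run /sbin/ipchains -A forward -s "$INT_NET" -d 0.0.0.0/0 -j MASQ

    # Log whatever the DENY policy would silently drop: the ipchains -l trick
    # applied to the forward chain that portfw'd traffic has to pass.
    run /sbin/ipchains -A forward -j DENY -l

    # Rewrite connections to EXT_IP:PORT so they land on LOGIN_BOX:PORT.
    run /usr/sbin/ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$PORT" -R "$LOGIN_BOX" "$PORT"
}

check_portfw() {
    status=0
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != 1 ]; then
        echo "ip_forward is off: echo 1 > /proc/sys/net/ipv4/ip_forward"
        status=1
    fi
    # Assumed 2.2 path: present once ip_masq_portfw is loaded or built in.
    if [ ! -e /proc/net/ip_masq/portfw ]; then
        echo "no /proc/net/ip_masq/portfw: modprobe ip_masq_portfw, or build portfw in"
        status=1
    fi
    # The portfw table itself, then per-rule packet counters (-v).  A zero
    # counter on the input rule means the SYN never arrived on EXT_IF; a
    # nonzero input counter with nothing logged from the forward chain points
    # at the masq/portfw side.  portfw only rewrites the destination, so the
    # login box's replies are un-rewritten only if its default gateway is
    # this firewall; check that route when the counters look fine.
    run /usr/sbin/ipmasqadm portfw -l
    run /sbin/ipchains -L input -n -v
    run /sbin/ipchains -L forward -n -v
    return $status
}

case "${1:-}" in
    apply) install_rules ;;
    check) check_portfw ;;
esac
```

Run it as `sh portfw.sh apply` to load the rules and `sh portfw.sh check` to list them with counters; then `tail -f /var/log/messages` while a client connects shows which logged rule the SYN hit. Because portfw does not mask the client address (as Larry notes), hosts.allow on the login box must admit the external client, not just the firewall.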