SSH and Firewalls?

George Toft plug-discuss@lists.plug.phoenix.az.us
Wed, 12 Jun 2002 21:19:39 -0400


Craig White wrote:
> 
> On Tue, 2002-06-11 at 07:07, Steve Holmes wrote:
> > Question about running ssh over a masqueraded network:
> >
> > I have a linux box that serves as the "point" machine for my network
> > on which I forward ports with ipchains (2.2 kernel) to inside
> > machines which each run sshd.  My outside machine currently is not
> > running ssh yet.  If the default policy on my input chain is ACCEPT, I
> > can successfully forward non standard ports through to specific
> > machines and establish ssh sessions on them with no problems.  If I
> > default the input chain to DENY, as is done in the endoshield script, the
> > connections time out and I cannot connect.  In both cases, I forward
> > the same ports.
> >
> > Bottom line, If I use endoshield and add on the ipfwadm commands to
> > forward the ports mentioned above, connections time out; If I do not
> > use endoshield but use a simpler script that basically leaves the
> > input chain wide open, I can establish the ssh sessions - no problem.
> ----
> been a while since I used ipchains and not seeing your script, what I
> think is happening is that the input chains are considered before your
> forward chains and thus if your policy is to DENY, then the packets are
> denied before they ever hit the 'forward' chains.

This is correct.  ipchains puts the input chain before the forward chain, 
and iptables puts the forward chain before the input chain.

George
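The rule set below is an added example and is not code from the thread or from the endoshield script. It shows the practical consequence of the chain order George describes: with the input chain's default policy at DENY, the forwarded port has to be accepted on input, or the incoming SYN is dropped before the port-forwarding code and the forward chain ever see it. Interface names, addresses, ports, and the use of ipmasqadm portfw for the forwarding itself (the thread only says ports are forwarded) are assumptions; the run() wrapper and DRY_RUN=1 are there so the rules can be printed and reviewed on a machine without ipchains.

```shell
#!/bin/sh
# Added example, not part of the thread above: ipchains rules that keep the
# input chain's default policy at DENY while still forwarding an external
# non-standard port to an inside sshd.  ipchains evaluates the input chain
# before demasquerading and before the forward chain, so the forwarded port
# must be explicitly accepted on input.  Every name, address and port below
# is an assumption chosen for illustration.
EXT_IF=${EXT_IF:-eth0}                 # interface facing the Internet
INT_IF=${INT_IF:-eth1}                 # interface facing the masqueraded LAN
EXT_IP=${EXT_IP:-203.0.113.10}         # public address on EXT_IF
INT_NET=${INT_NET:-192.168.1.0/24}     # masqueraded LAN
INT_HOST=${INT_HOST:-192.168.1.20}     # inside machine running sshd
EXT_PORT=${EXT_PORT:-2222}             # non-standard port exposed outside
SSH_PORT=${SSH_PORT:-22}               # sshd port on INT_HOST

# run: echo each command, then execute it unless DRY_RUN=1 is set, so the
# rule set can be reviewed on a box that has no ipchains at all.
run() {
    echo "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

apply_rules() {
    run ipchains -F input
    run ipchains -F forward
    run ipchains -F output
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT

    # Loopback and the trusted LAN side are accepted wholesale on input.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT

    # The fix for the time-outs: the input chain still sees the packet
    # addressed to EXT_IP:EXT_PORT (demasquerading happens afterwards), so
    # that destination has to be accepted here.
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$EXT_PORT" -j ACCEPT

    # Replies to connections opened from this box or from the masqueraded
    # LAN: non-SYN TCP only, so new inbound connections stay denied.  This
    # is the ipchains stand-in for connection tracking and also admits
    # unsolicited ACK packets; iptables' state matching later fixed that.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # Forward chain: masquerade the LAN outbound (-i is the outgoing
    # interface on the forward chain), and let the de-masqueraded forwarded
    # packets reach the inside sshd.
    run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
    run ipchains -A forward -p tcp -d "$INT_HOST" "$SSH_PORT" -j ACCEPT

    # The port forwarding itself (ipmasqadm portfw on 2.2 kernels).
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$EXT_PORT" -R "$INT_HOST" "$SSH_PORT"
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) DRY_RUN=1; apply_rules ;;
esac
```

Run it as `sh portfw-ssh.sh dry-run` to print the rules without touching the kernel, and `sh portfw-ssh.sh apply` as root on the 2.2 box. The test of whether the ordering is the problem is to keep everything else from the existing script and add only the input-chain ACCEPT for EXT_IP:EXT_PORT on the external interface; if the ssh sessions then establish, the DENY policy on input was what was dropping the forwarded SYNs.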