At least I don't feel like I am losing it...... Everything everyone has responded with so far has made sense, and is what I have already done.

To answer your question: I have made sure tcpwrappers was in order (hosts.allow); even went so far as to temporarily put in a line:

    sshd: ALL

The linux box is headless, so I am ssh'd in from an internal box; I even have two modems connected directly to the box that work just hunky dory when I dial in.

Looks like I am going to sleep on this one and check everything over line by line in the AM.

I do have one question: How can I tell if portfw is working, short of the obvious? At least with ipchains, I can add -l wherever I need to to hunt down the offending chain.

Thanks for the reply

Mike
mgcon@getnet.com
http://www.getnet.com/~mgcon
Phoenix, AZ
USA

On Tue, 31 Oct 2000 larry-schmid@home.com wrote:

> Here is a stripped-down set of rules that I have just tested. These
> came from a larger script I use on my firewall. I forward ssh to an
> internal system for logins.
>
> #First shut down all traffic
> /sbin/ipchains -P forward DENY
>
> #Let all inside traffic get out
> /sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
>
> #Forward ssh to login box
> /usr/sbin/ipmasqadm portfw -a -P tcp -L x.x.x.x 22 -R 192.168.1.100 22
>
> # x.x.x.x = external firewall ip
>
> Are you perhaps using tcp wrappers or have you configured AllowHosts or
> DenyHosts in sshd_config on the box you're forwarding to? Port
> forwarding doesn't mask the ip from the external connection.
>
> Larry
>
>
> Mike Starke wrote:
> >
> > Tried it......I am not having fun.
> >
> > It appears (don't quote me on this) that it is definitely
> > the port forwarding. I can ssh into my linux box, but beyond that
> > is not working.
> >
> > I even tried:
> > ipchains -P input ACCEPT
> > ipchains -P forward ACCEPT
> > ipchains -A forward -s 192.168.10.0/24 -j MASQ
> > ipmasqadm portfw -a -P tcp -L 192.168.10.2 22 -R 192.168.2.200 22
> >
> > Just to see if I can redirect ssh to another linux box inside: No Luck.
> > It just hangs.
> >
> > Anyone have any idea what I can do?
> >
> > Mike
> > mgcon@getnet.com
> > http://www.getnet.com/~mgcon
> > Phoenix, AZ
> > USA
> >
> > On Tue, 31 Oct 2000, Patrick E. Stoddard wrote:
> >
> > > Hi.
> > >
> > > Here is a possible alternative for making ipmasqadm pass
> > > connections to that Citrix box behind your Linux box:
> > >
> > > ipmasqadm autofw -A -r tcp 1494 1494 -h 192.168.2.243
> > >
> > > and I think you can put the -L on there to log connections
> > > as well. I just had to do this for a friend with a W2K
> > > Terminal Server behind his firewall at his house, and for
> > > that I also had to do another line similar to above but
> > > passing connections on TCP port 3389 to the same IP.
> > >
> > > With that, just make your client try to connect to your
> > > Citrix box (192.168.10.2) and that should pass through
> > > the Linux box just fine.
> > >
> > >
> > > Good luck! Patrick
> > >
> > > --
> > > Patrick E. Stoddard E-mail: wd9ewk at amsat dot org
> > > Glendale, Arizona, USA ICBM: 33.5 N 112.2 W
> > >
> > > Also: wd9ewk at yahoo dot com - wd9ewk at arrl dot net
> > >
> >
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> >
> > Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> Provoke not your SA to anger, for he is a jealous SA, vengeful,
> keeper of root, and quick to wrath.
>
> Larry
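An added example, not written by anyone in the thread, of the checks Mike is asking for (how to tell whether portfw is actually doing anything) as a small sh script for a 2.2-kernel ipchains/ipmasqadm box. The rule syntax is the one Larry's and Mike's posts use; EXT_IP, INT_HOST, PORT and ROOT are placeholders of my own, and the "Packet log:" line layout the awk parses is the ipchains -l kernel message format as assumed here, so compare it against your own dmesg before trusting the counts. Two caveats worth keeping in mind with any portfw setup: as Larry says, the real source address is passed through, so hosts.allow on the internal box has to admit the outside address, not the firewall's; and the internal box's replies must route back through the masquerading box, or they are never rewritten and the client just sits there.

```shell
#!/bin/sh
# Added example, not code from the thread.  Placeholders: EXT_IP, INT_HOST,
# PORT and ROOT.  The rule syntax is the ipchains/ipmasqadm syntax the
# thread uses; the "Packet log:" layout parsed below is the 2.2 ipchains -l
# kernel message format as assumed here; check it against your own dmesg.

EXT_IP=${EXT_IP:-x.x.x.x}            # external firewall address (placeholder)
INT_HOST=${INT_HOST:-192.168.1.100}  # box the port is forwarded to
PORT=${PORT:-22}
ROOT=${ROOT:-}                       # prefix for /proc, so the checks can run against a test tree

# 1. Two things portfw needs that give no error when missing: forwarding
#    enabled and the portfw masquerading module present.  Exit status 0 = ok.
check_portfw_prereqs() {
    rc=0
    fwd=$(cat "$ROOT/proc/sys/net/ipv4/ip_forward" 2>/dev/null || true)
    if [ "$fwd" != 1 ]; then
        echo "ip_forward is '${fwd:-unset}', need 1: echo 1 > /proc/sys/net/ipv4/ip_forward"
        rc=1
    fi
    if [ ! -e "$ROOT/proc/net/ip_masq/portfw" ]; then
        echo "no /proc/net/ip_masq/portfw: modprobe ip_masq_portfw (or build CONFIG_IP_MASQUERADE_IPPORTFW in)"
        rc=1
    fi
    return $rc
}

# 2. The rules.  The first one is the ipchains-style answer to "is anything
#    arriving": -y matches only SYNs, -l logs them, so dmesg shows whether
#    connection attempts reach the outside interface before portfw touches them.
portfw_rules() {
    cat <<EOF
/sbin/ipchains -A input -p tcp -d $EXT_IP $PORT -y -l -j ACCEPT
/usr/sbin/ipmasqadm portfw -f
/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXT_IP $PORT -R $INT_HOST $PORT
EOF
}

# 3. Read the evidence: count logged SYNs to the forwarded port per source.
#    Kernel log (dmesg or /var/log/messages) on stdin; "<count> <source ip>"
#    per source on stdout.  Hits here plus silence on the inside interface
#    (tcpdump -i eth1 port $PORT) mean the box, not the network, is losing them.
count_logged_syns() {
    awk -v port="$PORT" '
        /Packet log: input/ {
            for (i = 1; i <= NF; i++) if ($i == "PROTO=6") break
            if (i > NF) next
            split($(i + 1), src, ":")   # src addr:port follows PROTO=
            split($(i + 2), dst, ":")   # then dst addr:port
            if (dst[2] == port) hits[src[1]]++
        }
        END { for (s in hits) print hits[s], s }' | sort -k2
}

# Run as root on the firewall with "run": check, apply, then list the entry.
if [ "${1:-}" = run ]; then
    check_portfw_prereqs || exit 1
    portfw_rules | sh
    /usr/sbin/ipmasqadm portfw -l -n      # the forwarding entry must show up here
fi
```

After applying, `ipchains -L input -n -v` shows the packet counter on the logging rule climbing with each attempt, and `grep 'Packet log' /var/log/messages | count_logged_syns` tells you which outside addresses are actually getting that far; if the counter moves but tcpdump on the inside interface shows nothing leaving for the internal box, the rewrite itself is the thing to look at, and if the inside box answers but the client still hangs, check that its default route points back at the masquerading box.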