Ralf Schenk
2003-Jul-03 12:09 UTC
[Shorewall-users] Problem with NAT of incoming SSH Traffic
Hello !

I want to NAT incoming ssh connections to Ports like 222,223,224 to different ssh-Servers on the local LAN.

I've got the following in the rules file (IP addresses changed):

#
# Allow ssh remote administration for Servers
#
DNAT:info net loc:111.111.40.35:22 tcp 222
DNAT:info net loc:111.111.100.1:22 tcp 223
DNAT:info net loc:111.111.11.101:22 tcp 224

If I connect to the external IP of the Firewall and the special port 223 my logfile shows:

Jul 3 20:57:46 firewall kernel: Shorewall:net2loc:DNAT:IN=eth2 OUT=eth0 SRC=XXX.XXX.XXX.XXX DST=111.111.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=36318 DF PROTO=TCP SPT=1237 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

But my ssh connection times out. Is this special for ssh or where is my mistake ?

Thanks

--
__________________________________________________
Ralf Schenk
Tom Eastep
2003-Jul-03 12:16 UTC
[Shorewall-users] Problem with NAT of incoming SSH Traffic
On Thu, 2003-07-03 at 12:14, Ralf Schenk wrote:
> Hello !
>
> I want to NAT incoming ssh connections to Ports like 222,223,224 to
> different ssh-Servers on the local LAN.
>
> I've got the following in the rules file (IP addresses changed):
>
> #
> # Allow ssh remote administration for Servers
> #
> DNAT:info net loc:111.111.40.35:22 tcp 222
> DNAT:info net loc:111.111.100.1:22 tcp 223
> DNAT:info net loc:111.111.11.101:22 tcp 224
>
> If I connect to the external IP of the Firewall and the special port 223
> my logfile shows:
>
> Jul 3 20:57:46 firewall kernel: Shorewall:net2loc:DNAT:IN=eth2 OUT=eth0
> SRC=XXX.XXX.XXX.XXX DST=111.111.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=118
> ID=36318 DF PROTO=TCP SPT=1237 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
>
> But my ssh connection times out. Is this special for ssh or where is my
> mistake ?

Can the internal system (111.111.100.1) access the internet? Does DNS reverse lookup from the internal system for XXX.XXX.XXX.XXX work? Is the default gateway for 111.111.100.1 set to the IP address of the Shorewall box?

-Tom

--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Ralf Schenk
2003-Jul-03 12:56 UTC
[Shorewall-users] Problem with NAT of incoming SSH Traffic
Tom Eastep wrote:
> On Thu, 2003-07-03 at 12:14, Ralf Schenk wrote:
>
>> Hello !
>>
>> I want to NAT incoming ssh connections to Ports like 222,223,224 to
>> different ssh-Servers on the local LAN.
>>
>> I've got the following in the rules file (IP addresses changed):
>>
>> #
>> # Allow ssh remote administration for Servers
>> #
>> DNAT:info net loc:111.111.40.35:22 tcp 222
>> DNAT:info net loc:111.111.100.1:22 tcp 223
>> DNAT:info net loc:111.111.11.101:22 tcp 224
>>
>> If I connect to the external IP of the Firewall and the special port 223
>> my logfile shows:
>>
>> Jul 3 20:57:46 firewall kernel: Shorewall:net2loc:DNAT:IN=eth2 OUT=eth0
>> SRC=XXX.XXX.XXX.XXX DST=111.111.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=118
>> ID=36318 DF PROTO=TCP SPT=1237 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
>>
>> But my ssh connection times out. Is this special for ssh or where is my
>> mistake ?
>
>
> Can the internal system (111.111.100.1) access the internet? Does DNS
> reverse lookup from the internal system for XXX.XXX.XXX.XXX work? Is the
> default gateway for 111.111.100.1 set to the IP address of the Shorewall
> box?
>
> -Tom

Reverse DNS is not that important, it only slows down the login but it could be the gateway... I'll check that tomorrow. I've no account on that machine.

Thanks !

Ralf
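An added diagnostic, not from the thread and not part of Shorewall: it parses the three DNAT rules and the kernel log line Ralf posted (embedded here as sample input) and checks whether the logged packet was rewritten to the address and port the rule for the external port he connected to specifies. Since the log already shows DST=111.111.100.1 DPT=22, the forward path is fine, which is why Tom's questions go to the return path (the internal host's default gateway); the log parser assumes the netfilter key=value layout seen in the post.

```python
import re

# Sample input constructed from the thread: Ralf's rules lines and his log line.
RULES_TEXT = """
#
# Allow ssh remote administration for Servers
#
DNAT:info net loc:111.111.40.35:22 tcp 222
DNAT:info net loc:111.111.100.1:22 tcp 223
DNAT:info net loc:111.111.11.101:22 tcp 224
"""
LOG_LINE = ("Jul 3 20:57:46 firewall kernel: Shorewall:net2loc:DNAT:IN=eth2 OUT=eth0 "
            "SRC=XXX.XXX.XXX.XXX DST=111.111.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=118 "
            "ID=36318 DF PROTO=TCP SPT=1237 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0")

# DNAT[:loglevel] SOURCE DESTZONE:IP[:PORT] PROTO EXTPORT  (the form used in the post)
RULE_RE = re.compile(r"^DNAT(?::\w+)?\s+(\S+)\s+(\w+):([\d.]+)(?::(\d+))?\s+(\w+)\s+(\d+)\s*$")

def parse_dnat_rules(text):
    """Map (proto, external port) -> (dest zone, internal ip, internal port)."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            _src, zone, ip, port, proto, ext_port = m.groups()
            mapping[(proto.lower(), int(ext_port))] = (zone, ip, int(port or ext_port))
    return mapping

def parse_log_line(line):
    """Extract KEY=VALUE fields plus the Shorewall chain and disposition from a kernel log line."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    m = re.search(r"Shorewall:(\w+):(\w+):", line)
    fields["CHAIN"], fields["DISP"] = m.groups() if m else (None, None)
    return fields

def check_dnat(rules, log_fields, ext_port):
    """Compare the logged post-DNAT destination with the rule configured for ext_port."""
    target = rules.get((log_fields.get("PROTO", "").lower(), ext_port))
    if target is None:
        return f"no DNAT rule for {log_fields.get('PROTO')} port {ext_port}"
    _zone, ip, port = target
    if log_fields.get("DST") != ip or int(log_fields.get("DPT", -1)) != port:
        return f"DNAT mismatch: expected {ip}:{port}, log shows {log_fields.get('DST')}:{log_fields.get('DPT')}"
    # Forward path is correct; a timeout now points at the return path (gateway of the internal host).
    return f"DNAT ok: rewritten to {ip}:{port}; verify that {ip} routes replies back via the firewall"

if __name__ == "__main__":
    rules = parse_dnat_rules(RULES_TEXT)
    print(check_dnat(rules, parse_log_line(LOG_LINE), 223))
```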