On 13 Nov 2016 11:20 am, "deloptes" <delop...@gmail.com> wrote:
>
> Joe wrote:
>
> > On Sat, 12 Nov 2016 22:15:45 +0100
> > deloptes <delop...@gmail.com> wrote:
> >
> >> Hi,
> >> I need some help and I'll appreciate it.
> >>
> >> I have a firewall with iptables behind the modem.
> >> On this firewall I have
> >> eth0 with ip 10..1 to the modem ip: 10..12
> >> eth1 with ip 192..1 to the intranet
> >>
> >> iptables is doing SNAT from 192..1 to 10..1
> >>
> >> I wonder how I can ssh from 192..NN to 10..NN
> >> What magic should I apply to make it happen?
> >>
> >> Thanks in advance
> >>
> >
> > Can we take it that this does not work now? If that is the case, are
> > you sure that iptables is preventing it? There are other possible
> > reasons for a new ssh link not to work.
> >
>
> Yes, it is not working and yes, it might be a different issue. So here is
> some additional information, if you wish.
>
> From one computer ip 10..6 I can ssh to 10..7 and vice versa.
> I also see that iptables forwards to the output, but in the output nothing
> happens. So it is either in the output chain, or the back route blocks.
>
> > A typical simple iptables script will allow what you want to do to
> > happen already, so there must either be some iptables restriction in
> > place now, or there is some other reason for ssh not working. Are you
> > able to connect to the modem web configuration page from the 192.
> > network?
> >
>
> Yes, I forgot to mention that I can connect from 192..NN to the modem ip via
> ssh, let's say 10..200.
>
> On the modem there is also a firewall. I tried disabling it but it did not
> help.
>
> And you can bet there is a restriction - basically it is pretty tight: only
> what is needed is opened to the intranet, and basically all to the modem net.
>
> > The SNAT should not be an issue, it can handle all protocols
> > transparently, and ssh uses the same tcp protocol as http.
> >
> > If there are iptables restrictions on outgoing protocols, you need to
> > find the rule permitting tcp/80 to be forwarded, copy it and replace 80
> > with 22. Once this is working, we can restrict the destination to the
> > 10. network, as presumably any existing port 80 rule allows connection
> > to anywhere and you may not want that for ssh.
>
> There is nothing regarding the output - no rules based on ports.
>
> thanks
>
Run tcpdump and check what's happening.
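As an added illustration of Joe's suggestion in the quoted thread (copy the FORWARD rule that permits tcp/80, change the port to 22, and pin the destination to the modem network), here is a small Python helper that performs that derivation against an `iptables-save` dump. This is example code written for this page, not from the thread; the addresses (192.168.0.0/24 intranet, 10.0.0.0/24 modem net), interface names and the sample ruleset are constructed, since the original elides the real values.

```python
import re

# Constructed iptables-save excerpt modelled on the setup described in the
# thread: SNAT of the intranet out of eth0, a default-DROP FORWARD chain, and
# only tcp/80 and tcp/443 allowed out. Addresses and interfaces are assumed.
SAMPLE_SAVE = """\
*nat
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 10.0.0.1
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --dport 443 -j ACCEPT
COMMIT
"""

DPORT = re.compile(r"--dport (\d+)\b")


def forward_rules(save_text):
    """Return the '-A FORWARD ...' lines of an iptables-save dump."""
    return [l.strip() for l in save_text.splitlines() if l.startswith("-A FORWARD")]


def accept_rule_for_port(save_text, port):
    """First FORWARD rule that ACCEPTs tcp to `port`, or None if there is none."""
    for rule in forward_rules(save_text):
        m = DPORT.search(rule)
        if m and int(m.group(1)) == port and "-p tcp" in rule and rule.endswith("-j ACCEPT"):
            return rule
    return None


def derive_ssh_rule(save_text, dest_net):
    """Copy the tcp/80 FORWARD rule, change the port to 22 and restrict the
    destination to `dest_net` (the modem network). Returns None when there is
    no tcp/80 rule to copy."""
    http_rule = accept_rule_for_port(save_text, 80)
    if http_rule is None:
        return None
    ssh_rule = DPORT.sub("--dport 22", http_rule)
    if " -d " not in ssh_rule:  # keep an existing destination match untouched
        ssh_rule = ssh_rule.replace(" -p tcp", f" -d {dest_net} -p tcp", 1)
    return ssh_rule


if __name__ == "__main__":
    print("ssh forward allowed:", accept_rule_for_port(SAMPLE_SAVE, 22) is not None)
    print("suggested rule:", derive_ssh_rule(SAMPLE_SAVE, "10.0.0.0/24"))
```

Feed it the real `iptables-save` output to confirm whether a tcp/22 FORWARD rule is missing before looking at the modem side.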