Thanks. That will work for now. I'd like to be able to get port forwarding to work eventually. I might want to set up my desktop as a web server.
On Monday 27 May 2002 09:51 pm, James wrote: > Since I lost the preceding e-mails I'm guessing since your are wanting > to forward ssh through your firewall to your desktop. Here's an article > that might help... might not. Title SSH Port Forwarding. Written for a > Usnix Conf in 2000. > http://www.usenix.org/publications/library/proceedings/als2000/full_papers/ >orr/orr_html/ > > James > > > > On Mon, 27 May 2002 17:46:35 -0700 > > ajax <[EMAIL PROTECTED]> wrote: > > Thanks for the reply. I'm still not getting anywhere. I'm trying to > > forward port 23 on my gateway to port 22 on my desktop. I'm trying to > > do this internally first. Once I get this working, I'll switch so it > > forwards external connections. > > When I run this I get multiple s flags not allowed. > > Now instead of connection refused, connection attempts just hang. > > This is my current script: > > > > > > IPTABLES="/sbin/iptables" > > > > ${IPTABLES} -A INPUT -i eth0 -j ACCEPT > > > > > > ${IPTABLES} -A FORWARD -p tcp -i eth0 --dport 23 -d 192.168.1.1 -j > > ACCEPT${IPTABLES} -A FORWARD -p udp -i eth0 --dport 23 -d 192.168.1.1 > > -j ACCEPT > > > > > > ${IPTABLES} -t nat -A PREROUTING -i eth0 -s 192.168.1.2 -d 192.168.1.1 > > -p tcp --destination-port 23 -j DNAT --to-destination 192.168.1.4:22 > > ${IPTABLES} -t nat -A PREROUTING -i eth0 -s 192.168.1.2 -d 192.168.1.1 > > -p udp --destination-port 23 -j DNAT --to-destination 192.168.1.4:22 > > > > > > ${IPTABLES} -t nat -A POSTROUTING -s 192.168.1.4 -p tcp -sport 22 -d > > 192.168.1.2 -j SNAT --to-source :23 > > ${IPTABLES} -t nat -A POSTROUTING -s 192.168.1.4 -p udp -sport 22 -d > > 192.168.1.2 -j SNAT --to-source :23 > > > > On Thursday 23 May 2002 07:30 am, Pierre Fortin wrote: > > > On Thu, 23 May 2002 00:03:39 -0700 ajax <[EMAIL PROTECTED]> wrote: > > > > I'm trying to forward port 23 to one of my internal computers. My > > > > gateway has a cable connection on eth1 (dynamic ip) and internal > > > > network on eth0 (static ip). I keep getting connection refused. > > > > I can ssh directly to port 23 (I moved the port) on 192.168.1.4 > > > > internally but my gateway doesn't want to forward it I'm using > > > > the following script which I modified from the bastille website > > > > (its located > > > > at/etc/Bastille/firewall.d/pre-audit.d/portforward.sh): > > > > > > > > IP_FORWARDS="eth1-0.0.0.0-23-tcp-192.168.1.4-23 > > > > eth1-0.0.0.0-23-udp-192.168.1.4-23 > > > > eth0-0.0.0.0-23-tcp-192.168.1.4-23 > > > > eth0-0.0.0.0-23-udp-192.168.1.4-23"# > > > > # > > > > > > > > for fw_rule in ${IP_FORWARDS} ; do > > > > # ugly awk hack > > > > fw_iface=`echo "$fw_rule" | awk -F\- '{print $1}'` > > > > fw_inaddr=`echo "$fw_rule" | awk -F\- '{print $2}'` > > > > fw_inport=`echo "$fw_rule" | awk -F\- '{print $3}'` > > > > fw_inproto=`echo "$fw_rule" | awk -F\- '{print $4}'` > > > > fw_outaddr=`echo "$fw_rule" | awk -F\- '{print $5}'` > > > > fw_outport=`echo "$fw_rule" | awk -F\- '{print $6}'` > > > > if [ -n "${fw_iface}" ]; then > > > > # we have an interface specified > > > > ${IPTABLES} -A PREROUTING -t nat -i $fw_iface -d > > > > $fw_inaddr \ -p tcp --destination-port $fw_inport -j DNAT > > > > --to$fw_outaddr:$fw_outport > > > > > > > > ${IPTABLES} -A PREROUTING -t nat -i $fw_iface -d > > > > $fw_inaddr \ -p udp --destination-port $fw_inport -j > > > > DNAT --to$fw_outaddr:$fw_outport > > > > > > > > > > > > else > > > > # apply forward to all interfaces > > > > ${IPTABLES} -A PREROUTING -t nat -d $fw_inaddr \ > > > > -p tcp --destination-port $fw_inport -j DNAT --to > > > > $fw_outaddr:$fw_outport > > > > > > > > > > > > ${IPTABLES} -A PREROUTING -t nat -d $fw_inaddr \ > > > > -p udp --destination-port $fw_inport -j DNAT --to > > > > $fw_outaddr:$fw_outport > > > > > > > > fi > > > > done > > > > > > A quick glance shows one major difference from what I use in my > > > honeyport** script... Here's a clue: > > > > > > iptables -t nat -${ACTION} PREROUTING -s ${ATTACKER} -p tcp --dport > > > \ ${ATTACKER_PORT} -j DNAT --to-destination ${MY_IP}:${HONEYPORT} > > > iptables -t nat -${ACTION} POSTROUTING -s ${MY_IP} -d ${ATTACKER} -p > > > tcp \ --sport ${HONEYPORT} -j SNAT --to-source :${ATTACKER_PORT} > > > > > > Note the use of POSTROUTING and SNAT for the other direction... > > > > > > ** honeyport redirects an attacker to a sticky tarpit server port > > > > > > HTH, > > > Pierre
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
