SSH access to NATted internal server
Hello firewall and SSH gurus...
I have tried to get SSH/SCP access to my web server in my internal network from outside.
My work machine -> B3 -> Web server
The goal would be to be able to transfer files easily between my work machine and my web server.
B3 is acting as server-router-fw and I have tried to forward a port to my web server's SSH port (tried with external port 40 to web server port 22), does not work.
Then I tried to use SSH tunneling,
workmachine# ssh -L5650:localhost:5650 b3hostname
and
b3# ssh -L5650:localhost:22 webserverhost (ip is 192.168.1.2)
(opened port 5650 on b3 firewall)
When I try ssh -p 5650 localhost I get "ssh_exchange_identification: Connection closed by remote host"
I can get to my webserver from my B3 but copying files with SCP is not that convenient. Any ideas how to make this work, should not be difficult, I'm just missing the obvious I hope.
Re: SSH access to NATted internal server
Need two rules in the firewall:
## Adds a portforwarding rule
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport <ext_port> \
--to-destination <webserver>:22
## Actually allow traffic to pass that way
# iptables -A FORWARD -i eth0 -o br0 -p tcp -m tcp -d <webserver> --dport 22 -j ACCEPT
Re: SSH access to NATted internal server
Thanks Gordon,
I'm putting that to /etc/networking/firewall.conf but when I try to "restore" the rules I get "failed at line 63"
line 63 contains
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3022 --to-destination 192.168.1.2:22
Sorry for being a noob, but...
- is that the correct file and
- should I remove the hash character in the front of the line?
Re: SSH access to NATted internal server
I'm sorry, my bad. I forgot to write down the target
This is the correct line:
## Adds a portforwarding rule
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport <ext_port> \
-j DNAT --to-destination <webserver>:22
## Actually allow traffic to pass that way
# iptables -A FORWARD -i eth0 -o br0 -p tcp -m tcp -d <webserver> --dport 22 -j ACCEPT
Re: SSH access to NATted internal server
Still the same error message when restoring the rules.
Re: SSH access to NATted internal server
Hmmm, that's strange...
Although I did make quite a few changes to the original setup. Can you verify that "/lib/modules/2.6.38/kernel/net/ipv4/netfilter/iptable_nat.ko" exists? Or just try
# modprobe iptable_nat
Re: SSH access to NATted internal server
Gordon wrote: Hmmm, that's strange...
Although I did make quite a few changes to the original setup. Can you verify that "/lib/modules/2.6.38/kernel/net/ipv4/netfilter/iptable_nat.ko" exists? Or just try
# modprobe iptable_nat
Yes it does exist, but the modprobe command does not do anything.
Re: SSH access to NATted internal server
Nrde wrote: Yes it does exist, but the modprobe command does not do anything.
That's okay - it means the module is already loaded.
I'm not sure what could be wrong - if I type the command at the prompt the rule gets added without issue. So let's recap with your values:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3022 \
-j DNAT --to-destination 192.168.1.2:22
iptables -A FORWARD -i eth0 -o br0 -p tcp -m tcp -d 192.168.1.2 --dport 22 -j ACCEPT
Re: SSH access to NATted internal server
Thanks again,
I copy pasted as root to the command line, the web interface displays port 3022 to be redirected to port 22 of my webserver.
However trying to connect from work with ssh -p 3022 myb3-ip does not work...
How can I see what rules iptables is actually using, maybe there's something left from previous attempts?
Re: SSH access to NATted internal server
Did you add both lines?
Also, as I am referring to my own B3 I may have made the wrong assumption that you have a WiFi enabled B3. If yours does not have WiFi you need to change the outgoing interface br0 to eth1.
Troubleshooting netfilter is not really easy. Afaik there's no debug option. You could possibly prepend rules with the same filters but a LOG target - this would allow you to verify that the rule can actually be reached and that the filters match. Something else you can do is install and run tcpdump on the B3's LAN interface to see if traffic is being generated when you try to connect. Note that any problem may not be in how the B3 is configured, but also depends on how your webserver responds to incoming packets, e.g. does your webserver use the B3 as its default router?
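One way to answer the "how can I see what rules iptables is actually using" question, as an added example that is not from this thread or from Excito: a POSIX sh script that reads iptables-save output and checks for the two rules in Gordon's recap, reporting which one is missing and catching the br0/eth1 LAN-interface mix-up. The sample ruleset and the script name check_b3_forward.sh are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: verify the two rules a B3-style SSH port
# forward needs, read from iptables-save output. Values are the thread's
# (external port 3022, web server 192.168.1.2); the constructed sample ruleset
# and the script name check_b3_forward.sh are assumptions.
EXT_PORT=3022
WEBSERVER=192.168.1.2
# Constructed iptables-save excerpt of a WiFi B3 after the thread's two commands.
SAMPLE_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3022 -j DNAT --to-destination 192.168.1.2:22
COMMIT
*filter
-A FORWARD -d 192.168.1.2/32 -i eth0 -o br0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
# has_rule RULES CHAIN TOKEN... : true if some "-A CHAIN" line carries every
# token (iptables-save reorders options, e.g. -d before -i, so match per token).
has_rule() {
  rules=$1; chain=$2; shift 2
  printf '%s\n' "$rules" | grep -- "^-A $chain " | {
    while IFS= read -r line; do
      ok=1
      for tok in "$@"; do
        case " $line " in *" $tok "*) ;; *) ok=0; break ;; esac
      done
      [ "$ok" = 1 ] && exit 0
    done
    exit 1
  }
}
# check_portforward RULES LAN_IF : reports each rule; returns how many are
# missing (0 means both are present, which "ssh -p 3022 myb3-ip" needs).
check_portforward() {
  rules=$1; lan_if=$2; missing=0
  if has_rule "$rules" PREROUTING "-i eth0" "-p tcp" "--dport $EXT_PORT" \
              "-j DNAT" "--to-destination $WEBSERVER:22"; then
    echo "ok: nat PREROUTING DNAT tcp/$EXT_PORT -> $WEBSERVER:22"
  else
    echo "MISSING: DNAT rule (iptables -t nat -L PREROUTING -n -v --line-numbers)"; missing=$((missing + 1))
  fi
  if has_rule "$rules" FORWARD "-i eth0" "-o $lan_if" "-d $WEBSERVER/32" \
              "--dport 22" "-j ACCEPT"; then
    echo "ok: FORWARD ACCEPT eth0 -> $lan_if for $WEBSERVER:22"
  else
    echo "MISSING: FORWARD ACCEPT via $lan_if, wrong LAN interface? (iptables -L FORWARD -n -v)"; missing=$((missing + 1))
  fi
  return $missing
}
# As root on the B3: sh check_b3_forward.sh br0   (use eth1 on a B3 without WiFi)
if [ -n "${1:-}" ]; then check_portforward "$(iptables-save)" "$1"; fi
```

Run it with the live rules on the B3; without an argument it only defines the functions, so it can be sourced to check a saved ruleset such as SAMPLE_RULES.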