iptables driving me mental
Hi

I am trying to do port forwarding to another machine. It just hangs when I ssh to it. Here are the lines I am using:

iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.10.106 --dport 41122 -j DNAT --to-destination 192.168.10.186:22
iptables -A FORWARD -p tcp -d 192.168.10.186 --dport 22 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

The line to connect is:

ssh -p 41122 root@192.168.10.106

and it just times out. I can ssh individually to 192.168.10.106 and to 192.168.10.186 and when I use tcpdump it seems to show that it is looking for the right machines.

When I do an nmap from a different machine it shows the port 41122 as filtered not open.

What am I doing wrong - I have tried just about everything.

Frustratingly yours
Simon Moore
Hi Simon,

On Wed, 25 Aug 2004 14:29:10 +0100 UTC (8/25/2004, 8:29 AM -0500 UTC my time), Simon Moore trunco scripsit:

S> ssh -p 41122 root@192.168.10.106 and it just times out. I can ssh
S> individually to 192.168.10.106 and to 192.168.10.186 and when I use
S> tcpdump it seems to show that it is looking for the right machines.

For security reasons, you cannot SSH as root. SSH as a user, then if needed su to root.

--
Gary
On Wednesday 25 August 2004 09:42 am, Gary wrote:
Hi Simon,
On Wed, 25 Aug 2004 14:29:10 +0100 UTC (8/25/2004, 8:29 AM -0500 UTC my time), Simon Moore trunco scripsit:
S> ssh -p 41122 root@192.168.10.106 and it just times out. I can ssh
S> individually to 192.168.10.106 and to 192.168.10.186 and when I use
S> tcpdump it seems to show that it is looking for the right machines.
For security reasons, you cannot SSH as root. SSH as a user, then if needed su to root.
-- Gary
Eh?? I do it all the time.... and the only thing I change in the SUSE setup is the port number..... I think the default for 9.1 (and for ssh in general) is

#PermitRootLogin yes

--
+----------------------------------------------------------------------------+
+ Bruce S. Marshall   bmarsh@bmarsh.com   Bellaire, MI   08/25/04 09:50     +
+----------------------------------------------------------------------------+
"Since a politician never believes what he says, he is surprised when others believe him." - Charles de Gaulle
Hi Bruce, On Wed, 25 Aug 2004 09:52:15 -0400 UTC (8/25/2004, 8:52 AM -0500 UTC my time), Bruce Marshall trunco scripsit:
For security reasons, you cannot SSH as root. SSH as a user, then if needed su to root.
-- Gary
B> Eh?? I do it all the time.... and the only thing I change in the SUSE
B> setup is the port number..... I think the default for 9.1 (and for ssh in
B> general) is
B> #PermitRootLogin yes

Yes, that is what must be changed (uncommented out), otherwise, he would not be able to get in as root. What I meant was that by default, he could not get in as root. Personally, I too have changed the port number.

--
Gary
On Wednesday 25 August 2004 06:57, Gary wrote:
On Wed, 25 Aug 2004 09:52:15 -0400 UTC (8/25/2004, 8:52 AM -0500 UTC my time), Bruce Marshall trunco scripsit:
B> #PermitRootLogin yes
Yes, that is what must be changed (uncommented out), otherwise, he would not be able to get in as root. What I meant was that by default, he could not get in as root. Personally, I too have changed the port number.
The commented entries in sshd_config are the defaults. From the sshd_config man page:

PermitRootLogin
    Specifies whether root can login using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only” or “no”. The default is “yes”.

Besides, if root login is not permitted, the symptom is not a timeout as described in the OP.

Michael
On Wednesday 25 August 2004 15:57, Gary wrote:
Hi Bruce,
On Wed, 25 Aug 2004 09:52:15 -0400 UTC (8/25/2004, 8:52 AM -0500 UTC my
time), Bruce Marshall trunco scripsit:
For security reasons, you cannot SSH as root. SSH as a user, then if needed su to root.
-- Gary
B> Eh?? I do it all the time.... and the only thing I change in the SUSE
B> setup is the port number..... I think the default for 9.1 (and for ssh in
B> general) is
B> #PermitRootLogin yes
Yes, that is what must be changed (uncommented out), otherwise, he would not be able to get in as root. What I meant was that by default, he could not get in as root. Personally, I too have changed the port number.
Since he can ssh by going directly to the destination machine, this is unlikely to be the problem.

I suspect the problem is that he has forgotten to do masquerading. Without that, the connection will be very confused. The machine will send tcp packets to one machine but receive replies from another.

iptables -t nat -A POSTROUTING -d 192.168.10.186 -j MASQUERADE

would be one try
Hi Anders,

On Wed, 25 Aug 2004 16:17:04 +0200 UTC (8/25/2004, 9:17 AM -0500 UTC my time), Anders Johansson trunco scripsit:

A> Since he can ssh by going directly to the destination machine, this is
A> unlikely to be the problem

right... I assumed he could get in the destination box as a normal user, but not as root. I read through initial email too quickly.

A> I suspect the problem is that he has forgotten to do masquerading. Without
A> that, the connection will be very confused. The machine will send tcp packets
A> to one machine but receive replies from another.
A> iptables -t nat -A POSTROUTING -d 192.168.10.186 -j MASQUERADE

Excellent point, agreed..

--
Gary
On Wednesday 25 August 2004 09:57 am, Gary wrote:
Hi Bruce,
On Wed, 25 Aug 2004 09:52:15 -0400 UTC (8/25/2004, 8:52 AM -0500 UTC my
time), Bruce Marshall trunco scripsit:
For security reasons, you cannot SSH as root. SSH as a user, then if needed su to root.
-- Gary
B> Eh?? I do it all the time.... and the only thing I change in the SUSE
B> setup is the port number..... I think the default for 9.1 (and for ssh in
B> general) is
B> #PermitRootLogin yes
Yes, that is what must be changed (uncommented out), otherwise, he would not be able to get in as root. What I meant was that by default, he could not get in as root. Personally, I too have changed the port number.
-- Gary
I believe the fact that it is commented out like that is showing what the *default* is..... I have not uncommented it, and I can login as root.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

--
+----------------------------------------------------------------------------+
+ Bruce S. Marshall   bmarsh@bmarsh.com   Bellaire, MI   08/25/04 10:30     +
+----------------------------------------------------------------------------+
"If work is so terrific, how come they have to pay you to do it?"
Hi Bruce,

On Wed, 25 Aug 2004 10:32:02 -0400 UTC (8/25/2004, 9:32 AM -0500 UTC my time), Bruce Marshall trunco scripsit:

B> I believe the fact that it is commented out like that is showing what the
B> *default* is..... I have not uncommented it, and I can login as root.
B> # The strategy used for options in the default sshd_config shipped with
B> # OpenSSH is to specify options with their default value where
B> # possible, but leave them commented. Uncommented options change a
B> # default value.

Yes, you and Michael are correct now that you mention it... I have not looked at the SUSE SSH file in a very long time, as I mainly use SSH with a FreeBSD server, and have not configured it (in either OS) in awhile. I had forgotten this. Thanks for the correction. That's what happens when you get rusty!!!

--
Gary
Hi Bruce,

On Wed, 25 Aug 2004 09:46:20 -0500 UTC (8/25/2004, 9:46 AM -0500 UTC my time), Gary trunco scripsit:

B>> # The strategy used for options in the default sshd_config shipped with
B>> # OpenSSH is to specify options with their default value where
B>> # possible, but leave them commented. Uncommented options change a
B>> # default value.

G> Yes, you and Michael are correct now that you mention it... I have not
G> looked at the SUSE SSH file in a very long time, as I mainly use SSH with a
G> FreeBSD server, and have not configured it (in either OS) in awhile. I had
G> forgotten this. Thanks for the correction. That's what happens when you get
G> rusty!!!

As an afterthought, what threw me here is that the default for FreeBSD is to deny into root from SSH. Interesting comparison.

--
Gary
Simon wrote regarding '[SLE] iptables driving me mental' on Wed, Aug 25 at 08:33:
Hi
I am trying to do port forwarding to another machine. It just hangs when I ssh to it. Here are the lines I am using
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.10.106 --dport 41122 -j DNAT --to-destination 192.168.10.186:22
iptables -A FORWARD -p tcp -d 192.168.10.186 --dport 22 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
The line to connect is:
ssh -p 41122 root@192.168.10.106 and it just times out. I can ssh individually to 192.168.10.106 and to 192.168.10.186 and when I use tcpdump it seems to show that it is looking for the right machines.
When I do an nmap from a different machine it shows the port 41122 as filtered not open.
What am I doing wrong - I have tried just about everything.
Are incoming port 41122 and outgoing port 22 accepted? It sounds like the incoming port 22 is dropping the packet...

iptables -I INPUT -i eth0 -p tcp -d 192.168.10.106 --dport 41122 -j ACCEPT

and maybe

iptables -I OUTPUT -p tcp -d 192.168.10.186 --dport 22 -j ACCEPT

Look at the output of "iptables -L" & "iptables -L -t nat" and see if there are any rules that might be dropping the packet at other points. I'm betting that the default rule on the INPUT chain is DROP, though.

If you're seeing the connection on 192.168.10.106's syslog, but it times out anyway, you have a routing problem. 192.168.10.186 needs to be the default route (for return packets) in order for the NAT to work. If it isn't the default route, you'll have to put in an SNAT rule on .186 as well. Post back if that's the case. :)

--Danny
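Putting Anders' masquerading point and Danny's chain-policy and return-route checks together, here is a complete rule set for the setup in the original post. This is an added example, not something posted in the thread. The addresses, interface and ports (192.168.10.106, eth0, 41122, 192.168.10.186:22) come from Simon's message; the variable names, the LOG rule, the conntrack state matching and the APPLY switch are my own assumptions. Without APPLY=1 the script only prints the commands it would run on the forwarding host, so the rules can be reviewed before they are applied.

```shell
#!/bin/sh
# Added example (not from the thread): full DNAT port-forward rule set for
# the scenario discussed above. Defaults are the values from the original
# post; override them through the environment. With APPLY=1 the generated
# commands are executed on the forwarding host (192.168.10.106) as root;
# otherwise they are printed for review. Plain POSIX sh.

ROUTER_IP="${ROUTER_IP:-192.168.10.106}"   # host the ssh client connects to
TARGET_IP="${TARGET_IP:-192.168.10.186}"   # host actually running sshd
EXT_IF="${EXT_IF:-eth0}"                   # interface the clients arrive on
EXT_PORT="${EXT_PORT:-41122}"              # port clients use on ROUTER_IP
INT_PORT="${INT_PORT:-22}"                 # sshd port on TARGET_IP

# forward_rules prints one command per line (comment lines are kept so the
# dry run is self-explanatory; sh ignores them when the output is applied).
# Rules are appended with -A, so check "iptables -L -t nat" before running
# the script twice, or duplicates will accumulate.
forward_rules() {
    cat <<EOF
# 1. The kernel must route packets between interfaces at all; the OP's
#    "echo > 1 /proc/..." redirect never set this.
sysctl -w net.ipv4.ip_forward=1
# 2. Rewrite the destination before routing. From here on the packet is
#    addressed to $TARGET_IP:$INT_PORT and traverses FORWARD, not INPUT,
#    so a DROP policy on FORWARD is what silently eats it.
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $ROUTER_IP --dport $EXT_PORT -j DNAT --to-destination $TARGET_IP:$INT_PORT
# 3. Log the first packet of each new session while the source address is
#    still the real client (this runs before the SNAT in step 6).
iptables -A FORWARD -i $EXT_IF -p tcp -d $TARGET_IP --dport $INT_PORT -m conntrack --ctstate NEW -j LOG --log-prefix "fwd-ssh: "
# 4. Allow the client-to-target direction (--dport needs -p tcp).
iptables -A FORWARD -i $EXT_IF -p tcp -d $TARGET_IP --dport $INT_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# 5. Allow the replies back out; only established flows, never new ones.
iptables -A FORWARD -o $EXT_IF -p tcp -s $TARGET_IP --sport $INT_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# 6. Make $TARGET_IP answer to $ROUTER_IP instead of the client directly.
#    Without this, a client on the same LAN gets replies from
#    $TARGET_IP:$INT_PORT for a connection it opened to
#    $ROUTER_IP:$EXT_PORT, resets them, and the session hangs.
iptables -t nat -A POSTROUTING -p tcp -d $TARGET_IP --dport $INT_PORT -j SNAT --to-source $ROUTER_IP
EOF
}

if [ "${APPLY:-0}" = "1" ]; then
    forward_rules | sh -e      # apply on the forwarding host
else
    forward_rules              # dry run: print for review
fi
```

Step 6 is the MASQUERADE Anders proposed, written as an explicit SNAT because the forwarding host has a fixed address. It has a side effect worth knowing about: every forwarded session reaches 192.168.10.186's sshd with 192.168.10.106 as the peer address, so the target's own logs no longer show who connected. The LOG rule in step 3 keeps that information on the router, which is why it sits before the SNAT in packet order. If 192.168.10.186 routes back through 192.168.10.106 anyway (for example because the router is its default gateway), step 6 can be dropped and the target's logs stay accurate.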
participants (7)
- Anders Johansson
- Bruce Marshall
- Danny Sauer
- Gary
- Gary
- Michael Siefritz
- Simon Moore