LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-14-2001, 02:32 AM   #1
r3b00t
Member
 
Registered: May 2001
Distribution: OpenBSD 3.0-beta
Posts: 50

Hi,

I was playing with netfilter this weekend, when I decided to bind my sshd to localhost, and let netfilter redirect allowed traffic through to localhost:22. This works now from the local box, but whenever I try to connect remotely, the connection times out...

Here's the stuff I did:


--[cut here]--------

root:/# cat > /dev/null << EOF
> ip1 == addr of eth0
> ip2 == addr of remote machine
> EOF
root:/# id
uid=0(root) gid=0(root) groups=0(root)
root:/# uname -a
Linux lacrima 2.4.4-work #1 Mon May 14 08:34:52 CEST 2001 i686 unknown
root:/# netstat -an|grep LISTEN
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:22 0.0.0.0:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 1295 /tmp/.X11-unix/X0
root:/# lsmod
Module Size Used by
root:/# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root:/# /sbin/iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root:/# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p1
quit
Protocol mismatch.
Connection closed by foreign host.
root:/# telnet ip1
Trying ip1...
telnet: Unable to connect to remote host: Connection refused
root:/# /sbin/iptables -A INPUT -p tcp -d 127.0.0.1 --dport 22 -j ACCEPT
root:/# /sbin/iptables -A INPUT -p udp -d 127.0.0.1 --dport 22 -j ACCEPT
root:/# /sbin/iptables -A FORWARD -p tcp -d 127.0.0.1 --dport 22 -j ACCEPT
root:/# /sbin/iptables -A FORWARD -p udp -d 127.0.0.1 --dport 22 -j ACCEPT
root:/# /sbin/iptables -t nat -A PREROUTING -p tcp -d ip1 --dport 22 -j DNAT --to 127.0.0.1:22
root:/# /sbin/iptables -t nat -A PREROUTING -p udp -d ip1 --dport 22 -j DNAT --to 127.0.0.1:22
root:/# /sbin/iptables -t nat -A OUTPUT -p tcp -d ip1 --dport 22 -j DNAT --to 127.0.0.1:22
root:/# /sbin/iptables -t nat -A OUTPUT -p udp -d ip1 --dport 22 -j DNAT --to 127.0.0.1:22
root:/# iptables -L -n -v
Chain INPUT (policy ACCEPT 173 packets, 24900 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 127.0.0.1 udp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 127.0.0.1 udp dpt:22

Chain OUTPUT (policy ACCEPT 18 packets, 1018 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 127.0.0.1 udp dpt:22

Chain OUTPUT (policy ACCEPT 18 packets, 1018 bytes)
pkts bytes target prot opt in out source destination
root:/# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 1494 packets, 210K bytes)
pkts bytes target prot opt in out source destination
4 256 DNAT tcp -- * * 0.0.0.0/0 ip1 tcp dpt:22 to:127.0.0.1:22
0 0 DNAT udp -- * * 0.0.0.0/0 ip1 udp dpt:22 to:127.0.0.1:22

Chain POSTROUTING (policy ACCEPT 93 packets, 5566 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 91 packets, 5446 bytes)
pkts bytes target prot opt in out source destination
2 120 DNAT tcp -- * * 0.0.0.0/0 ip1 tcp dpt:22 to:127.0.0.1:22
0 0 DNAT udp -- * * 0.0.0.0/0 ip1 udp dpt:22 to:127.0.0.1:22
root:/# lsmod
Module Size Used by
iptable_nat 14768 0 (autoclean) (unused)
ip_conntrack 13968 1 (autoclean) [iptable_nat]
iptable_filter 2080 0 (autoclean) (unused)
ip_tables 10368 4 [iptable_nat iptable_filter]
root:/# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p1
quit
Protocol mismatch.
Connection closed by foreign host.
root:/# telnet ip1 22
Trying ip1...
Connected to ip1.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p1
quit
Protocol mismatch.
Connection closed by foreign host.
root:/# ssh r3boot@ip2
r3boot@ip2's password:
Last login: Tue May 1 06:23:52 2001 from x.x.x.x
OpenBSD 2.8 (conf) #4: Mon Mar 5 13:58:44 CET 2001

$ telnet ip1 22
Trying ip1...
telnet: connect to address ip1: Connection timed out
$ Connection to ip2 closed.
root:/#

---[done cut]------

I've read the 2.4 packetfilter and NAT HOWTOs from Rusty, and this _should_ do the trick....

Anybody have a clue to how to fix this?

thanks, Lex
 
Old 05-24-2001, 09:40 AM   #2
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Hi r3b00t,

As no one has attempted to try and answer your question on forwarding internally to your localhost-bound sshd ("no idea why you would even attempt to do this"), here goes.

Anyway I haven't used netfilter "yet" but I think I can see a flaw in your chains.

The PREROUTING chain does filtering on packets before they hit the routing tables that send them onwards to the INPUT/FORWARD/OUTPUT chains.

In your input chains you need to allow access to your IP address not the local address.

Also switch on logging on all connections, so you can see which filters accept the connections.

Just a tip,
Raz
 
Old 05-24-2001, 10:33 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

In addition to that, the main thing is to NOT bind sshd to localhost: it can ONLY accept (listen to) traffic from localhost. No outside hosts may use localhost as a destination address in correct/legitimate traffic. (IANA stuff n such)

OTOH, if u wanna play u can try & set up a portforwarder on the external interface & see if u can bounce traffic off a port to reach localhost :-]
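As an added example (not code from anyone in this thread), here is a small Python audit that parses the `netstat -an` listing and the `iptables -L -n -v -t nat` output posted above and flags the two things the replies point at: a daemon bound only to 127.0.0.1, and a PREROUTING DNAT whose target is a loopback address. The sample inputs are copied from the thread with the poster's `ip1` placeholder replaced by the constructed documentation address 192.0.2.10; the note about `route_localnet` refers to a sysctl that appeared in Linux 3.6 and did not exist on the 2.4 kernel in the thread.

```python
"""Audit helper for the failure mode discussed in this thread: an sshd bound
to 127.0.0.1 plus a PREROUTING DNAT that points external traffic at
127.0.0.1:22.  The kernel does not deliver such packets: they arrive on a
non-loopback interface with a loopback destination and are discarded as
martians unless net.ipv4.conf.<iface>.route_localnet=1 (Linux 3.6+, not
available on the 2.4 kernel in the thread).

Sample inputs are copied from the thread, with the poster's "ip1"
placeholder replaced by the constructed documentation address 192.0.2.10.
"""
import ipaddress

NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:22 0.0.0.0:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 1295 /tmp/.X11-unix/X0
"""

NAT_SAMPLE = """\
Chain PREROUTING (policy ACCEPT 1494 packets, 210K bytes)
pkts bytes target prot opt in out source destination
4 256 DNAT tcp -- * * 0.0.0.0/0 192.0.2.10 tcp dpt:22 to:127.0.0.1:22
0 0 DNAT udp -- * * 0.0.0.0/0 192.0.2.10 udp dpt:22 to:127.0.0.1:22

Chain POSTROUTING (policy ACCEPT 93 packets, 5566 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 91 packets, 5446 bytes)
pkts bytes target prot opt in out source destination
2 120 DNAT tcp -- * * 0.0.0.0/0 192.0.2.10 tcp dpt:22 to:127.0.0.1:22
"""


def parse_listeners(netstat_text):
    """Return (proto, address, port) for TCP LISTEN lines of `netstat -an`."""
    listeners = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            host, port = f[3].rsplit(":", 1)   # local address is column 4
            listeners.append((f[0], host, int(port)))
    return listeners


def parse_dnat_rules(nat_text):
    """Parse `iptables -L -n -v -t nat` output into a list of DNAT rule dicts.

    Column order with -v is: pkts bytes target prot opt in out source
    destination, followed by match/target details such as dpt:22 and
    to:127.0.0.1:22."""
    rules, chain = [], None
    for line in nat_text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "Chain":
            chain = f[1]
            continue
        if len(f) < 9 or f[2] != "DNAT":
            continue  # column header line or a non-DNAT target
        rule = {"chain": chain, "proto": f[3], "in": f[5], "src": f[7],
                "dst": f[8], "dport": None, "to_ip": None, "to_port": None}
        for tok in f[9:]:
            if tok.startswith("dpt:"):
                rule["dport"] = int(tok[4:])
            elif tok.startswith("to:"):
                ip, _, port = tok[3:].rpartition(":")
                if ip:   # "to:IP:PORT"
                    rule["to_ip"], rule["to_port"] = ip, int(port)
                else:    # "to:IP" with no port rewrite
                    rule["to_ip"] = port
        rules.append(rule)
    return rules


def audit(netstat_text, nat_text):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for proto, host, port in parse_listeners(netstat_text):
        if ipaddress.ip_address(host).is_loopback:
            findings.append(
                f"{proto}/{port} is bound to {host}: only local clients can "
                f"reach it, so a DNAT from another interface cannot help")
    for r in parse_dnat_rules(nat_text):
        if (r["chain"] == "PREROUTING" and r["to_ip"]
                and ipaddress.ip_address(r["to_ip"]).is_loopback):
            findings.append(
                f"PREROUTING DNAT {r['proto']} {r['dst']}:{r['dport']} -> "
                f"{r['to_ip']}:{r['to_port']}: packets entering on a "
                f"non-loopback interface with a 127/8 destination are "
                f"dropped as martians; bind the daemon to the interface "
                f"address and restrict sources in INPUT instead")
    return findings


if __name__ == "__main__":
    for finding in audit(NETSTAT_SAMPLE, NAT_SAMPLE):
        print("-", finding)
```

Run against the thread's data it reports three findings: the loopback-only sshd and the two PREROUTING DNAT rules; the OUTPUT-chain DNAT is not flagged because locally generated packets to 127.0.0.1 are deliverable, which matches the poster's observation that `telnet ip1 22` works from the box itself but times out from ip2.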
 
  

