Port forwarding ssh with iptables

Question

Moved from stackoverflow...

My new Internet firewall, based on Linux iptables, is working in most regards very well, but the port forwarding does not work:

$ ssh -p 7022 [ppp0-ip-address]
ssh: connect to host [ppp0-ip-address] port 7022: Connection refused

Nothing is added to the debug syslog when I do this.

An nmap of the [ppp0-ip-address] shows only port 22 open, and specifically not port 7022.

I know that I'm missing something simple...

The rules are below. I'd appreciate any assistance.

Thanks,

Phil

The nat table:

$ iptables -n -v -L -t nat
Chain PREROUTING (policy ACCEPT 86 packets, 12277 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7022 to:192.168.1.24:22

Chain INPUT (policy ACCEPT 56 packets, 9997 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 100 packets, 7316 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 38 packets, 2760 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0

and the filter table:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  798  314K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    4  1312 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
 7975 1455K ACCEPT     all  --  eth0   *       192.168.1.0/24       0.0.0.0/0           
    0     0 accept-established  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 INPUT-external  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG-and-drop-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   38  2821 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 TRACE-ssh-fwd  tcp  --  ppp0   eth0    0.0.0.0/0            192.168.1.24         tcp dpt:22 state NEW
    9   468 LOG-and-drop-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  798  314K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
 2046  492K OUTPUT-internal  all  --  *      eth0    0.0.0.0/0            192.168.1.0/24      
   92  6836 accept-established  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 OUTPUT-external  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
   92  6836 LOG-and-drop-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT-external (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 remote-tcp-client  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535
    0     0 INPUT-icmp-external  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT-icmp-external (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG-and-drop-icmp-inex  all  -f  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4

Chain INPUT-internal (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain LOG-and-drop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   468 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<FORWARD> "
    9   468 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-icmp-inex (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<ICMP-INEX> "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-icmp-outex (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<ICMP-OUTEX> "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<INPUT> "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-invalid (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   400 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<INVALID> "
    5   400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-out-int (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<OUT-INT> "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   92  6836 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<OUTPUT> "
   92  6836 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT-external (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 local-tcp-client  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 state NEW
    0     0 OUTPUT-icmp-external  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT-icmp-external (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG-and-drop-icmp-outex  all  -f  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12

Chain OUTPUT-internal (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2046  492K accept-established  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG-and-drop-out-int  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain TRACE-ssh-fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<SSH-FWD> "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain accept-established (3 references)
 pkts bytes target     prot opt in     out     source               destination         
 2041  491K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    5   400 LOG-and-drop-invalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID

Chain local-tcp-client (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,80 tcpflags: 0x17/0x02 state NEW

Chain remote-tcp-client (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW multiport dports 22

Run tcpdump and see what happens. – Xavier Lucas May 10 '15 at 00:14 — Xavier Lucas, May 10 '15 at 00:14

score 1 · Answer 1 · edited Apr 13 '17 at 12:14

I have managed to diagnose my own problem.

The IPtables are fine. The problem was my understanding that I could not (as configured) test port forwarding of port 7022 on the external IP from the internal network.

The issue is covered quite well in the canonical answer to "hairpin NAT" which explains how to route an internal client through the FORWARD chain of the firewall and back to an internal server (and get the responses back via the same route):

Loopback to forwarded Public IP address from local network - Hairpin NAT

http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html

Thank you to all who responded.

score 0 · Answer 2 · answered May 10 '15 at 04:59

0

You need to allow destination port 22 on the input chain, it's only on the forward chain.

answered May 10 '15 at 04:59

Radius

559
2
9

Port forwarding ssh with iptables

2 Answers2