This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ssh nat

hi there,
i´ve got an ssh server behind an asl 5 wich is reachable via nat.

ssh -> external int. ASL --nat--> ssh-server

the problem is, that i cannot start the sshd on the ASL, because i redirect all ssh packets to the internal server.
how can i change the port the ssh server is listening on?
is changing the port in /etc/ssh/sshd_config rifht?
if yes, how do i setup the corresponding opacket filter rules?
thx k33n.

This thread was automatically locked due to age.

Parents

0 mdallagi over 20 years ago

Hi,

Why don't you change the internal sshd server?
Then you can publish the internal server on port 222?

Or, you can use DNAT by using external port 222 and redirect it to internal ssh server (22)

Bye...
Cancel
Vote Up 0 Vote Down

Cancel
0 bagira over 20 years ago in reply to mdallagi

k33n,
if you want to DNAT your SSH port, you also have to create a packet filter for your internal SSH server like >. If you change the SSH port of ASL (/etc/ssh/sshd_config) you have to create a packet filter allowing the source (e.g. ANY) to the external interface, port the_new_defined_ssh_port.
/bagira
Cancel
Vote Up 0 Vote Down

Cancel
0 k33n over 20 years ago in reply to bagira

hi,
i have a dnat rule.
i have a packet filter which allows connections to the internal ssh server.
i have changed /etc/sshd_conf to Port 2222
i have a packetfilter rule which allows all from my ip to any , any service.(my ip is my laptop)

but i still get a drop in the logfile.
08:54:54 my.ip.address 1222 -> ext.interface.address 2222 TCP 48 124 DF WINDOW=65535 RES=0x00 SYN URGP=0

and a connection to the ASL times out.

any hints?

thx k33n
Cancel
Vote Up 0 Vote Down

Cancel
0 mdallagi over 20 years ago in reply to k33n

Can you post the USR_FORWARD chain of packet filter rules and the USR_PRE chain of NAT rules?
Cancel
Vote Up 0 Vote Down

Cancel
0 k33n over 20 years ago in reply to mdallagi

here it is.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 k33n over 20 years ago in reply to mdallagi

here it is.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 mdallagi over 20 years ago in reply to k33n

It's better that you leave the sshd_conf of ASL as default.
There is no way to change (via GUI) the settings of ASL ssh server.
If you abosolutely want to change this beaviour you must to correct the AUTO_INPUT chain,
but I think it's not a correct method.

Instead, you can choose one of these:

a) Modify both the internal ssh server port and the port used by the client
that connects to the internal server,
b) Modify only the port used by the client.

If you choose a), configure the internal server to use port 2222.
Then on the ASL, define the DNAT and packet filter rules like these:

USR_FORWARD:
.... 217.91.102.170  192.168.40.1    tcp dpt:2222 # access to int. ssh server
.... 193.174.61.68   192.168.40.1       tcp dpt:2222 # access to int. ssh server

USR_PRE:
.... 0.0.0.0/0 "external ip"       tcp dpt:2222 to:192.168.40.1

If you choose b) you must use port 2222 only on client but you must define the rules
like these:

USR_FORWARD:
.... 217.91.102.170  192.168.40.1    tcp dpt:22 # access to int. ssh server
.... 193.174.61.68   192.168.40.1       tcp dpt:22 # access to int. ssh server

USR_PRE:
.... 0.0.0.0/0 "external ip"       tcp dpt:2222 to:192.168.40.1:22
Cancel
Vote Up 0 Vote Down

Cancel
0 k33n over 20 years ago in reply to mdallagi

ok, i think i will ask the client to change his ssh port.

thanks for your help
Cancel
Vote Up 0 Vote Down

Cancel
0 k33n over 20 years ago in reply to k33n

the problem is solved.
1. change the ssh port in /etc/ssh/sshd_conf : port 2222
2. add a rule in packetfilter:
    from: any
    service: 2222
    destination: External Address (this is important don't use any        here)

thats all.

k33n
Cancel
Vote Up 0 Vote Down

Cancel