Forwarding SSH port?


Haseldow
10-12-2002, 10:28 AM
Hi,

I'm trying to forward a port for an SSH connection through the firewall to a computer in my LAN.

Example: if someone wanted to connect to a specific computer in my LAN, he would connect to port 22222 on my firewall and be forwarded to the computer's port 22.

I tried
iptables -A FORWARD -i $EXTIF -p tcp --dport 22222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -d $EXTIF --dport 22222 -j DNAT --to $SSHIP:22

EXTIF=external interface
SSHIP=computer in the LAN I wish to establish connection with

When I do ssh -p 22222 my.firewall.ip.address, the connection is not established and there is no error message. Anyone care to tell me what I'm doing wrong?

Thanks,
Haseldow

mychl
10-13-2002, 12:10 PM
Try this (http://www.linuxnewbie.org/forum/showthread.php?s=&threadid=68573)

Haseldow
10-14-2002, 04:58 AM
Thanks... so the problem was with -d $EXTIF, which should have been -i $EXTIF (or -d $EXTIP [external IP number of the firewall]) in:

iptables -A PREROUTING -t nat -p tcp -d $EXTIF --dport 22222 -j DNAT --to $SSHIP:22

-d is for destination IP number
-i is for interface

Just posted this in case anyone reading this thread was left wondering.

-Haseldow

Haseldow
10-14-2002, 03:17 PM
Okay, I pulled your leg. I was at work when I posted and had no chance to double-check. Sorry... :o

So here is the real and working version (tested):
$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $SSH_HOST --dport 22 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 2222 -j DNAT --to $SSH_HOST:22

EXTIF=external interface
SSH_HOST=host you want to connect to


Although you will get:
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
if you're connecting from the outside to both your firewall and the box you use the port forwarding to (not necessarily to both at the same time).

This is due to the fact that the RSA host key (in ~/.ssh/known_hosts) is stored using the IP of the host and has no reference to the port. So when you first connect to your home (be it the firewall or the box you have port forwarding to) and accept the host key, it is stored in known_hosts. The next time you connect to the other box it gives the warning and you have to delete the line in known_hosts to be able to log in to the other box.

And if you delete the RSA key every time you connect to the other box, it makes RSA keys quite meaningless.

Anyone got a solution for this?

Regards,
Haseldow

PS. Sorry for the dual thread thingie... :( I would have put this post in the thread mychl pointed to two posts earlier, but that would have left this thread unfinished/unsolved and someone could have got false information :rolleyes:
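The working rule pair above leaves two things implicit: the kernel must have IP forwarding switched on, and the replies need their own FORWARD rule (conntrack reverses the DNAT for them). The script below is an added example, not code from the thread; it prints the complete rule set for review instead of applying it. The interface eth0, the LAN address 192.168.1.10 and the port 22222 are placeholders, and it uses the -m conntrack --ctstate match rather than the older -m state --state spelling used in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: emit the full iptables rule set
# for forwarding one external TCP port to port 22 on a LAN host. Interface,
# address and port values passed in are constructed placeholders.

# Usage: ssh_forward_rules EXTIF EXTPORT LAN_HOST
# Prints the commands rather than running them, so they can be reviewed first
# and applied with:  ssh_forward_rules eth0 22222 192.168.1.10 | sh
ssh_forward_rules() {
    extif=$1; extport=$2; lan_host=$3
    if [ -z "$extif" ] || [ -z "$lan_host" ]; then
        echo "usage: ssh_forward_rules EXTIF EXTPORT LAN_HOST" >&2
        return 1
    fi
    # A non-numeric or out-of-range port would otherwise turn into a rule
    # iptables rejects, or one that forwards something unintended.
    case "$extport" in
        ''|*[!0-9]*) echo "bad port: $extport" >&2; return 1 ;;
    esac
    if [ "$extport" -lt 1 ] || [ "$extport" -gt 65535 ]; then
        echo "bad port: $extport" >&2
        return 1
    fi

    # Forwarding must be enabled in the kernel or the DNAT'd packets are dropped.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 1. Rewrite the destination before routing. Match on the inbound interface
    #    (-i), not with -d and an interface name, which was the mistake in the thread.
    echo "iptables -t nat -A PREROUTING -i $extif -p tcp --dport $extport -j DNAT --to-destination $lan_host:22"
    # 2. Let the rewritten packets through. FORWARD sees the post-DNAT
    #    destination, so it matches the LAN host and port 22, not $extport.
    echo "iptables -A FORWARD -i $extif -p tcp -d $lan_host --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    # 3. Replies: conntrack undoes the DNAT; only established traffic may go back out.
    #    The LAN host must route its replies through this firewall for that to work.
    echo "iptables -A FORWARD -o $extif -p tcp -s $lan_host --sport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Stand-alone run: print the rules for the arguments given, or for the placeholders.
if [ "$#" -eq 3 ]; then
    ssh_forward_rules "$@"
else
    ssh_forward_rules eth0 22222 192.168.1.10
fi
```

Printing first and piping to sh afterwards is deliberate: a DNAT rule with a mistyped port or host exposes a different machine than intended, and the output can be diffed against what is expected before anything is applied.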

Haseldow
10-14-2002, 04:09 PM
Never mind :D

All you have to do is copy your /etc/ssh/ssh_host_* files from one box to the other (same location) and chmod 600 ssh_host_dsa_key, ssh_host_key and ssh_host_rsa_key.

Maybe there's a better answer, but this is adequate for me. Too tired to try anything else.

Sorry and good night :p

-Haseldow

mychl
10-14-2002, 06:32 PM
Good work, thanks for the info.....

reallynicejerk
10-15-2002, 07:36 AM
If you can't get the sysadmin to do that on all the computers in the network you're ssh-ing into, you can create a bypass config file on the computer that isn't letting you connect because of the different keys, by:

# cd /home/<username>/.ssh/
# pico config

enter this line:

StrictHostKeyChecking no

Ctrl-X and Y to save

Worked for me. One of my old hosts had cluster servers that would change the host key every time I logged in, because I'd get a different computer each time and they wouldn't copy the identity across all the computers, so I had to weaken the security on my home ssh with that config file or else I couldn't ssh in.
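Both workarounds in this thread (copying the host keys between boxes at 04:09 PM, and StrictHostKeyChecking no above) give up something: shared host keys mean one compromised box can impersonate the other, and disabling the check means a changed key is never noticed. OpenSSH's HostKeyAlias option in ssh_config avoids the collision instead: each box is filed in known_hosts under its own alias rather than under the firewall's address. The script below is an added example, not code from the thread; the nicknames, the address 198.51.100.7, the ports and the fake keys in the sample file are constructed placeholders. Note that current OpenSSH already records a non-default port as [host]:port in known_hosts, so the exact clash described in the thread is smaller today, but the alias still keeps the entries separate regardless of port.

```shell
#!/bin/sh
# Added example, not from the original thread. Gives each box reached through
# the firewall its own HostKeyAlias, so OpenSSH files its host key under that
# alias in known_hosts instead of under the shared firewall address. Host
# nicknames, the address 198.51.100.7 and the ports are constructed placeholders.

# Usage: ssh_alias_stanza NICKNAME FIREWALL_ADDR PORT ALIAS
# Emits a ~/.ssh/config stanza; append with  ssh_alias_stanza ... >> ~/.ssh/config
ssh_alias_stanza() {
    nick=$1; addr=$2; port=$3; alias=$4
    if [ -z "$nick" ] || [ -z "$addr" ] || [ -z "$alias" ]; then
        echo "usage: ssh_alias_stanza NICKNAME FIREWALL_ADDR PORT ALIAS" >&2; return 1
    fi
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    # StrictHostKeyChecking stays at "ask": the alias removes the false alarm,
    # so the real alarm (a changed key for the same box) is still raised.
    printf 'Host %s\n    HostName %s\n    Port %s\n    HostKeyAlias %s\n    StrictHostKeyChecking ask\n\n' \
        "$nick" "$addr" "$port" "$alias"
}

# Does FILE already hold a key for NAME? Accepts the bare "name" form and the
# "[name]:port" form newer OpenSSH writes for non-default ports.
known_hosts_has() {
    file=$1; name=$2
    grep -q -E "^(\[$name\]:[0-9]+|$name)[ ,]" "$file"
}

# Write a constructed sample known_hosts to FILE (the keys are fake placeholders):
# the firewall was accepted under its address, the gateway box under an alias.
sample_known_hosts() {
    cat > "$1" <<'EOF'
198.51.100.7 ssh-rsa AAAAB3NzaC1yc2E-FAKE-FIREWALL-KEY=
gateway-home ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-FAKE-GATEWAY-KEY=
EOF
}

# Stand-alone demo with the placeholder values.
f=$(mktemp)
sample_known_hosts "$f"
ssh_alias_stanza desktop 198.51.100.7 22222 desktop-home
ssh_alias_stanza gateway 198.51.100.7 22 gateway-home
for a in gateway-home desktop-home; do
    if known_hosts_has "$f" "$a"; then
        echo "$a: key already pinned"
    else
        echo "$a: first connection will prompt to accept the key"
    fi
done
rm -f "$f"
```

With the stanzas in place, ssh desktop reaches the LAN box through the forwarded port and stores its key under desktop-home, while ssh gateway stores the firewall's key under gateway-home; neither overwrites the other. If one box's key legitimately changes (reinstall), ssh-keygen -R desktop-home removes only that alias's entry, and the warning for any other change is still a warning worth reading.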