Can someone please verify if I have my iptables setup properly?
I am attempting to nat 443 to 22, so I can connect from work.
I followed the tutorial on the macsat site, as well as Oleg's custom firmware page. About the only that is differnet from the macsat tutorial is listening for 443 and sending it to 22. I then added in --syn based on Oleg's script.

I am saving to disk using flashfs and flashfs commit and flashfs enable so I know it is remaning through the reboot.
Attempting to connect using putty from a remote machine times out.

below is the /usr/local/sbin/post-firewall script.

#!/bin/sh
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 443 -j DNAT --to-destination $4:22
iptables -A INPUT -j DROP


below is iptable -L -vn -t nat output (I substitutied .xxx.xxx for my protection)
The xbox UpnP (3074) can be ignored.


[tokyoturnip@(none) root]$ iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 106 packets, 10096 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 68.50.xxx.xxx udp dpt:3074 to:192.168.1.21:3074
0 0 NETMAP udp -- * * 0.0.0.0/0 68.50.xxx.xxx udp spt:6112 192.168.1.0/24
3 144 DNAT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.1:22

Chain POSTROUTING (policy ACCEPT 67 packets, 4064 bytes)
pkts bytes target prot opt in out source destination
0 0 NETMAP udp -- * * 192.168.1.0/24 0.0.0.0/0 udp dpt:6112 68.50.240.143/32
42 2735 MASQUERADE all -- * vlan1 !68.50.xxx.xxx 0.0.0.0/0
10 1184 MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24

Chain OUTPUT (policy ACCEPT 77 packets, 5248 bytes)
pkts bytes target prot opt in out source destination



Any help would be apprecited.
Since we are on the subject of SSH, where is the dropbear configuration file to deny root login access and force public key usage?

Thanks Oleg and many others on this forum

tokyoturnip

One thing I did confirm is if I add
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
in addition to
iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT
that I can actually connect to 443 successfully.
if I remove
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
then I am no longer able to connect to 443.
Maybe I am just not understanding how the ports are bridged on the interfaces of the router.:confused:

Any one know why I need to accept INPUT for port 22 as well as 443, just so I can port forward 443 to 192.168.1.1:22 ? I do not wish to keep dropbear on standard port.

tokyoturnip

I was confused and in the openssh mindset of thinking that there was a configuration file for dropbear. Through reading the forums I found that I needed to start dropbear with the -p switch and specify the port. I added this switch as well as -s to the post-boot script. Additionally I changed my post-firewall script to just allow port 443 without worrying about the natting.

Thanks all for all the great information in the forum.

tokyoturnip

Hi tokyoturnip,

I tried to do the same but it is still not working. Could you please post your scripts: /usr/local/sbin/post-boot, /usr/local/sbin/post-firewall

Thanks in advance,
Pearl

I've got it working like tokyoturnip wanted.

Here is my post-firewall:



#!/bin/sh
/usr/sbin/iptables -t nat -I PREROUTING 1 -i $1 -p tcp --dport 443 -j DNAT --to $4:22
/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT


Note that I use a '1' after the -I option to move the rule to the top of the table.

The post-boot is pretty standard:



#!/bin/sh
mount /dev/scsi/host0/bus0/target0/lun0/part1 /opt
/usr/sbin/smbd -D
/usr/sbin/nmbd -D
dropbear


Hope this works for you too.