LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-10-2002, 12:16 PM   #1
johnecobo
LQ Newbie
 
Registered: Dec 2002
Distribution: RedHat 8.0
Posts: 1

Rep: Reputation: 0
Access my box from internet? CISCO + firewall


I am hoping to be able to access my RedHat 8.0 box from out in the internet. I have assembled many pieces of what I think I need, but as of yet with no success. I am using a CISCO 803 ISDN router fine for access out from the box to the net.

The pieces I have are:
+ Firestarter to set up my local firewall
+ some rules added to the router which I hoped would forward SSH, VNC, and FTP through the router to my server. I am not sure if this is working !
+ an account at www.no-ip.com providing an IP address which does seem to work
+ Virtual Network Server installed and working

I can ping my no-ip address and get a result.
I can telnet to my no-ip address and sign on to my CISCO router
I can SSH and VNC to my server from other machines on my internal network

When attempting SSH to my no-ip address I get 'Connection Refused'. I am not sure if this is my box's firewall or the router not forwarding the message. Any idea how I can tell?

Output from IPTABLES -L
Chain INPUT (policy DROP)
target prot opt source destination
UNCLEAN all -- anywhere anywhere unclean
ACCEPT tcp -- forums.surfanytime.co.uk anywhere tcp flags:!SYN,RST,ACK/SYN
ACCEPT udp -- forums.surfanytime.co.uk anywhere
ACCEPT tcp -- 212-127-28-44.concert.net anywhere tcp flags:!SYN,RST,ACK/SYN
ACCEPT udp -- 212-127-28-44.concert.net anywhere
ACCEPT tcp -- anywhere 192.168.0.0/24 tcp dpt:5901
ACCEPT udp -- anywhere 192.168.0.0/24 udp dpt:5901
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere 192.168.0.0/24 limit: avg 1/sec burst 5
LD all -- 1.0.0.0/8 192.168.0.0/24
LD all -- 2.0.0.0/8 192.168.0.0/24
LD all -- 5.0.0.0/8 192.168.0.0/24
LD all -- 7.0.0.0/8 192.168.0.0/24
LD all -- 23.0.0.0/8 192.168.0.0/24
LD all -- 27.0.0.0/8 192.168.0.0/24
LD all -- 31.0.0.0/8 192.168.0.0/24
LD all -- 36.0.0.0/8 192.168.0.0/24
LD all -- 37.0.0.0/8 192.168.0.0/24
LD all -- 39.0.0.0/8 192.168.0.0/24
LD all -- 41.0.0.0/8 192.168.0.0/24
LD all -- 42.0.0.0/8 192.168.0.0/24
LD all -- 58.0.0.0/8 192.168.0.0/24
LD all -- 59.0.0.0/8 192.168.0.0/24
LD all -- 60.0.0.0/8 192.168.0.0/24
LD all -- 69.0.0.0/8 192.168.0.0/24
LD all -- 70.0.0.0/8 192.168.0.0/24
LD all -- 71.0.0.0/8 192.168.0.0/24
LD all -- 72.0.0.0/8 192.168.0.0/24
LD all -- 73.0.0.0/8 192.168.0.0/24
LD all -- 74.0.0.0/8 192.168.0.0/24
LD all -- 75.0.0.0/8 192.168.0.0/24
LD all -- 76.0.0.0/8 192.168.0.0/24
LD all -- 77.0.0.0/8 192.168.0.0/24
LD all -- 78.0.0.0/8 192.168.0.0/24
LD all -- 79.0.0.0/8 192.168.0.0/24
LD all -- 82.0.0.0/8 192.168.0.0/24
LD all -- 83.0.0.0/8 192.168.0.0/24
LD all -- 84.0.0.0/8 192.168.0.0/24
LD all -- 85.0.0.0/8 192.168.0.0/24
LD all -- 86.0.0.0/8 192.168.0.0/24
LD all -- 87.0.0.0/8 192.168.0.0/24
LD all -- 88.0.0.0/8 192.168.0.0/24
LD all -- 89.0.0.0/8 192.168.0.0/24
LD all -- 90.0.0.0/8 192.168.0.0/24
LD all -- 91.0.0.0/8 192.168.0.0/24
LD all -- 92.0.0.0/8 192.168.0.0/24
LD all -- 93.0.0.0/8 192.168.0.0/24
LD all -- 94.0.0.0/8 192.168.0.0/24
LD all -- 95.0.0.0/8 192.168.0.0/24
LD all -- 96.0.0.0/8 192.168.0.0/24
LD all -- 97.0.0.0/8 192.168.0.0/24
LD all -- 98.0.0.0/8 192.168.0.0/24
LD all -- 99.0.0.0/8 192.168.0.0/24
LD all -- 100.0.0.0/8 192.168.0.0/24
LD all -- 101.0.0.0/8 192.168.0.0/24
LD all -- 102.0.0.0/8 192.168.0.0/24
LD all -- 103.0.0.0/8 192.168.0.0/24
LD all -- 104.0.0.0/8 192.168.0.0/24
LD all -- 105.0.0.0/8 192.168.0.0/24
LD all -- 106.0.0.0/8 192.168.0.0/24
LD all -- 107.0.0.0/8 192.168.0.0/24
LD all -- 108.0.0.0/8 192.168.0.0/24
LD all -- 109.0.0.0/8 192.168.0.0/24
LD all -- 110.0.0.0/8 192.168.0.0/24
LD all -- 111.0.0.0/8 192.168.0.0/24
LD all -- 112.0.0.0/8 192.168.0.0/24
LD all -- 113.0.0.0/8 192.168.0.0/24
LD all -- 114.0.0.0/8 192.168.0.0/24
LD all -- 115.0.0.0/8 192.168.0.0/24
LD all -- 116.0.0.0/8 192.168.0.0/24
LD all -- 117.0.0.0/8 192.168.0.0/24
LD all -- 118.0.0.0/8 192.168.0.0/24
LD all -- 119.0.0.0/8 192.168.0.0/24
LD all -- 120.0.0.0/8 192.168.0.0/24
LD all -- 121.0.0.0/8 192.168.0.0/24
LD all -- 122.0.0.0/8 192.168.0.0/24
LD all -- 123.0.0.0/8 192.168.0.0/24
LD all -- 124.0.0.0/8 192.168.0.0/24
LD all -- 125.0.0.0/8 192.168.0.0/24
LD all -- 126.0.0.0/8 192.168.0.0/24
LD all -- 128.66.0.0/16 192.168.0.0/24
LD all -- 172.16.0.0/12 192.168.0.0/24
LD all -- 197.0.0.0/8 192.168.0.0/24
LD all -- 221.0.0.0/8 192.168.0.0/24
LD all -- 222.0.0.0/8 192.168.0.0/24
LD all -- 223.0.0.0/8 192.168.0.0/24
LD all -- 240.0.0.0/4 192.168.0.0/24
LD tcp -- anywhere 192.168.0.0/24 tcp dpt:31337 limit: avg 2/min burst 5
LD udp -- anywhere 192.168.0.0/24 udp dpt:31337 limit: avg 2/min burst 5
LD tcp -- anywhere 192.168.0.0/24 tcp dpt:33270 limit: avg 2/min burst 5
LD udp -- anywhere 192.168.0.0/24 udp dpt:33270 limit: avg 2/min burst 5
LD tcp -- anywhere 192.168.0.0/24 tcp dpt:1234 limit: avg 2/min burst 5
LD tcp -- anywhere 192.168.0.0/24 tcp dpt:6711 limit: avg 2/min burst 5
LD tcp -- anywhere 192.168.0.0/24 tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
LD tcp -- anywhere 192.168.0.0/24 tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
LD tcp -- anywhere 192.168.0.0/24 tcp dpts:12345:12346 limit: avg 2/min burst 5
LD udp -- anywhere 192.168.0.0/24 udp dpts:12345:12346 limit: avg 2/min burst 5
LD tcp -- anywhere 192.168.0.0/24 tcp dpt:135 limit: avg 2/min burst 5
LD udp -- anywhere 192.168.0.0/24 udp dpt:135 limit: avg 2/min burst 5
LD tcp -- anywhere 192.168.0.0/24 tcp dpt:ingreslock limit: avg 2/min burst 5
LD tcp -- anywhere 192.168.0.0/24 tcp dpt:27665 limit: avg 2/min burst 5
LD udp -- anywhere 192.168.0.0/24 udp dpt:27444 limit: avg 2/min burst 5
LD udp -- anywhere 192.168.0.0/24 udp dpt:31335 limit: avg 2/min burst 5
LD all -- 224.0.0.0/8 anywhere
LD all -- anywhere BASE-ADDRESS.MCAST.NET/8
LD all -- 255.255.255.255 anywhere
LD all -- anywhere 0.0.0.0
LD all -- anywhere anywhere state INVALID
LD all -f anywhere anywhere limit: avg 10/min burst 5
ACCEPT tcp -- anywhere 192.168.0.0/24 tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere 192.168.0.0/24 tcp dpt:ftp
ACCEPT tcp -- anywhere 192.168.0.0/24 tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.0.0/24 tcp dpt:http
LD tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
LD udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
LD tcp -- anywhere anywhere tcp dpt:microsoft-ds
LD udp -- anywhere anywhere udp dpt:microsoft-ds
LD tcp -- anywhere anywhere tcp dpt:nfs
LD udp -- anywhere anywhere udp dpt:nfs
LD tcp -- anywhere anywhere tcp dpts:x11:6015
LD udp -- anywhere anywhere udp dpts:6000:6015
LD tcp -- anywhere anywhere tcp dpts:bootps:bootpc
LD udp -- anywhere anywhere udp dpts:bootps:bootpc
LD tcp -- anywhere anywhere tcp dpt:5000
LD udp -- anywhere anywhere udp dpt:5000
LD tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- anywhere anywhere tcp spt:ssh dpts:login:65535 flags:!SYN,RST,ACK/SYN state RELATED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:1023:65535 flags:!SYN,RST,ACK/SYN state RELATED
STATE tcp -- anywhere 192.168.0.0/24 tcp dpts:1024:65535
ACCEPT udp -- anywhere 192.168.0.0/24 udp dpts:1023:65535
LD all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
UNCLEAN all -- anywhere anywhere unclean
ACCEPT all -- anywhere anywhere
LD tcp -- 192.168.0.0/24 anywhere tcp dpt:31337 limit: avg 2/min burst 5
LD udp -- 192.168.0.0/24 anywhere udp dpt:31337 limit: avg 2/min burst 5
LD tcp -- 192.168.0.0/24 anywhere tcp dpt:33270 limit: avg 2/min burst 5
LD udp -- 192.168.0.0/24 anywhere udp dpt:33270 limit: avg 2/min burst 5
LD tcp -- 192.168.0.0/24 anywhere tcp dpt:1234 limit: avg 2/min burst 5
LD tcp -- 192.168.0.0/24 anywhere tcp dpt:6711 limit: avg 2/min burst 5
LD tcp -- 192.168.0.0/24 anywhere tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
LD tcp -- 192.168.0.0/24 anywhere tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
LD tcp -- 192.168.0.0/24 anywhere tcp dpts:12345:12346 limit: avg 2/min burst 5
LD udp -- 192.168.0.0/24 anywhere udp dpts:12345:12346 limit: avg 2/min burst 5
LD tcp -- 192.168.0.0/24 anywhere tcp dpt:135 limit: avg 2/min burst 5
LD udp -- 192.168.0.0/24 anywhere udp dpt:135 limit: avg 2/min burst 5
LD tcp -- 192.168.0.0/24 anywhere tcp dpt:ingreslock limit: avg 2/min burst 5
LD tcp -- 192.168.0.0/24 anywhere tcp dpt:27665 limit: avg 2/min burst 5
LD udp -- 192.168.0.0/24 anywhere udp dpt:27444 limit: avg 2/min burst 5
LD udp -- 192.168.0.0/24 anywhere udp dpt:31335 limit: avg 2/min burst 5
LD all -- BASE-ADDRESS.MCAST.NET/8 anywhere
LD all -- anywhere BASE-ADDRESS.MCAST.NET/8
LD all -- 255.255.255.255 anywhere
LD all -- anywhere 0.0.0.0
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
all -- anywhere anywhere TTL match TTL == 64
ACCEPT icmp -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere anywhere

Chain LD (137 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

Chain SANITY (0 references)
target prot opt source destination
LD all -- anywhere anywhere

Chain STATE (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LD all -- anywhere anywhere

Chain UNCLEAN (2 references)
target prot opt source destination
LD all -- anywhere anywhere

=====================================================

and an extract from 'run sh' on the router:
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.2 22 interface Dialer1 22
ip nat inside source static tcp 192.168.0.2 5901 interface Dialer1 5901
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
==============================================

Any ideas ? The part I understand the least is on the router port forwarding.

Thanks,

John
 
Old 12-11-2002, 03:59 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
You should see your -j LOG records in /var/log/messages by default...
tail -f /var/log/messages
and watch the output for packets that are dropped by your rules...
Add some -j LOG rules in the nat table PREROUTING chain to watch them arrive
If the packets aren't getting to your pc, go back to the next device and watch the logs there...

I'd also suggest you have a quick read of this iptables tutorial. Your rules can mostly be accommodated by a simple reverse path filter in the kernel and a simple flood rule.
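The log-watching diagnostic described in this reply, as an added example that is not from the thread: it assumes the nat PREROUTING LOG rule was added with `--log-prefix "PRE: "` and the LD chain's LOG rule with `--log-prefix "LD: "` (the LD chain in the post has no prefix), and the log lines are constructed samples, not the poster's real /var/log/messages.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages entries as the kernel writes them
# for -j LOG rules (assumed prefixes "PRE: " and "LD: "; see lead-in).
SAMPLE_LOG='Dec 10 12:01:03 server kernel: PRE: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.2 LEN=60 TTL=51 PROTO=TCP SPT=40022 DPT=22 WINDOW=5840 SYN URGP=0
Dec 10 12:01:03 server kernel: LD: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.2 LEN=60 TTL=51 PROTO=TCP SPT=40022 DPT=22 WINDOW=5840 SYN URGP=0
Dec 10 12:01:09 server kernel: PRE: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.2 LEN=60 TTL=51 PROTO=TCP SPT=40023 DPT=5901 WINDOW=5840 SYN URGP=0
Dec 10 12:01:20 server kernel: LD: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.0.2 LEN=40 TTL=48 PROTO=TCP SPT=1025 DPT=31337 WINDOW=512 SYN URGP=0
Dec 10 12:02:00 server kernel: PRE: IN=eth0 OUT= SRC=192.168.0.5 DST=192.168.0.2 LEN=60 TTL=64 PROTO=TCP SPT=33000 DPT=22 WINDOW=5840 SYN URGP=0'

# count_logged PREFIX PROTO PORT: number of logged packets (read from stdin)
# that carry the given log prefix, protocol and destination port.
count_logged() {
    awk -v pfx="$1" -v proto="$2" -v port="$3" '
        index($0, "kernel: " pfx) && $0 ~ ("PROTO=" proto " ") \
            && $0 ~ (" DPT=" port " ") { n++ }
        END { print n + 0 }'
}

# verdict PROTO PORT: what the logs say about inbound packets to PROTO/PORT.
#   not-arrived        nothing hit PREROUTING, so look at the router first
#   dropped-by-filter  the packet reached the box and an INPUT rule dropped it
#   accepted           the packet reached the box and was not logged as dropped
verdict() {
    arrived=$(printf '%s\n' "$SAMPLE_LOG" | count_logged "PRE: " "$1" "$2")
    dropped=$(printf '%s\n' "$SAMPLE_LOG" | count_logged "LD: " "$1" "$2")
    if [ "$arrived" -eq 0 ]; then
        echo "not-arrived"
    elif [ "$dropped" -gt 0 ]; then
        echo "dropped-by-filter"
    else
        echo "accepted"
    fi
}

# Check the two forwarded services from the router config, plus telnet.
verdict TCP 22
verdict TCP 5901
verdict TCP 23
```

On a live box, replace the embedded sample with `tail -f /var/log/messages` piped into `count_logged` while retrying the SSH connection from outside.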