Need assistance in adding an iptables command to allow port 22 from the internet to an internal LAN server (not the ClearOS server). Other port forwarding rules are working, e.g. 8081, etc.
Responses (6)
iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set f2b-sshd src reject-with icmp-port-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
43894 3447K DNSthingyBP all -- * * 0.0.0.0/0 172.27.27.27
0 0 DROP all -- * * 129.232.191.147 0.0.0.0/0
0 0 DROP all -- * * 95.141.115.108 0.0.0.0/0
0 0 DROP all -- * * 185.165.29.78 0.0.0.0/0
0 0 DROP all -- * * 84.200.16.242 0.0.0.0/0
0 0 DROP all -- * * 111.90.139.247 0.0.0.0/0
1552 68273 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
323 26648 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP all -- ens32 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- ens32.1041 * 127.0.0.0/8 0.0.0.0/0
140K 16M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
57077 10M ACCEPT all -- ens33 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- ens32 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
0 0 ACCEPT icmp -- ens32 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- ens32 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- ens32 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT udp -- ens32 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- ens32 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
4785 139K ACCEPT icmp -- ens32.1041 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
0 0 ACCEPT icmp -- ens32.1041 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- ens32.1041 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- ens32.1041 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
1 393 ACCEPT udp -- ens32.1041 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- ens32.1041 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:81
0 0 ACCEPT 47 -- * * 0.0.0.0/0 10.0.0.3
2 104 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:1723
0 0 ACCEPT udp -- ens32 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ens32 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
13531 1730K ACCEPT udp -- ens32.1041 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
24292 35M ACCEPT tcp -- ens32.1041 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
24 1248 DROP all -- * * 129.232.191.147 0.0.0.0/0
0 0 DROP all -- * * 95.141.115.108 0.0.0.0/0
0 0 DROP all -- * * 185.165.29.78 0.0.0.0/0
0 0 DROP all -- * * 84.200.16.242 0.0.0.0/0
0 0 DROP all -- * * 111.90.139.247 0.0.0.0/0
26741 2451K ACCEPT tcp -- * ens33 0.0.0.0/0 192.168.19.250 tcp dpt:1883
0 0 ACCEPT udp -- * ens33 0.0.0.0/0 192.168.19.250 udp dpt:1883
696 41248 ACCEPT tcp -- * ens33 0.0.0.0/0 192.168.19.250 tcp dpt:22
373K 45M ACCEPT tcp -- * ens33 0.0.0.0/0 192.168.19.250 tcp dpt:443
1 44 ACCEPT tcp -- * ens33 0.0.0.0/0 192.168.19.250 tcp dpt:5984
241 14780 ACCEPT tcp -- * ens33 0.0.0.0/0 192.168.19.250 tcp dpt:80
6 264 ACCEPT tcp -- * ens33 0.0.0.0/0 192.168.19.250 tcp dpt:8081
2 88 ACCEPT tcp -- * ens33 0.0.0.0/0 192.168.19.250 tcp dpt:8082
3 132 ACCEPT tcp -- * ens33 0.0.0.0/0 192.168.19.250 tcp dpt:8090
2607K 3172M DNSthingyEST all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
41143 4492K DNSthingyIPE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ens33 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
0 0 DROP all -- * * 0.0.0.0/0 129.232.191.147
0 0 DROP all -- * * 0.0.0.0/0 95.141.115.108
0 0 DROP all -- * * 0.0.0.0/0 185.165.29.78
0 0 DROP all -- * * 0.0.0.0/0 84.200.16.242
0 0 DROP all -- * * 0.0.0.0/0 111.90.139.247
140K 16M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
101K 34M ACCEPT all -- * ens33 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * ens32 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * ens32 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * ens32 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
4908 152K ACCEPT icmp -- * ens32.1041 0.0.0.0/0 0.0.0.0/0
1 328 ACCEPT udp -- * ens32.1041 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * ens32.1041 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
0 0 ACCEPT tcp -- * ens32.1041 10.0.0.3 0.0.0.0/0 tcp spt:81
0 0 ACCEPT 47 -- * ens32.1041 10.0.0.3 0.0.0.0/0
2 80 ACCEPT tcp -- * ens32.1041 10.0.0.3 0.0.0.0/0 tcp spt:1723
0 0 ACCEPT all -- * ens32 0.0.0.0/0 0.0.0.0/0
36115 4796K ACCEPT all -- * ens32.1041 0.0.0.0/0 0.0.0.0/0
Chain DNSthingyBP (1 references)
pkts bytes target prot opt in out source destination
22093 2051K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,6373
21792 1395K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 reject-with tcp-reset
2 128 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
7 532 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain DNSthingyEST (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 216.239.38.21
0 0 DNSthingyREJECT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set dt_wa4 src
2607K 3172M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DNSthingyIPE (1 references)
pkts bytes target prot opt in out source destination
41143 4492K NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Chain DNSthingyREJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DROP-lan (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
and
iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 99940 packets, 8226K bytes)
pkts bytes target prot opt in out source destination
120K 9512K DNSthingy all -- * * 0.0.0.0/0 0.0.0.0/0
2279 146K DNAT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:1883 to:192.168.19.250:1883
0 0 DNAT udp -- * * 0.0.0.0/0 10.0.0.3 udp dpt:1883 to:192.168.19.250:1883
254 14788 DNAT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:22 to:192.168.19.250:22
12541 799K DNAT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:443 to:192.168.19.250:443
1 44 DNAT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:5984 to:192.168.19.250:5984
66 3300 DNAT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:80 to:192.168.19.250:80
6 264 DNAT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:8081 to:192.168.19.250:8081
2 88 DNAT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:8082 to:192.168.19.250:8082
3 132 DNAT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:8090 to:192.168.19.250:8090
Chain INPUT (policy ACCEPT 34399 packets, 2292K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 52400 packets, 4175K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 83714 packets, 5440K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 SNAT tcp -- * * 192.168.16.0/22 192.168.19.250 tcp dpt:1883 to:192.168.19.249
0 0 SNAT udp -- * * 192.168.16.0/22 192.168.19.250 udp dpt:1883 to:192.168.19.249
0 0 SNAT tcp -- * * 192.168.16.0/22 192.168.19.250 tcp dpt:22 to:192.168.19.249
0 0 SNAT tcp -- * * 192.168.16.0/22 192.168.19.250 tcp dpt:443 to:192.168.19.249
0 0 SNAT tcp -- * * 192.168.16.0/22 192.168.19.250 tcp dpt:5984 to:192.168.19.249
0 0 SNAT tcp -- * * 192.168.16.0/22 192.168.19.250 tcp dpt:80 to:192.168.19.249
0 0 SNAT tcp -- * * 192.168.16.0/22 192.168.19.250 tcp dpt:8081 to:192.168.19.249
0 0 SNAT tcp -- * * 192.168.16.0/22 192.168.19.250 tcp dpt:8082 to:192.168.19.249
0 0 SNAT tcp -- * * 192.168.16.0/22 192.168.19.250 tcp dpt:8090 to:192.168.19.249
47299 4677K MASQUERADE all -- * ens32.1041 0.0.0.0/0 0.0.0.0/0
Chain DNSthingy (1 references)
pkts bytes target prot opt in out source destination
1113 73482 DNAT udp -- ens33 * 0.0.0.0/0 !192.168.19.249 udp dpt:53 to:192.168.19.249:53
0 0 DNAT tcp -- ens33 * 0.0.0.0/0 !192.168.19.249 tcp dpt:53 to:192.168.19.249:53
3892 249K DNAT tcp -- * * 0.0.0.0/0 172.27.27.27 tcp dpt:80 to:172.27.27.27:6373
Thank you Nick, that is the exact problem I am having. I cannot get 2222 or 22 to work but have 6 other port forward rules working fine. I suspect something has gone wrong with the firewall rules.
May I ask your guidance in terms of me sending my firewall rule config to you, if you could indicate what commands I should run for this information?
Make sure the Incoming firewall in ClearOS does not also open the port. If you have an external firewall, make sure it is not listening on port 22 as well. Note the ClearOS port forwarding also supports changing the port when forwarding, so you can forward external 2222 to internal 22 if you want.
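An added check (not from this thread and not ClearOS's own tooling) that reads saved `iptables -nvL` / `iptables -nvL -t nat` output and reports, for one external TCP port, whether the PREROUTING DNAT exists, whether FORWARD accepts the internal port the DNAT rewrites to (so a 2222-to-22 forward is checked as 22), and whether an INPUT ACCEPT on the same port overlaps it, which is the "Incoming firewall also opens the port" case above. The dumps are constructed excerpts of the ruleset posted in this thread; the dpt:2222 and dpt:9000 rules are invented to exercise the failure cases.

```shell
#!/bin/sh
# Constructed excerpts of the `iptables -nvL` / `iptables -nvL -t nat` output posted
# above; on a live box use FILTER_DUMP=$(iptables -nvL) NAT_DUMP=$(iptables -nvL -t nat).
# The dpt:2222 and dpt:9000 rules are invented here to exercise the failure cases.
FILTER_DUMP='Chain INPUT (policy DROP 0 packets, 0 bytes)
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:81
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:2222
Chain FORWARD (policy DROP 0 packets, 0 bytes)
696 41248 ACCEPT tcp -- * ens33 0.0.0.0/0 192.168.19.250 tcp dpt:22
6 264 ACCEPT tcp -- * ens33 0.0.0.0/0 192.168.19.250 tcp dpt:8081
Chain OUTPUT (policy DROP 0 packets, 0 bytes)'
NAT_DUMP='Chain PREROUTING (policy ACCEPT 99940 packets, 8226K bytes)
254 14788 DNAT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:22 to:192.168.19.250:22
6 264 DNAT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:8081 to:192.168.19.250:8081
0 0 DNAT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:2222 to:192.168.19.250:22
0 0 DNAT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:9000 to:192.168.19.250:9000
Chain POSTROUTING (policy ACCEPT 83714 packets, 5440K bytes)'

# chain_rules DUMP CHAIN: print only CHAIN's rules, whitespace collapsed
chain_rules() {
  printf '%s\n' "$1" | awk -v c="$2" '
    /^Chain / { on = ($2 == c); next }
    on && NF > 0 { $1 = $1; print }'
}

# audit_forward EXTPORT -> OK | NO_DNAT | NO_FORWARD | INPUT_CONFLICT
# A forward needs a PREROUTING DNAT on the external port plus a FORWARD ACCEPT on
# the *internal* port the DNAT rewrites to (2222 -> 22 must be allowed as 22);
# an INPUT ACCEPT on the same external port is the ClearOS "Incoming" overlap.
audit_forward() {
  port=$1
  rule=$(chain_rules "$NAT_DUMP" PREROUTING | grep "DNAT tcp .* tcp dpt:$port to:" | head -n 1)
  if [ -z "$rule" ]; then echo NO_DNAT; return 0; fi
  target=${rule##* to:}                      # e.g. 192.168.19.250:22
  tip=${target%:*}; tport=${target##*:}
  if ! chain_rules "$FILTER_DUMP" FORWARD |
       grep -Eq "ACCEPT tcp .* ($tip|0\.0\.0\.0/0) tcp dpt:$tport\$"; then
    echo NO_FORWARD; return 0
  fi
  if chain_rules "$FILTER_DUMP" INPUT | grep -q "ACCEPT tcp .* tcp dpt:$port\$"; then
    echo INPUT_CONFLICT; return 0
  fi
  echo OK
}

for p in 22 8081 2222 9000 81; do
  printf 'port %s: %s\n' "$p" "$(audit_forward "$p")"
done
```

Port 81 reports NO_DNAT because the INPUT rule for it belongs to a service on the ClearOS box itself, not a forward; a result other than OK for 22 would point at the missing rule the accepted answer asks you to check.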