I'm trying to forward port 23 (telnet) on my firewall to 22 (ssh) on my
workstation.  Getting around some outbound traffic filtering issues.

However, when I attempt to connect to this interface, I'm getting
"connection refused".

The boxen in question are firewall: OpenBSD running ipf (firewall) and ipnat
(masquerade/NAT), and workstation:  Debian, no filters or masq.

I'm trying to figure out where the stoppage is occurring; it's a bit hard
to work that out.  I'd appreciate any suggestions in troubleshooting the
problem.  I *think* I've configured my forwarding and filtering rules to
let this happen, but it seems it's not.  I'm suspecting tcpwrappers on
the GNU/Linux side, but can't work out whether or why that would be
happening.  No logs on either the firewall or the GNU/Linux box appear
to be updating as the refusals appear (I'm trying to connect _from_ the
workstation _to_ the external network IP of the firewall right now).

OpenBSD ipf.rules
Line 89 should open up telnet for forwarding.
------------------------------------------------------------------------
     1  ############################################################
     2  # Firewalling rules
     3  ############################################################
     4  
     5  # Default policies
     6  block in log all
     7  pass out all
     8  
     9  # Pass internal traffic
    10  pass in quick on lo0 all
    11  pass in on dc0 all
    12  
    13  
    14  # Don't allow spoofing of internal addresses:
    15  
    16  # ...unroutables
    17  block in log quick on tun0 from 0.0.0.0/32 to any
    18  block in log quick on tun0 from 255.255.255.255/32 to any
    19  block in log quick on tun0 from 127.0.0.0/8 to any
    20  
    21  block in log quick on tun0 from any to 0.0.0.0/32
    22  block in log quick on tun0 from any to 255.255.255.255/32
    23  block in log quick on tun0 from any to 127.0.0.0/8
    24  
    25  # ...internal networks
    26  block in log quick on tun0 from 10.0.0.0/8 to any
    27  block in log quick on tun0 from 172.16.0.0/12 to any
    28  block in log quick on tun0 from 192.168.0.0/16 to any
    29  
    30  
    31  # drop itsy bitsy frags
    32  block in log quick proto tcp all with short
    33  
    34  
    35  # drop packets with options (especially if they're under water)
    36  block in log quick all with opt lsrr
    37  block in log quick all with opt ssrr
    38  
    39  
    40  # allow certain classes of ICMP
    41  pass in quick on tun0 proto icmp all icmp-type 0
    42  pass in quick on tun0 proto icmp all icmp-type 3
    43  # ...Jury's out on icmp-type 8.
    44  # pass in quick on tun0 proto icmp all icmp-type 8
    45  pass in quick on tun0 proto icmp all icmp-type 11
    46  
    47  
    48  # DNS -- nameservers
    49  pass in quick on tun0 proto tcp/udp from 206.214.98.33 port = 53 to any 
    50  pass in quick on tun0 proto tcp/udp from 206.214.98.34 port = 53 to any 
    51  
    52  
    53  
    54  # prevent outside machines from initiating TCP connections to machines
    55  # within our network
    56  block in  log on tun0 proto tcp all flags S/SA
    57  block out log on tun0 proto tcp all flags SA/SA
    58  
    59  # allow inbound ssh and mail connections
    60  pass in quick on tun0 proto tcp from any to any port = 22 flags S/SA keep state
    61  pass in quick on tun0 proto tcp from any to any port = 25 flags S/SA keep state
    62  
    63  pass in quick on dc0 proto tcp from any to any port = 22 flags S/SA keep state
    64  pass in quick on dc0 proto tcp from any to any port = 25 flags S/SA keep state
    65  
    66  
    67  # allow return packets from connection we initiated
    68  pass out on tun0 proto tcp all keep state
    69  pass out on dc0 proto tcp all keep state
    70  
    71  # REJECT auth connections for fast SMTP handshake
    72  block return-rst in quick on tun0 proto tcp from any to any port = 113
    73  
    74  
    75  #########################################################################
    76  # Additional lock-down rules
    77  
    78  # OK, ppp connection
    79  block in on tun0 proto tcp from any to any port 0 >< 1024
    80  
    81  # daytime, time, finger, sunrpc, and squid
    82  pass in on tun0 proto tcp from any to any port = 22     # ssh
    83  pass in on tun0 proto tcp from any to any port = 25     # SMPT
    84  pass in on tun0 proto tcp from any to any port = 80     # http
    85  pass in on tun0 proto tcp from any to any port = 443    # https
    86  
    87  # ...and, whilst in Oz, 23, to forward to navel:22.
    88  # KMSelf Wed Feb  7 01:38:06 PST 2001
    89  pass in on tun0 proto tcp from any to any port = 23     # telnet
    90  
    91  block in on tun0 proto tcp from any to any port = 3128  # squid
    92  
    93  # If you want to run mail (SMTP) services, uncomment:
    94  # pass in on ppp0 proto tcp from any to any port = 25
    95  # block in quick on ppp0 proto tcp from any to any port = 113
    96  
    97  # Block:  X / VNC / NFS / SMB
    98  block in quick on tun0 proto tcp from any to any port 5999 >< 6065 # X
    99  block in quick on tun0 proto tcp from any to any port 5899 >< 5911 # VNC
   100  block in quick on tun0 proto tcp from any to any port = 2049       # NFS
   101  block in quick on tun0 proto tcp from any to any port 136 >< 140   # SMB
------------------------------------------------------------------------

OpenBSD ipnat.rules
Line 11 should be forwarding telnet to ssh.
------------------------------------------------------------------------
     1  # $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
     2  #
     3  # See /usr/share/ipf/nat.1 for examples.
     4  # edit the ipnat= line in /etc/rc.conf to enable Network Address Translation
     5  
     6  # Forward incoming ssh and http to navel
     7  rdr tun0 0/0 port 22 -> 192.168.0.32 port 22 
     8  rdr tun0 0/0 port 80 -> 192.168.0.32 port 80 
     9  
    10  # ...and, whilst in Oz, 23 to navel:22
    11  rdr tun0 0/0 port 23 -> 192.168.0.32 port 22 
    12  
    13  # Gnapster
    14  rdr tun0 0/0 port 6699 -> 192.168.0.32 port 6699 
    15  
    16  # Transparent web cache
    17  map dc0 192.168.0.1/32 -> 0/32 # FW -> world
    18  rdr dc0 0.0.0.0/0 port 80 -> 192.168.0.1 port 8080   # clients -> proxy
    19  
    20  # Dynamic PPP mapping - "ipf -y" must be run with each new connection.
    21  map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:65000
    22  map tun0 192.168.0.0/24 -> 0/32                         # ICMP, etc.
    23  
    24  # uncomment for SMTP forwarding 
    25  # rdr tun0 <somehost>/32 port 25 -> 192.168.0.32/32 port 25
------------------------------------------------------------------------

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org

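Added example, not part of the original post: a small Python model of the inbound order IPFilter applies (ipnat rdr first, then the ipf filter, where the last matching rule wins unless it is "quick"), loaded with a subset of the rules quoted above, so the path a SYN to port 23 takes on tun0 can be compared with the same SYN arriving on dc0. The rule subset, the packet fields modelled, and the "firewall" label for untranslated traffic are this model's own assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    iface: str        # interface the packet arrives on
    dport: int        # destination TCP port
    syn: bool = True  # a connection-opening SYN, i.e. ipf "flags S/SA"

# rdr rules taken from the posted ipnat.rules: (iface, ext port) -> (host, port)
RDR = {("tun0", 22): ("192.168.0.32", 22),
       ("tun0", 80): ("192.168.0.32", 80),
       ("tun0", 23): ("192.168.0.32", 22)}   # ipnat.rules line 11

# A subset of the posted ipf.rules, in file order:
# (action, quick, iface, dport, syn_only); None means "any".
FILTER = [
    ("block", False, None,   None, False),  # block in log all
    ("pass",  True,  "lo0",  None, False),  # pass in quick on lo0 all
    ("pass",  False, "dc0",  None, False),  # pass in on dc0 all
    ("block", False, "tun0", None, True),   # line 56: block inbound SYNs
    ("pass",  True,  "tun0", 22,   True),   # line 60
    ("pass",  True,  "tun0", 25,   True),   # line 61
    ("pass",  False, "tun0", 22,   False),  # line 82
    ("pass",  False, "tun0", 23,   False),  # line 89
]

def translate(p):
    """Apply rdr.  Untranslated packets go to the firewall host itself
    (the label "firewall" is this model's own, not an ipf term)."""
    return RDR.get((p.iface, p.dport), ("firewall", p.dport))

def filter_verdict(p):
    """ipf semantics: the last matching rule wins unless it is 'quick'."""
    verdict = "block"
    for action, quick, iface, dport, syn_only in FILTER:
        if iface is not None and iface != p.iface:
            continue
        if dport is not None and dport != p.dport:
            continue
        if syn_only and not p.syn:
            continue
        verdict = action
        if quick:
            break
    return verdict

def inbound(p):
    """Inbound order: NAT first, so the filter sees the translated port."""
    host, port = translate(p)
    return host, port, filter_verdict(Pkt(p.iface, port, p.syn))
```

A SYN on tun0 to port 23 is rewritten to 192.168.0.32:22 before the filter runs and is then passed by the line-60 rule, so the filter never has to match port 23 for the forwarded traffic; the same SYN arriving on dc0 matches no rdr rule (all of them are bound to tun0) and is delivered to the firewall host itself.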