Allowing Remote SSH Through a NAT Firewall
You want to open up remote SSH administration to your LAN so you can log in remotely and access various random LAN hosts. You have the OpenSSH server running on the machines you want to remotely administer, but there is a problem-they use nonroutable private IPs, so they are all source NAT-ed to the firewall IP address.
The simplest method uses any of the SSH rules (except, of course, the LAN-only rule) without requiring any changes. SSH into your firewall, then SSH from there into whatever LAN hosts you need to get into. Your sessions will look like this example, which demonstrates logging from a remote host into the firewall named windbag, and then opening an SSH session from windbag to stinkpad:
carla@remotehost:~$ ssh windbag.foo.net firstname.lastname@example.org's password: Linux windbag 2.6.12-10-386 #1 Mon Sep 28 12:13:15 UTC 2007 i686 GNU/Linux Last login: Mon Aug 21 17:07:24 2007 from foo-29.isp.net carla@windbag:~$ ssh stinkpad carla@stinkpad's password: Last login: Mon Sep 21 17:08:50 2007 from windbag.foo.net [carla@stinkpad ~]$
Using this method avoids the problem of having to write additional iptables rules.
What if you have users who need remote SSH access to their PCs, and you deem them worthy enough to have it? To use the two-step SSH login, they will need user accounts on the firewall, which you may not want to allow. To avoid this, you can set up port forwarding directly to LAN hosts. For example, you have host1 at 192.168.1.21, and host2 at 192.168.1.22. Your remote users are at 126.96.36.199 and 188.8.131.52. You accept remote SSH logins only from those IP addresses:
# allow email@example.com to ssh directly to work PC $ipt -t nat -A PREROUTING -i $WAN_IFACE -s 184.108.40.206 --sport 1024:65535 \ -p tcp --dport 10001 -j DNAT--to-destination 192.168.1.21:22 $ipt -A FORWARD -p tcp -i $WAN_IFACE -o $LAN_IFACE -d 192.168.1.21 \ --dport 22 -j ACCEPT # allow firstname.lastname@example.org to ssh directly to work PC $ipt -t nat -A PREROUTING -i $WAN_IFACE -s 220.127.116.11 --sport \ 1024:65535 -p tcp --dport 10002 -j DNAT --to-destination 192.168.1.22:22 $ipt -A FORWARD -p tcp -i $WAN_IFACE -o $LAN_IFACE -d 192.168.1.22 \ --dport 22 -j ACCEPT
Then, your users simply need to specify the port number and the fully qualified domain name or IP address of the firewall to log in:
email@example.com:~$ ssh windbag.foo.net:10001
firstname.lastname@example.org:~$ ssh 18.104.22.168:10002
Handing out user accounts just for remote SSH access on your firewall is a bad idea. You should also configure the excellent access and authentication controls in OpenSSH to further batten the hatches, and consider using public-key authentication instead of system passwords. Your user's source IP addresses are specified in the rules because you do not want to leave LAN hosts open to the entire Internet, and you especially don't want them logging in from public machines in libraries or Internet cafes.
If your WAN IP address is dynamically assigned, then you're going to collect a lot of host keys because host keys are bound to IP addresses. So, every time the WAN address changes, you'll get a new host key. Dynamic WAN IPs cause all sorts of hassles if you want to do anything other than just have an Internet connection-running services and remote administration is a heck of a lot easier on a static WAN IP address.
In this tutorial:
- Building a Linux Firewall
- Iptables and NAT, SNAT, and DNAT
- Assembling a Linux Firewall Box
- Configuring Network Interface Cards on Debian
- Configuring Network Interface Cards on Fedora
- Identifying Which NIC Is Which
- Building an Internet-Connection Sharing Firewall on a Dynamic WAN IP Address
- Building an Internet-Connection Sharing Firewall on a Static WAN IP Address
- Displaying the Status of Your Firewall
- Turning an iptables Firewall Off
- Starting iptables at Boot, and Manually Bringing Your Firewall Up and Down
- Testing Your Firewall
- Configuring the Firewall for Remote SSH Administration
- Allowing Remote SSH Through a NAT Firewall
- Multiple SSH Host Keys Past NAT
- Running Public Services on Private IP Addresses
- Setting Up a Single-Host Firewall
- Setting Up a Server Firewall
- Configuring iptables Logging
- Writing Egress Rules