[PLUG] Linux firewall, ssh, and NAT question

Matt Alexander m at pdxlug.org
Fri Jul 11 17:58:02 UTC 2003


Steven A. Adams said:
> On Fri, 2003-07-11 at 14:32, Terry Griffin wrote:
>> On Fri, Jul 11, 2003 at 01:33:37PM -0700, Matt Alexander wrote:
>> > >>If I have a Linux firewall (iptables) doing NAT, does that mean I can't
>> > >>ssh directly to it from the outside?  Do I have to port-forward ssh to
>> > >>another machine and then ssh into the firewall using the internal
>> > >>interface?
>> > >>
>> > >
>> > > You may need rules to allow ssh to your external interface and it's
>> > > important to realize that ssh itself does its own blocking apart
>> > > from what iptables does at the packet level.  Ssh needs to be
>> > > configured to allow connections from the outside.
>> >
>> > Hmm...  Well, I'm using Arno's IPTables Firewall Script:
>> > http://freshmeat.net/projects/iptables-firewall/?topic_id=151
>> >
>> > I modified the config file to allow connections to port 22/tcp|udp, but I
>> > still can't SSH in.  So I thought that maybe having NAT enabled would make
>> > connections directly to the box impossible from the outside...  any NAT
>> > experts out there?
>> >
>>
>> No, NAT shouldn't interfere with SSH'ing to the box that's doing the
>> NATing, but there could be some other iptables settings that are
>> interfering with SSH. You should be able to track this down by adding
>> some iptables logging rules just prior to the equivalent deny rules.
>>
>> Terry
>
> You can also look at the /etc/ssh/sshd.conf ListenAddress entry. If it's
> not commented out it should be 0.0.0.0 (all networks). If you're going to
> do this on a firewall I would recommend that you not allow interactive
> authentication but instead stick to key based ssh2.

I figured it out...  Arno's IPTables script was blocking access to the
external interface from private IP ranges.  This was a firewall behind
another firewall and I had the external using 192.168.x.x and the internal
using 172.16.x.x.
Thanks to everyone that offered their help.
~M
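Matt's finding and Terry's logging suggestion, as an added shell example that is not from Arno's script or from anyone in the thread: it prints an iptables rule set rather than applying it, so it can be inspected first. The interface name (EXT_IF), the upstream network allowed to ssh in (ADMIN_NET) and the chain name EXT_IN are assumptions.

```shell
#!/bin/sh
# Added example (not Arno's script): generate rules for a firewall whose
# "external" side sits on a private range behind another firewall.
EXT_IF="${EXT_IF:-eth0}"                   # assumed external interface
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # assumed upstream net allowed to ssh

# Per RFC1918 block: LOG first, DROP second. LOG is non-terminating, so the
# DROP directly after it is what actually blocks; the log line is what shows
# you which rule ate the packet (Terry's debugging hint).
log_and_drop_private() {
    net="$1"
    printf 'iptables -A EXT_IN -i %s -s %s -j LOG --log-prefix "PRIV-SRC-DROP: " --log-level 4\n' "$EXT_IF" "$net"
    printf 'iptables -A EXT_IN -i %s -s %s -j DROP\n' "$EXT_IF" "$net"
}

emit_rules() {
    echo 'iptables -N EXT_IN'
    echo "iptables -A INPUT -i $EXT_IF -j EXT_IN"
    echo 'iptables -A EXT_IN -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # The exception must come BEFORE the generic private-source drop: the
    # outer firewall hands this box a 192.168.x.x address, so ssh from that
    # range is legitimate here. Narrow it to one source net and port 22 only.
    echo "iptables -A EXT_IN -i $EXT_IF -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # Anti-spoofing drops for every RFC1918 block (what Arno's script does by
    # default, and what blocked Matt's ssh).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        log_and_drop_private "$net"
    done
    echo 'iptables -A EXT_IN -j DROP'
}

# Helper: 1-based position of the first generated rule matching a pattern,
# used to check rule ordering before applying anything.
rule_line() {
    emit_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}
```

Apply with `emit_rules | sh` only after checking `emit_rules` output; `rule_line 'dport 22'` must be smaller than `rule_line '192.168.0.0/16 -j DROP'` or the accept never matches.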