So currently I am trying to port forward SSH traffic from my router on 10.0.0.x port 4000 to my internal web server with IP 192.168.0.30 on port 22. I SSH using the router IP and port 4000. I think that the problem is that the router believes that the SSH connection that should be forwarded is considered LOCAL, therefore it drops it because of the LOCAL rules. How does the router differentiate between what is LOCAL and what is IN? Also, is there a better way to SSH into a box underneath the firewall rather than port forwarding certain ports to each internal box?
--------------------------------------------------------------------------------
IPv4 Firewall "OUTSIDE-IN":
Active on (eth1,IN)
rule action proto packets bytes
---- ------ ----- ------- -----
10 accept all 15 1140
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 state RELATED,ESTABLISHED
400 accept tcp 0 0
condition - saddr 0.0.0.0/0 daddr 192.168.0.30 state NEW tcp dpt:4000
10000 drop all 8 512
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
--------------------------------------------------------------------------------
IPv4 Firewall "OUTSIDE-LOCAL":
Active on (eth1,LOCAL)
rule action proto packets bytes
---- ------ ----- ------- -----
10 accept all 999 107255
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 state RELATED,ESTABLISHED
20 accept icmp 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 state NEW icmptype 8
30 drop tcp 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 state NEW tcp dpt:22 RECENT seconds: 60 hit_count: 15 mask: 255.255.255.255
31 accept tcp 3 192
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 state NEW tcp dpt:22
10000 drop all 149 19625
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
----------------------------------------------------------------------------------------------------------
NAT Rules
----------------
rule intf translation
---- ---- -----------
400 eth1 daddr ANY to 192.168.0.30
proto-tcp dport 4000 to 22
Desc: Webserver SSH: 4000 to 22
410 eth1 daddr ANY to 192.168.0.15
proto-tcp dport 4010 to 22
Desc: DNS SSH: 4010 to 22
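An added model, not the router's own code, of the packet path behind the rule listing above: on an iptables-based router such as EdgeOS/Vyatta, destination NAT is applied before the firewall, and the packet is then sent to the LOCAL ruleset if its (translated) destination is one of the router's own addresses, or to the IN ruleset if it is being forwarded. The router's WAN address 10.0.0.1 and the client address 10.0.0.50 are assumptions; the rules are transcribed from the listing.

```python
# Added model (not the router's code): DNAT runs in PREROUTING before the
# firewall, so the IN and LOCAL rulesets see the translated address and port.
# Rules are transcribed from the listing; the router WAN address is assumed.
ROUTER_ADDRS = {"10.0.0.1"}          # assumption: the router's own eth1 address
DNAT = {4000: ("192.168.0.30", 22),  # NAT rule 400
        4010: ("192.168.0.15", 22)}  # NAT rule 410

def new_tcp(daddr=None, dport=None):
    """Matcher for 'state NEW tcp' with optional daddr/dport conditions."""
    return lambda p: (p["proto"] == "tcp" and p["state"] == "NEW"
                      and daddr in (None, p["daddr"]) and dport in (None, p["dport"]))

OUTSIDE_IN = [                       # packets forwarded through the router
    (10, "accept", lambda p: p["state"] in ("RELATED", "ESTABLISHED")),
    (400, "accept", new_tcp(daddr="192.168.0.30", dport=4000)),
    (10000, "drop", lambda p: True),
]
OUTSIDE_LOCAL = [                    # packets addressed to the router itself
    (10, "accept", lambda p: p["state"] in ("RELATED", "ESTABLISHED")),
    (20, "accept", lambda p: p["proto"] == "icmp" and p["state"] == "NEW"),
    # rule 30 ('recent' match) is handled in evaluate(), see ssh_hits
    (31, "accept", new_tcp(dport=22)),
    (10000, "drop", lambda p: True),
]
ssh_hits = {}   # rule 30 state: NEW SSH attempts per source (60 s expiry not modelled)

def apply_dnat(pkt):
    """PREROUTING: rewrite the destination if a NAT rule matches the original dport."""
    if pkt["proto"] == "tcp" and pkt["dport"] in DNAT:
        pkt["daddr"], pkt["dport"] = DNAT[pkt["dport"]]
    return pkt

def evaluate(pkt):
    """Return (ruleset, rule number, action) for a packet arriving on eth1."""
    pkt = apply_dnat(dict(pkt))                 # NAT first, then the routing decision
    if pkt["daddr"] in ROUTER_ADDRS:            # addressed to the router -> LOCAL
        if new_tcp(dport=22)(pkt):              # rule 30: drop a source at 15 recent hits
            ssh_hits[pkt["saddr"]] = ssh_hits.get(pkt["saddr"], 0) + 1
            if ssh_hits[pkt["saddr"]] >= 15:
                return ("OUTSIDE-LOCAL", 30, "drop")
        chain, rules = "OUTSIDE-LOCAL", OUTSIDE_LOCAL
    else:                                       # anything else is forwarded -> IN
        chain, rules = "OUTSIDE-IN", OUTSIDE_IN
    return next((chain, num, act) for num, act, match in rules if match(pkt))

if __name__ == "__main__":
    # Constructed packet: an SSH client hitting the WAN address on port 4000.
    print(evaluate({"saddr": "10.0.0.50", "daddr": "10.0.0.1", "proto": "tcp",
                    "dport": 4000, "state": "NEW"}))   # ('OUTSIDE-IN', 10000, 'drop')
```

Running it shows the NAT-rewritten SSH packet evaluated against OUTSIDE-IN with destination port 22, so a rule written for dpt:4000 cannot match it. The listing's own counters (0 packets on rule 400, 8 on the OUTSIDE-IN drop rule) are the values a practitioner would compare against this model.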