Redirect SSH on a single IP
Richard Esplin
richard at esplins.org
Mon Apr 20 13:38:23 MDT 2009
Goal: access my firewall externally using a non-standard ssh port, but keep
the standard port internally. Additionally, this is a good chance to improve
my understanding of iptables.
Network layout:
IFACE_EXT = Internet
IFACE_INT = Internal network
IFACE_WIFI = Internal WIFI
Current relevant rules:
# Open up these external ports: SSH=2022, HTTP=80, HTTPS=443, SMTP=25
${IPTABLES} -A INPUT -i ${IFACE_EXT} -d ${IPADDR_EXT} -p tcp -m
multiport --destination-port 2020,25,80,443 -m state --state NEW -j ACCEPT
# Allow connections coming from inside
${IPTABLES} -A INPUT -m state --state NEW -i ! ${IFACE_EXT} -j ACCEPT
Current Attempts:
${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j
REDIRECT --to 22
This works as long as I add port 22 to the above ACCEPT statement, but that
would defeat the purpose.
${IPTABLES} -t nat -I PREROUTING -i {IFACE_EXT} -p tcp --dport 2022 -j
DNAT --to ${IPADDRE_INT}:22
This looks to me like it should work, but the port still reports as being
closed.
On both of these rules, I have also tried -I to account for previous rules
handling the packets, and -m tcp because Google suggested it.
_Bonus Question_
When I first wrote this script a couple of years ago, I put this line in:
# Don't forward from the outside to the inside.
${IPTABLES} -A FORWARD -i ${IFACE_EXT} -o ${IFACE_EXT} -j REJECT
Looking at that line today, it doesn't make much sense. Does this do something
I'm not aware of? Shouldn't I have written -o ${IFACE_INT}?
Thanks in advance,
Richard Esplin
More information about the PLUG
mailing list