Redirect SSH on a single IP

Andrew McNabb amcnabb at mcnabbs.org
Mon Apr 20 13:48:32 MDT 2009


On Mon, Apr 20, 2009 at 01:38:23PM -0600, Richard Esplin wrote:
> 
> Current relevant rules:
> # Open up these external ports: SSH=2022, HTTP=80, HTTPS=443, SMTP=25
> ${IPTABLES} -A INPUT -i ${IFACE_EXT} -d ${IPADDR_EXT} -p tcp -m 
> multiport --destination-port 2020,25,80,443 -m state --state NEW -j ACCEPT
> # Allow connections coming from inside
> ${IPTABLES} -A INPUT -m state --state NEW -i ! ${IFACE_EXT} -j ACCEPT
> 
> Current Attempts:
> ${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j 
> REDIRECT --to 22
> 
> This works as long as I add port 22 to the above ACCEPT statement, but that 
> would defeat the purpose.

I think the problem is that nat is changing the destination port before
it ever looks at the forwarding rules.  Could you add a forwarding rule
that allows port 22 to be forwarded and then add a prerouting rule to
block port 22?  I think this would work, but there might be a better
way.


> _Bonus Question_
> When I first wrote this script a couple of years ago, I put this line in:
> # Don't forward from the outside to the inside.
> ${IPTABLES} -A FORWARD -i ${IFACE_EXT} -o ${IFACE_EXT} -j REJECT
> 
> Looking at that line today, it doesn't make much sense. Does this do something 
> I'm not aware of? Shouldn't I have written -o ${IFACE_INT}?

It's just trying to make it so external traffic can't somehow hop
through your router.  I would prefer to make a default REJECT rule and
specifically open up forwarding from IFACE_EXT to IFACE_INT, but it's
the same idea.

-- 
Andrew McNabb
http://www.mcnabbs.org/andrew/
PGP Fingerprint: 8A17 B57C 6879 1863 DE55  8012 AB4D 6098 8826 6868



More information about the PLUG mailing list