Redirect SSH on a single IP

Richard Esplin richard at esplins.org
Mon Apr 20 14:33:56 MDT 2009


Thank you Andrew for your answer to the bonus question. I do have a default 
DROP rule and explicitly open up IFACE_EXT to IFACE_INT elsewhere in my 
script. I probably added the two types of rules at different times.

As for your suggestion on the main goal of redirecting 2022 on the EXT_IP to 
22 on INT_IP, I haven't been able to get it to work.

Here is what I tried:
${IPTABLES} -A FORWARD -i ${IFACE_EXT} -p tcp --dport 22 -j ACCEPT
${IPTABLES} -t nat -A PREROUTING  -i ${IFACE_EXT} -p tcp --dport 22 -j DROP
${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j 
REDIRECT --to 22

Complains that DROP on the NAT table is deprecated. Even ignoring the warning, 
I can't connect. PREROUTING appears to be a NAT specific chain, as I couldn't 
use it on the default table.

I also tried replacing the second line with:
${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp --dport 22 -j DROP

But still couldn't connect on 2022.

Any other ideas?

Richard

On Monday 20 April 2009 13:48:32 Andrew McNabb <amcnabb at mcnabbs.org> wrote:
> On Mon, Apr 20, 2009 at 01:38:23PM -0600, Richard Esplin wrote:
> > Current relevant rules:
> > # Open up these external ports: SSH=2022, HTTP=80, HTTPS=443, SMTP=25
> > ${IPTABLES} -A INPUT -i ${IFACE_EXT} -d ${IPADDR_EXT} -p tcp -m
> > multiport --destination-port 2020,25,80,443 -m state --state NEW -j
> > ACCEPT # Allow connections coming from inside
> > ${IPTABLES} -A INPUT -m state --state NEW -i ! ${IFACE_EXT} -j ACCEPT
> >
> > Current Attempts:
> > ${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j
> > REDIRECT --to 22
> >
> > This works as long as I add port 22 to the above ACCEPT statement, but
> > that would defeat the purpose.
>
> I think the problem is that nat is changing the destination port before
> it ever looks at the forwarding rules.  Could you add a forwarding rule
> that allows port 22 to be forwarded and then add a prerouting rule to
> block port 22?  I think this would work, but there might be a better
> way.
>
> > _Bonus Question_
> > When I first wrote this script a couple of years ago, I put this line in:
> > # Don't forward from the outside to the inside.
> > ${IPTABLES} -A FORWARD -i ${IFACE_EXT} -o ${IFACE_EXT} -j REJECT
> >
> > Looking at that line today, it doesn't make much sense. Does this do
> > something I'm not aware of? Shouldn't I have written -o ${IFACE_INT}?
>
> It's just trying to make it so external traffic can't somehow hop
> through your router.  I would prefer to make a default REJECT rule and
> specifically open up forwarding from IFACE_EXT to IFACE_INT, but it's
> the same idea.




More information about the PLUG mailing list