Redirect SSH on a single IP

Richard Esplin richard at esplins.org
Mon Apr 20 15:54:13 MDT 2009


Here is what I got to work:

# Open up these external ports: SSH=2022 (external ssh), HTTP=80, HTTPS=443, SMTP=25
${IPTABLES} -A INPUT -p tcp -i ${IFACE_EXT} -d ${IPADDR_EXT} -m multiport --dport 2022,25,80,443 -m state --state NEW -j ACCEPT
# Disallow SSH access on default port through external IP, redirect 2022 to default SSH
${IPTABLES} -t nat -A PREROUTING -p tcp -i ${IFACE_EXT} --dport 2022 -j DNAT --to ${IPADDR_INT}:22
${IPTABLES} -A INPUT -p tcp -i ${IFACE_EXT} -d ${IPADDR_INT} --dport 22 -j ACCEPT

I am comfortable that this is at least as secure as running SSH on an external 
port, but less prone to automated attack. However, I think that a dedicated 
attacker could spoof packets with the internal IP address to the external 
interface and still get access to SSH on port 22. I would have to use 
CONNMARK, as Nicholas Leippe suggested, to get around that (or use the dummy0 
interface).

I appreciate all of the suggestions. It was very educational. Now I'll go back 
to the really simple solution Steve Meyers originally suggested.

I also appreciate the instruction provided by Mr. McNabb and Mr. Burgener.

Thanks all,

Richard

On Monday 20 April 2009 14:46:30 Kenneth Burgener <kenneth at mail1.ttak.org> wrote:
> On 4/20/2009 1:38 PM, Richard Esplin wrote:
> > Current Attempts:
> > ${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j REDIRECT --to 22
> >
> > This works as long as I add port 22 to the above ACCEPT statement, but
> > that would defeat the purpose.
> >
> > ${IPTABLES} -t nat -I PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j DNAT --to ${IPADDR_INT}:22
> >
> > This looks to me like it should work, but the port still reports as being
> > closed.
>
> I think you are only missing the ACCEPT on the FORWARD table:
>
> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 9999 -j DNAT --to 10.10.10.3:22
> /sbin/iptables -A FORWARD -p tcp -i eth0 -d 10.10.10.3 --dport 22 -j ACCEPT
>
> This is what I have and it works.
>
> kenneth
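Worked example, added here and not taken from Richard's or Kenneth's rule sets: a complete script for the DNAT 2022 -> 22 setup with sshd on the firewall itself. It also handles the spoofing worry Richard raises, but with a different mechanism than the CONNMARK suggestion: the conntrack match's DNAT state, so that port 22 on the external interface only accepts connections that the firewall's own PREROUTING rule rewrote, and any packet arriving on the external interface with an internal source address, or addressed directly to the internal address without that DNAT state, is dropped. Interface name, addresses, network and the apply_rules function name are constructed placeholders for this example and can be overridden from the environment.

```sh
#!/bin/sh
# Added example for this thread, not Richard's or Kenneth's script.
# Interface name, addresses and network below are constructed placeholders
# (RFC 5737 / RFC 1918 ranges); override them in the environment.
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"
IFACE_EXT="${IFACE_EXT:-eth0}"
IPADDR_EXT="${IPADDR_EXT:-203.0.113.5}"    # public address on IFACE_EXT
IPADDR_INT="${IPADDR_INT:-192.168.1.1}"    # firewall's own LAN address, where sshd listens
NET_INT="${NET_INT:-192.168.1.0/24}"       # LAN behind the firewall
SSH_EXT_PORT="${SSH_EXT_PORT:-2022}"       # port offered to the outside

apply_rules() {
    # Anti-spoofing on the external interface: nothing arriving from the
    # outside may carry an internal source address, and nothing may be
    # addressed to the internal address unless our own DNAT rule rewrote it.
    $IPTABLES -A INPUT -i "$IFACE_EXT" -s "$NET_INT" -j DROP
    $IPTABLES -A INPUT -i "$IFACE_EXT" -d "$IPADDR_INT" -m conntrack ! --ctstate DNAT -j DROP

    # Return traffic for connections already accepted.
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Public services on the external address. Port 22 is deliberately absent,
    # and 2022 is not needed here either: by the time filter/INPUT sees the
    # SSH packet, nat/PREROUTING has already rewritten it to IPADDR_INT:22.
    $IPTABLES -A INPUT -p tcp -i "$IFACE_EXT" -d "$IPADDR_EXT" -m multiport --dports 25,80,443 -m conntrack --ctstate NEW -j ACCEPT

    # Rewrite external :2022 to the internal address :22 before routing.
    $IPTABLES -t nat -A PREROUTING -p tcp -i "$IFACE_EXT" -d "$IPADDR_EXT" --dport "$SSH_EXT_PORT" -j DNAT --to-destination "$IPADDR_INT:22"

    # Accept port 22 from outside only for connections the DNAT rule created.
    # A packet sent straight to IPADDR_INT:22 on IFACE_EXT has no DNAT state
    # and is caught by the second DROP above. If sshd ran on another LAN host
    # instead, this rule and the DROPs would go in FORWARD, as in Kenneth's rules.
    $IPTABLES -A INPUT -p tcp -i "$IFACE_EXT" -d "$IPADDR_INT" --dport 22 -m conntrack --ctstate DNAT -j ACCEPT
}

# Only touch the firewall when explicitly asked. Running the script as
# "IPTABLES=echo sh redirect-ssh.sh apply" prints the rules instead of loading them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Preview the generated rules with IPTABLES=echo before loading them for real, and keep a console session open when you do, since the anti-spoof DROP rules come before the ACCEPTs and a wrong IPADDR_INT or NET_INT value will lock you out of SSH.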




More information about the PLUG mailing list