Richard Esplin richard at
Mon Apr 20 13:38:23 MDT 2009

Goal: access my firewall externally using a non-standard ssh port, but keep 
the standard port internally. Additionally, this is a good chance to improve 
my understanding of iptables.

Network layout:
IFACE_EXT = Internet
IFACE_INT = Internal network

Current relevant rules:
# Open up these external ports: SSH=2022, HTTP=80, HTTPS=443, SMTP=25
${IPTABLES} -A INPUT -i ${IFACE_EXT} -d ${IPADDR_EXT} -p tcp -m multiport --destination-port 2022,25,80,443 -m state --state NEW -j ACCEPT
# Allow connections coming from inside
${IPTABLES} -A INPUT -m state --state NEW -i ! ${IFACE_EXT} -j ACCEPT

Current Attempts:
${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j REDIRECT --to 22

This works as long as I add port 22 to the above ACCEPT statement, but that 
would defeat the purpose.

${IPTABLES} -t nat -I PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j 

This looks to me like it should work, but the port still reports as being 

On both of these rules, I have also tried -I to account for previous rules 
handling the packets, and -m tcp because Google suggested it.

_Bonus Question_
When I first wrote this script a couple of years ago, I put this line in:
# Don't forward from the outside to the inside.

Looking at that line today, it doesn't make much sense. Does this do something 
I'm not aware of? Shouldn't I have written -o ${IFACE_INT}?

Thanks in advance,

Richard Esplin
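One way to accept the redirected connection without opening port 22 itself on the external interface, as an added example that is not part of the original post: the nat PREROUTING REDIRECT runs before filter INPUT, so INPUT sees dport 22, but the conntrack match can still test the port the client originally asked for (--ctorigdstport, assumed to be available in the iptables build in use). Interface names and the address are placeholders, and IPTABLES defaults to a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example, not the original poster's script. Redirect external 2022 to
# 22 and accept only connections that came through that redirect.
# IPTABLES defaults to "echo iptables" so the script is a dry run; set
# IPTABLES=iptables (as root) to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"
IFACE_EXT="${IFACE_EXT:-eth0}"             # assumed: Internet-facing interface
IPADDR_EXT="${IPADDR_EXT:-198.51.100.10}"  # assumed: documentation address
SSH_EXT_PORT=2022                          # port advertised on the Internet
SSH_INT_PORT=22                            # port sshd actually listens on

gen_rules() {
    # Keep replies to already-accepted connections flowing.
    ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 1. nat/PREROUTING runs BEFORE filter/INPUT, so by the time the packet
    #    reaches INPUT its destination port is already 22, not 2022.
    ${IPTABLES} -t nat -A PREROUTING -i "${IFACE_EXT}" -d "${IPADDR_EXT}" \
        -p tcp --dport "${SSH_EXT_PORT}" -j REDIRECT --to-ports "${SSH_INT_PORT}"

    # 2. Other external services; SSH is deliberately absent from this list.
    ${IPTABLES} -A INPUT -i "${IFACE_EXT}" -d "${IPADDR_EXT}" -p tcp \
        -m multiport --dports 25,80,443 -m state --state NEW -j ACCEPT

    # 3. Accept port 22 from outside ONLY when conntrack recorded that the
    #    client originally asked for 2022, i.e. it came through the REDIRECT.
    #    A client connecting straight to port 22 has ctorigdstport 22 and
    #    falls through to the DROP below.
    ${IPTABLES} -A INPUT -i "${IFACE_EXT}" -d "${IPADDR_EXT}" -p tcp \
        --dport "${SSH_INT_PORT}" -m conntrack --ctstate NEW \
        --ctorigdstport "${SSH_EXT_PORT}" -j ACCEPT

    # 4. Internal hosts keep using port 22 directly.
    ${IPTABLES} -A INPUT ! -i "${IFACE_EXT}" -m state --state NEW -j ACCEPT

    # 5. Everything else arriving from outside is dropped.
    ${IPTABLES} -A INPUT -i "${IFACE_EXT}" -m state --state NEW -j DROP
}

# Sanity check on the generated set: returns 0 if no rule opens port 22
# without the original-destination-port condition.
check_no_bare_port22() {
    ! gen_rules | grep -v -- '--ctorigdstport' | grep -q -- '--dport 22 '
}

gen_rules
```

In dry-run mode the script prints the rule set; `check_no_bare_port22` is the test that port 22 is never accepted unconditionally on the external interface.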

