Redirect SSH on a single IP

Nicholas Leippe nick at
Mon Apr 20 15:20:00 MDT 2009

On Mon Apr 20 2009 14:33:56 Richard Esplin wrote:
> As for your suggestion on the main goal of redirecting 2022 on the EXT_IP
> to 22 on INT_IP, I haven't been able to get it to work.
> Here is what I tried:
> ${IPTABLES} -A FORWARD -i ${IFACE_EXT} -p tcp --dport 22 -j ACCEPT
> ${IPTABLES} -t nat -A PREROUTING  -i ${IFACE_EXT} -p tcp --dport 22 -j DROP
> ${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j
> REDIRECT --to 22
> Complains that DROP on the NAT table is deprecated. Even ignoring the
> warning, I can't connect. PREROUTING appears to be a NAT specific chain, as
> I couldn't use it on the default table.
> I also tried replacing the second line with:
> ${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp --dport 22 -j DROP

This will definitely not work. If you find a chart of the iptables data flow, 
you'll see that the nat table is applied outside of the filtering. DNAT is 
done in PREROUTING before the filtering sees it, and SNAT is done in 
POSTROUTING after filtering filtered it. Thus, nat is completely transparent 
to the filtering--the filter rules see the packets with their *actual* 
endpoints--the source as sent by the sender and the destination as seen by the 

So, if you DNAT inbound ip:2022 to :22, then DROP all :22 traffic in your 
filter, you've just thrown away the ssh packets you just DNAT'd.

If you really want to redirect it, you just have to remember what the packets 
are going to look like when they reach the filter table. You could use a 
mangle table rule which uses CONNMARK to add a flag to connections that come 
in to port 2022, which you could use later in the filter to distinguish 
between packets coming directly to 22 or to 22 via your 2022->22 DNAT.

An alternative way to do this is to:

-filter all packets inbound to your external ip on port 22
-add an ip address to the dummy0 interface (and make ssh listen on this also)
-DNAT packets coming in on external ip to 2022 to the dummy0 ip address:22

However, I think Steve's suggestion of just listening on both ports and 
blocking external port 22 is even simpler, and best for most cases. It has the 
added benefit of fewer moving parts--if you mess up your configuration the 
worst that will happen is your port 22 is open and you can ssh in and fix it. 
Whereas in the above, a misconfiguration can leave you w/o any remote access.
