Iptables REDIRECT question

I'm trying to redirect packets arriving on a port (example: 33333) of my firewall to a local ssh server running on port 22, but I don't want port 22 open to the internet, only to the local network.
I have iptables version 1.4.1.1-2 running on a Fedora 10 laptop connected to the internet via device ppp0, shared with a local network.

This is my firewall script:
#-------------------
INTERNET="ppp0"
ifLOCAL="eth0"
LOCALNET="192.168.1.0/24"
IPT="/sbin/iptables"
MODPROBE="/sbin/modprobe"
ECHO="/bin/echo"
UNPORTS="1024:65535"

$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack_irc
$MODPROBE ip_nat_irc

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$ECHO "1" > /proc/sys/net/ipv4/ip_forward

$IPT -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -d $LOCALNET -j ACCEPT
$IPT -A INPUT -s $LOCALNET -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $ifLOCAL -o $INTERNET -s $LOCALNET -p all -m state --state NEW -j ACCEPT

$IPT -t nat -A PREROUTING -i $INTERNET -p tcp --dport 33333 -j REDIRECT --to-ports 22
#------------------------------------------------------------------------------------------

If I only redirect to port 22 it doesn't work.
But if I open port 22 in the INPUT chain adding this line:

$IPT -A INPUT -i $INTERNET -p tcp --dport 22 -m state --state NEW -j ACCEPT

It works.
The problem is that now I can access ssh server from the internet through port 33333 and 22 (which I do not want).
So, the only way I could solve the problem was to also redirect port 22 to another port which doesn't have any service associated with it.

$IPT -t nat -A PREROUTING -i $INTERNET -p tcp --dport 22 -j REDIRECT --to-ports 65500

This seems an ugly workaround...
Any ideas, or am I forgetting something?

DrCalmo asked:

Blaz commented:
OK. The problem is in the order in which iptables processes the packet:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#Figure_14-1_Iptables_Packet_Flow_Diagram
The INPUT chain does not know whether the (new) port 22 is the result of a redirection or of the original request. The solution is to get information about the original port before it is translated - so this must be done in the nat PREROUTING or mangle PREROUTING chain.

You could add the following rule:
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp --dport 22 -j DROP
or
$IPT -t mangle -A PREROUTING -i $INTERNET -p tcp --dport 22 -j DROP

An interesting alternative would also be to mark the packet depending on original source port and filter it in INPUT chain:
$IPT -t mangle -A PREROUTING -i $INTERNET -p tcp --dport 22 -j MARK --set-mark 22
$IPT -t mangle -A PREROUTING -i $INTERNET -p tcp --dport 33333 -j MARK --set-mark 3333
$IPT -A INPUT -i $INTERNET -p tcp --dport 22 -m mark --mark 22 -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --dport 22 -m mark --mark 3333 -j DROP
 
Blaz commented:
For what you are trying to do it would be more appropriate to configure the ssh server to listen on the ports you want.

Edit the file /etc/ssh/sshd_config and add these lines:
ListenAddress <your public IP>:33333
ListenAddress <your LAN IP>:22

You only need to allow:
$IPT -A INPUT -i $INTERNET -p tcp --dport 33333 -m state --state NEW -j ACCEPT

http://man-wiki.net/index.php/5:sshd_config
 
DrCalmo (author) commented:
I know that. That's not the point.
I'm not talking only about ssh server, this is only an example.
The question is about iptables and redirection from one port to another one in the local machine.
Is there any other way of doing this in iptables?
 
Blaz commented:
Sorry for a typo - the last line should be:
$IPT -A INPUT -i $INTERNET -p tcp --dport 22 -m mark --mark 3333 -j ACCEPT
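The mark-based approach from the answer above, written out as a complete rule set in the order the packet path requires (mangle PREROUTING marks the original destination port, nat PREROUTING redirects, filter INPUT accepts only marked packets). This is an added example, not code from the thread; the ipt wrapper, PUBLIC_SSH_PORT and MARK_VALUE are this example's own names, and by default it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: accept SSH from the internet only via the redirected port 33333
# and refuse direct connections to port 22, while the LAN still reaches 22.
# INTERNET/LOCALNET follow the original script; the rest is assumed.
INTERNET="${INTERNET:-ppp0}"
LOCALNET="${LOCALNET:-192.168.1.0/24}"
PUBLIC_SSH_PORT=33333
MARK_VALUE=33333   # arbitrary fwmark; only has to be consistent between rules

# Dry run by default (DRY_RUN=1): print the rules so they can be reviewed
# without root. Set DRY_RUN=0 to apply them with /sbin/iptables.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        /sbin/iptables "$@"
    fi
}

ssh_rules() {
    # 1. mangle PREROUTING runs before NAT, so the destination port seen here
    #    is the one the client really asked for. Remember it as a mark.
    ipt -t mangle -A PREROUTING -i "$INTERNET" -p tcp --dport "$PUBLIC_SSH_PORT" \
        -j MARK --set-mark "$MARK_VALUE"
    # 2. nat PREROUTING rewrites 33333 -> 22; sshd keeps listening on 22 only.
    ipt -t nat -A PREROUTING -i "$INTERNET" -p tcp --dport "$PUBLIC_SSH_PORT" \
        -j REDIRECT --to-ports 22
    # 3. By the time INPUT runs, every SSH packet from ppp0 has dport 22.
    #    Only packets carrying the mark (original dport 33333) may open a session.
    ipt -A INPUT -i "$INTERNET" -p tcp --dport 22 -m mark --mark "$MARK_VALUE" \
        -m state --state NEW -j ACCEPT
    # 4. Unmarked packets to port 22 from ppp0 were sent to 22 directly: drop them
    #    explicitly, independent of the chain policy.
    ipt -A INPUT -i "$INTERNET" -p tcp --dport 22 -j DROP
    # LAN clients still reach sshd on port 22 directly.
    ipt -A INPUT -s "$LOCALNET" -p tcp --dport 22 -j ACCEPT
}

ssh_rules
```

Newer iptables releases also offer `-m conntrack --ctorigdstport 33333` in INPUT, which matches the pre-NAT destination port directly without a mark (assumed not to be available in the 1.4.1.1 build from the question).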
 
DrCalmo (author) commented:
GREAT!
This was what I meant. There was something "ugly" in redirecting to an unused port. It didn't make sense.
Dropping is the choice!
However, the solutions with the mangle table are very interesting and give me some potential solutions for other problems.
I never explored the mangle table as much as I could have... Never too late to start ;-)
Thanks a lot!

