DNAT not work

I want to move the default port of sshd on the external interface to 222.
Here are my rules:

external - eth0
internal - eth1

iptables -A INPUT -i eth0 -p tcp --dport 222 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 222 -j DNAT --to 192.168.1.100:22

Thanks.
isaj1Asked:
Who is Participating?
 
BlazConnect With a Mentor Commented:
The most easy way is to configure the sshd to run also on port 222.

Edit file /etc/ssh/sshd_config and add commands:
ListenAddress <your public IP>:222
ListenAddress <your LAN IP>:22

You only need to allow:
iptables -A INPUT -i eth0 -p tcp --dport 222 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT


An alternative is to REDIRECT not DNAT - if the destination is machine itself:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 222 -j REDIRECT --to-ports 22

but you will have to accept port 22 not 222 from the outside - when the filter sees the packet it is already redirected to port 22:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

You could block port 22 from outside in PREROUTING chain:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 22 -j DROP
0
 
mchkorgCommented:
just a suggestion if you're not comfortable with iptables => take a look at www.shorewall.net
You won't have to remember that hard iptables syntax
0
 
isaj1Author Commented:
Thanks for you comments mchkorg and blaz,
I figured out later that I had to have port 22 on the outside open for the DNAT to work
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.