DNAT not working

Posted on 2009-05-13
Last Modified: 2013-11-16
I want to move the default port of sshd on the external interface to 222.
Here are my rules:

external - eth0
internal - eth1

iptables -A INPUT -i eth0 -p tcp --dport 222 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 222 -j DNAT --to 192.168.1.100:22

Thanks.
Accepted Solution

by: Blaz
ID: 24375464
The easiest way is to configure sshd to also run on port 222.

Edit the file /etc/ssh/sshd_config and add these lines:
ListenAddress <your public IP>:222
ListenAddress <your LAN IP>:22

You only need to allow:
iptables -A INPUT -i eth0 -p tcp --dport 222 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT


An alternative is to use REDIRECT instead of DNAT, if the destination is the machine itself:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 222 -j REDIRECT --to-ports 22

but you will have to accept port 22, not 222, from the outside: when the filter sees the packet it has already been redirected to port 22:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

You could block port 22 from the outside in the PREROUTING chain:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 22 -j DROP
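As an added example that is not part of this thread, the following POSIX shell script emits the rule set for both layouts Blaz describes: sshd listening on 222 directly, or a nat/PREROUTING REDIRECT from 222 to 22. The interface names, a DROP default policy on INPUT, and the use of the conntrack match's --ctorigdstport option to admit only connections that originally arrived on 222 are my assumptions, not part of the original answer. The script prints the commands rather than running them, so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not code from the original thread: print the iptables rules
# for reaching sshd on port 222 of the external interface, in either of the
# two working layouts from the accepted answer.
# Assumptions (mine): eth0 is external, eth1 is internal, sshd runs on the
# firewall itself, the filter INPUT policy is DROP, and the conntrack match
# (xt_conntrack, including --ctorigdstport) is available on this kernel.

EXT_IF=eth0
INT_IF=eth1
EXT_PORT=222
SSH_PORT=22

# sshd_config lines for the "listen" layout: sshd itself binds 222 on the
# public address and 22 on the LAN address, so no NAT is involved at all.
# $1 = public IP, $2 = LAN IP
sshd_listen_config() {
    printf 'ListenAddress %s:%s\n' "$1" "$EXT_PORT"
    printf 'ListenAddress %s:%s\n' "$2" "$SSH_PORT"
}

# Shared with both layouts: let reply traffic of accepted connections in,
# so the per-port rules below only need to match the first packet.
common_rules() {
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Print the rule set for one layout: "listen" or "redirect".
ssh_rules() {
    case "$1" in
    listen)
        common_rules
        # No translation happens, so the filter matches ports as they were sent.
        echo "iptables -A INPUT -i $EXT_IF -p tcp --dport $EXT_PORT -j ACCEPT"
        echo "iptables -A INPUT -i $INT_IF -p tcp --dport $SSH_PORT -j ACCEPT"
        ;;
    redirect)
        common_rules
        # nat/PREROUTING runs before filter/INPUT, so by the time INPUT sees the
        # packet its destination port is already 22.  Matching on the conntrack
        # *original* destination port admits only connections that came in on
        # 222; direct hits on 22 from outside fall through to the DROP policy,
        # so no DROP rule in the nat table is needed.
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $EXT_PORT -j REDIRECT --to-ports $SSH_PORT"
        echo "iptables -A INPUT -i $EXT_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW --ctproto tcp --ctorigdstport $EXT_PORT -j ACCEPT"
        echo "iptables -A INPUT -i $INT_IF -p tcp --dport $SSH_PORT -j ACCEPT"
        ;;
    *)
        echo "usage: ssh_rules listen|redirect" >&2
        return 2
        ;;
    esac
}
```

`ssh_rules redirect` shows the rules; `ssh_rules redirect | sh` applies them as root once they have been reviewed. The point the script makes explicit is the one Blaz raises: in the redirect layout the INPUT rule has to match port 22, the translated port, which is why an ACCEPT rule for --dport 222 in the filter table never matches the redirected packet.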
Expert Comment

by:mchkorg
ID: 24382821
Just a suggestion: if you're not comfortable with iptables, take a look at www.shorewall.net.
You won't have to remember that hard iptables syntax.
Author Comment

by:isaj1
ID: 24407355
Thanks for your comments, mchkorg and blaz.
I figured out later that I had to have port 22 open on the outside for the DNAT to work.