Solved

DNAT not work

Posted on 2009-05-13
3
719 Views
Last Modified: 2013-11-16
I want to move the default port of sshd on the external interface to 222.
Here are my rules:

external - eth0
internal - eth1

iptables -A INPUT -i eth0 -p tcp --dport 222 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 222 -j DNAT --to 192.168.1.100:22

Thanks.
0
Comment
Question by:isaj1
3 Comments
 
LVL 16

Accepted Solution

by:
Blaz earned 500 total points
ID: 24375464
The most easy way is to configure the sshd to run also on port 222.

Edit file /etc/ssh/sshd_config and add commands:
ListenAddress <your public IP>:222
ListenAddress <your LAN IP>:22

You only need to allow:
iptables -A INPUT -i eth0 -p tcp --dport 222 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT


An alternative is to REDIRECT not DNAT - if the destination is machine itself:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 222 -j REDIRECT --to-ports 22

but you will have to accept port 22 not 222 from the outside - when the filter sees the packet it is already redirected to port 22:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

You could block port 22 from outside in PREROUTING chain:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 22 -j DROP
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 24382821
just a suggestion if you're not comfortable with iptables => take a look at www.shorewall.net
You won't have to remember that hard iptables syntax
0
 

Author Comment

by:isaj1
ID: 24407355
Thanks for you comments mchkorg and blaz,
I figured out later that I had to have port 22 on the outside open for the DNAT to work
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question