Solved

DNAT not work

Posted on 2009-05-13
3
724 Views
Last Modified: 2013-11-16
I want to move the default port of sshd on the external interface to 222.
Here are my rules:

external - eth0
internal - eth1

iptables -A INPUT -i eth0 -p tcp --dport 222 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 222 -j DNAT --to 192.168.1.100:22

Thanks.
0
Comment
Question by:isaj1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 16

Accepted Solution

by:
Blaz earned 500 total points
ID: 24375464
The most easy way is to configure the sshd to run also on port 222.

Edit file /etc/ssh/sshd_config and add commands:
ListenAddress <your public IP>:222
ListenAddress <your LAN IP>:22

You only need to allow:
iptables -A INPUT -i eth0 -p tcp --dport 222 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT


An alternative is to REDIRECT not DNAT - if the destination is machine itself:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 222 -j REDIRECT --to-ports 22

but you will have to accept port 22 not 222 from the outside - when the filter sees the packet it is already redirected to port 22:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

You could block port 22 from outside in PREROUTING chain:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 22 -j DROP
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 24382821
just a suggestion if you're not comfortable with iptables => take a look at www.shorewall.net
You won't have to remember that hard iptables syntax
0
 

Author Comment

by:isaj1
ID: 24407355
Thanks for you comments mchkorg and blaz,
I figured out later that I had to have port 22 on the outside open for the DNAT to work
0

Featured Post

Webinar June 1st - Attacking Ransomware  

The global cyberattack that corrupted hundreds of thousands of computer systems on May 12th had a face, name, & price tag that we’ve seen all too often in recent years: Ransomware. With the stakes – and costs – of a ransomware attack higher than ever, is your business prepared ?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question