Solved

DNAT not work

Posted on 2009-05-13
718 Views
Last Modified: 2013-11-16
I want to move the default port of sshd on the external interface to 222.
Here are my rules:

external - eth0
internal - eth1

iptables -A INPUT -i eth0 -p tcp --dport 222 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 222 -j DNAT --to 192.168.1.100:22

Thanks.
Question by:isaj1
3 Comments
Accepted Solution
by: Blaz (LVL 16, earned 500 total points)
ID: 24375464
The easiest way is to configure sshd to also listen on port 222.

Edit the file /etc/ssh/sshd_config and add the commands:
ListenAddress <your public IP>:222
ListenAddress <your LAN IP>:22

You only need to allow:
iptables -A INPUT -i eth0 -p tcp --dport 222 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT


An alternative is to use REDIRECT instead of DNAT, if the destination is the machine itself:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 222 -j REDIRECT --to-ports 22

but you will have to accept port 22, not 222, from the outside: when the filter sees the packet it has already been redirected to port 22:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

You could block port 22 from outside in PREROUTING chain:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 22 -j DROP
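As an added illustration (not code from the thread), a small Python model of the inbound netfilter path the answer describes: nat PREROUTING rewrites the destination port before filter INPUT sees the packet, so the INPUT rule must match the post-NAT port 22, which is what the asker later found. The rule fields, the DROP default policy on INPUT and the helper names are constructed assumptions; it models the first packet of a connection only, and REDIRECT is treated the same as DNAT since only the port matters here.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    iface: str   # inbound interface, e.g. "eth0"
    proto: str   # "tcp"
    dport: int   # destination port as currently written on the packet

@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str
    dport: int
    target: str                    # ACCEPT, DROP, DNAT or REDIRECT
    to_port: Optional[int] = None  # rewritten dport for DNAT / REDIRECT

def run_chain(rules: List[Rule], pkt: Packet, policy: str) -> Tuple[str, Packet]:
    """Walk one chain in order: the first matching rule decides. NAT targets
    rewrite dport and let the packet continue; ACCEPT/DROP are final verdicts."""
    for r in rules:
        if (r.iface, r.proto, r.dport) != (pkt.iface, pkt.proto, pkt.dport):
            continue
        if r.target in ("DNAT", "REDIRECT"):
            return "ACCEPT", replace(pkt, dport=r.to_port)
        return r.target, pkt
    return policy, pkt

def deliver(nat_prerouting: List[Rule], filter_input: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """Inbound path for a locally destined packet: nat PREROUTING runs first,
    then filter INPUT matches against the already rewritten header."""
    verdict, pkt = run_chain(nat_prerouting, pkt, "ACCEPT")
    if verdict == "DROP":
        return verdict, pkt
    return run_chain(filter_input, pkt, "DROP")  # constructed: INPUT policy DROP

# Constructed rule sets mirroring the thread (port 222 outside -> sshd on 22).
NAT_222_TO_22 = [Rule("eth0", "tcp", 222, "DNAT", to_port=22)]
INPUT_ACCEPT_222 = [Rule("eth0", "tcp", 222, "ACCEPT")]   # the asker's original rule
INPUT_ACCEPT_22 = [Rule("eth0", "tcp", 22, "ACCEPT")]     # what actually has to be open

def ssh_from_outside(filter_input: List[Rule], dport: int = 222,
                     nat: List[Rule] = NAT_222_TO_22) -> Tuple[str, Packet]:
    """A TCP SYN arriving on eth0 for `dport`, run through both chains."""
    return deliver(nat, filter_input, Packet("eth0", "tcp", dport))

if __name__ == "__main__":
    print(ssh_from_outside(INPUT_ACCEPT_222))   # verdict DROP: INPUT never sees 222
    print(ssh_from_outside(INPUT_ACCEPT_22))    # verdict ACCEPT
```

Prepending `Rule("eth0", "tcp", 22, "DROP")` to the nat list models the answer's last rule, which stops a direct connection to port 22 from the outside while the redirected 222 traffic still passes.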
Expert Comment
by: mchkorg (LVL 7)
ID: 24382821
Just a suggestion: if you're not comfortable with iptables, take a look at www.shorewall.net.
You won't have to remember that hard iptables syntax.
Author Comment
by: isaj1
ID: 24407355
Thanks for your comments, mchkorg and Blaz.
I figured out later that I had to have port 22 open on the outside for the DNAT to work.