Re: DNAT TCP 12345 -> 22



Hello, Frédéric.

To block (reject) a TCP port $SERVICE (22 in this case) on the external
interface, try a rule like:

# iptables -I INPUT 1 -j REJECT -p tcp -s 0/0 -i $EXTERNAL_INTERFACE
--dport $SERVICE

With your earlier rules in place, tcp port 22 on the internal interface
and tcp port 12345 on the external interface should both still work.

Best regards,
Stephen Benoit
linux@magnumline.com

> Hi,
>
> I have servers with public IP addresses in a DMZ behind a firewall.
>
> The firewall has two network interfaces, one connected to the DMZ, the
> other to the ISP router.
>
> From the local network, I can access the server via SSH on port 22/TCP.
>
> I would like to access the server from the outside on another port like
> 12345/TCP. I am trying to translate the SSH port on the firewall with a
> DNAT rule.
>
> I have these rules:
>
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp
> --sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j ACCEPT
>
> iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER
> --dport 12345 -j DNAT --to-destination $SERVER:22
>
> With these rules I can access the server on ports 22/TCP and 12345/TCP.
>
> How can I ensure that access will be possible only on port 12345/TCP and
> not on port 22/TCP?
>
>
> Regards.
> --
> ==============================================
> |              FRÉDÉRIC MASSOT               |
> |     http://www.juliana-multimedia.com      |
> |   mailto:frederic@juliana-multimedia.com   |
> ===========================Debian=GNU/Linux===
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
>
>
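Because the DNAT is applied in PREROUTING, the FORWARD chain sees destination port 22 whether the client dialled 12345 or 22 directly, so a plain --dport match cannot tell the two apart. The script below is an added example, not code from either message in this thread: it generates a rule set that admits new forwarded connections to the service port only when conntrack records that the connection was DNATed (the DNAT virtual state of the conntrack match). Interface names, the 192.0.2.10 TEST-NET address and the port numbers are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, the server address
# (192.0.2.10 is a constructed TEST-NET-1 value) and the ports are placeholders;
# override them through the environment.
EXTERNAL_INTERFACE=${EXTERNAL_INTERFACE:-eth0}
INTERNAL_INTERFACE=${INTERNAL_INTERFACE:-eth1}   # DMZ side
SERVER=${SERVER:-192.0.2.10}
PUBLIC_PORT=${PUBLIC_PORT:-12345}   # port reachable from the Internet
SERVICE=${SERVICE:-22}              # real port on the DMZ server

# Print the rules instead of running them, so they can be reviewed first and
# then loaded with:  sh this_script.sh | sh
dnat_rules() {
    # Rewrite the public port to the service port before routing. The conntrack
    # entry created for such a connection carries the DNAT state.
    echo "iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER" \
         "--dport $PUBLIC_PORT -j DNAT --to-destination $SERVER:$SERVICE"
    # Replies and already-accepted connections in either direction.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Forward new connections to the service port only when PREROUTING rewrote
    # them. -m state (used in the thread) has no DNAT state; -m conntrack does.
    echo "iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp -d $SERVER" \
         "--dport $SERVICE -m conntrack --ctstate DNAT -j ACCEPT"
    # A client that dialled the service port directly never gets the DNAT state
    # and is refused explicitly rather than left to the chain policy.
    echo "iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp -d $SERVER" \
         "--dport $SERVICE -j REJECT --reject-with tcp-reset"
}

dnat_rules
```

Hosts on the DMZ side are unaffected: the gating rule only applies to traffic entering on the external interface.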
