On 2008-03-20 Frédéric Massot wrote:
I have servers with public IP addresses in a DMZ behind a firewall.
The firewall has two network interface, one connected to the DMZ, the
other to the ISP router.
From local network, I can access the server via SSH on port 22/TCP.
I would like to access the server from the outside on another port
like 12345/TCP. I try to translate the SSH port on the firewall with a
DNAT rule.
I have these rules :
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p
tcp --sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j
ACCEPT
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER
--dport 12345 -j DNAT --to-destination $SERVER:22
With these rules I can access the server on ports 22/TCP and
12345/TCP.
How I can ensure that access will possible only on port 12345/TCP and
not on port 22/TCP ?
Have your sshd listen on both ports, and allow only 12345/tcp inbound on
your external firewall.