Re: DNAT TCP 12345 -> 22

Ansgar -59cobalt- Wiechers wrote:
On 2008-03-20 Frédéric Massot wrote:
I have servers with public IP addresses in a DMZ behind a firewall.

The firewall has two network interfaces, one connected to the DMZ, the
other to the ISP router.

From the local network, I can access the server via SSH on port 22/TCP.

I would like to access the server from the outside on another port
like 12345/TCP. I am trying to translate the SSH port on the firewall with a
DNAT rule.

I have these rules:

tcp --sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j

iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER
--dport 12345 -j DNAT --to-destination $SERVER:22

With these rules I can access the server on ports 22/TCP and

How can I ensure that access will be possible only on port 12345/TCP and
not on port 22/TCP?

Have your sshd listen on both ports, and allow only 12345/tcp inbound on
your external firewall.


Yes, it is a solution that works, but I would like to find a solution with the firewall.
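An added example of the firewall-only approach being asked for (this is not code from either poster). The FORWARD chain evaluates packets after the nat PREROUTING DNAT has rewritten them, so a FORWARD rule on --dport 22 matches both the translated 12345 connections and direct port-22 connections; the conntrack match's --ctorigdstport distinguishes them by the port the client originally connected to. The interface name, server address and script name are placeholders.

```shell
#!/bin/sh
# Allow external SSH only via the 12345 -> 22 DNAT; drop direct port-22 attempts.
# Values below are placeholders for this example.
EXT="${EXT:-eth0}"                 # interface towards the ISP router
SERVER="${SERVER:-203.0.113.10}"   # public address of the DMZ server
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Run iptables, or only print the command when DRY_RUN=1, so the rule set can
# be reviewed before touching the live firewall.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

install_ssh_dnat_rules() {
    # 1. Translate the public port to the real sshd port (the rule from the thread).
    ipt -t nat -A PREROUTING -i "$EXT" -p tcp -d "$SERVER" --dport 12345 \
        -j DNAT --to-destination "$SERVER":22

    # 2. Replies and already-accepted flows pass.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. New SSH connections are accepted only if the client originally
    #    asked for 12345 (post-DNAT the packet says --dport 22, so the
    #    original destination port from conntrack is what tells them apart).
    ipt -A FORWARD -i "$EXT" -p tcp -d "$SERVER" --dport 22 \
        -m conntrack --ctstate NEW --ctorigdstport 12345 -j ACCEPT

    # 4. Whatever else arrives from outside for port 22 is a direct attempt: drop it.
    ipt -A FORWARD -i "$EXT" -p tcp -d "$SERVER" --dport 22 -j DROP
}

# Emit the generated rule set as text without applying it (subshell keeps
# DRY_RUN local).
show_rules() {
    ( DRY_RUN=1; install_ssh_dnat_rules )
}

case "${1:-}" in
    apply) install_ssh_dnat_rules ;;
    show)  show_rules ;;
esac
```

`sh ssh-dnat.sh show` prints the rules for review; `sh ssh-dnat.sh apply` installs them (as root, appended to whatever is already in the chains).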

