
Re: DNAT TCP 12345 -> 22

Chris Henry wrote:
On Fri, Mar 21, 2008 at 2:44 AM, Frédéric Massot
<frederic@juliana-multimedia.com> wrote:

 I have servers with public IP addresses in a DMZ behind a firewall.

 The firewall has two network interfaces, one connected to the DMZ, the
 other to the ISP router.

  From the local network, I can access the server via SSH on port 22/TCP.

 I would like to access the server from the outside on another port, like
 12345/TCP. I tried to translate the SSH port on the firewall with a DNAT rule.

 I have these rules:

 --sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j ACCEPT

 iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER
 --dport 12345 -j DNAT --to-destination $SERVER:22

 With these rules I can access the server on ports 22/TCP and 12345/TCP.

 How can I ensure that access will be possible only on port 12345/TCP and
 not on port 22/TCP?
Do you set the default policy for INPUT (and possibly FORWARD, if you don't
want any connection to be forwarded to the internal LAN) to
DROP/REJECT? With a default policy, as long as you don't specify any
rule, it will be dropped/rejected.

iptables -P INPUT DROP
iptables -P FORWARD DROP


All chains have a DROP policy on the filter table; I open only the necessary ports.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT

Should I put a DROP policy on the nat and mangle tables?

|              FRÉDÉRIC MASSOT               |
|     http://www.juliana-multimedia.com      |
|   mailto:frederic@juliana-multimedia.com   |
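The mechanism the thread circles around, shown as an added example that is not part of the original messages: nat/PREROUTING rewrites the destination port before filter/FORWARD is consulted, so a FORWARD rule that accepts --dport 22 to the server accepts both connections that arrived on 12345 and connections that arrived directly on 22; DROP policies on the nat and mangle tables would not change that, because those tables do not decide what is forwarded. The script below (interface names, the server address and the IPT variable are assumptions for illustration; run it with IPT=echo or the "show" argument to print the rules instead of applying them) accepts port 22 from the external interface only when conntrack records 12345 as the port the client originally asked for.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT 12345 -> 22 with the FORWARD
# chain accepting, from outside, only the translated connections.
# Interface names, the server address and IPT are assumptions.
set -eu

EXT_IF=${EXT_IF:-eth0}         # assumed: interface towards the ISP router
DMZ_IF=${DMZ_IF:-eth1}         # assumed: interface towards the DMZ
SERVER=${SERVER:-192.0.2.10}   # assumed: the DMZ server (RFC 5737 documentation range)
IPT=${IPT:-iptables}           # IPT=echo prints the rules instead of applying them

# Emit (IPT=echo) or apply (IPT=iptables, as root) the rule set.
build_rules() {
    # Default deny on the filter table, as in the thread.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING

    # Replies and related packets of already accepted connections.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # nat/PREROUTING runs before filter/FORWARD, so a packet that arrived for
    # $SERVER:12345 reaches FORWARD with --dport already rewritten to 22.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$SERVER" --dport 12345 \
        -j DNAT --to-destination "$SERVER:22"

    # From outside: a rule on --dport 22 alone would accept both the
    # translated connections and direct ones to port 22. Match the port the
    # client originally asked for instead; conntrack keeps it in the original
    # tuple, so only connections that arrived on 12345 get through and direct
    # connections to 22 from $EXT_IF fall to the DROP policy.
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p tcp -d "$SERVER" --dport 22 \
        -m conntrack --ctstate NEW --ctorigdstport 12345 -j ACCEPT

    # Not from outside: plain port 22 remains reachable.
    $IPT -A FORWARD ! -i "$EXT_IF" -o "$DMZ_IF" -p tcp -d "$SERVER" --dport 22 \
        -m state --state NEW -j ACCEPT
}

case "${1:-}" in
    apply) build_rules ;;            # ./dnat-ssh.sh apply   (as root)
    show)  IPT=echo build_rules ;;   # ./dnat-ssh.sh show    (print the commands)
esac
```

The --ctorigdstport option belongs to the newer revision of the conntrack match and is absent on older kernels; there, -m conntrack --ctstate DNAT (accept only connections that went through a DNAT rule) gives a coarser version of the same check, since a direct connection to port 22 is never DNATed. Either way the restriction lives in the filter table's FORWARD chain, not in the nat or mangle policies.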
