On Fri, Mar 21, 2008 at 2:44 AM, Frédéric Massot
<frederic@juliana-multimedia.com> wrote:
Hi,
I have servers with public IP addresses in a DMZ behind a firewall.
The firewall has two network interface, one connected to the DMZ, the
other to the ISP router.
From local network, I can access the server via SSH on port 22/TCP.
I would like to access the server from the outside on another port like
12345/TCP. I try to translate the SSH port on the firewall with a DNAT rule.
I have these rules :
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp
--sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER
--dport 12345 -j DNAT --to-destination $SERVER:22
With these rules I can access the server on ports 22/TCP and 12345/TCP.
How I can ensure that access will possible only on port 12345/TCP and
not on port 22/TCP ?
Do you set default policy for INPUT (and possibly FORWARD if you don't
want any connection to be forwarded to internal LAN) to be
DROP/REJECT? With default policy, as long as you don't specify any
rule, it will be dropped/rejected.
iptables -P INPUT DROP
iptables -P FORWARD DROP