
Re: DNAT TCP 12345 -> 22



On Fri, Mar 21, 2008 at 7:28 PM, Frédéric Massot
<frederic@juliana-multimedia.com> wrote:
>  The server that I want access through SSH is different from the
>  firewall, the server is in the DMZ and has one network interface (chains
>  INPUT or OUTPUT), the firewall with two network interfaces (chain
>  FORWARD). The INPUT chain on the firewall is not involved in the decision.
Hi, I didn't realize you wanted to access another server within the DMZ.
Okay, so now all traffic into the DMZ servers must go through the firewall,
right (meaning no direct access to the publicly accessible servers)?
I'm assuming that you are doing same-address NAT for the public IP. If
so, then you can do a port address translation:

iptables -t nat -A PREROUTING -p tcp -d <ext-public-ip> --dport 12345 \
    -j DNAT --to-destination <ext-public-ip>:22

If your default routing is set up correctly, any attempt to access
port 22 directly from outside the firewall will be dropped/rejected.
While I have tried to make the command as correct as possible, I did not
test the above command, so keep a backup of the original firewall
settings.

Chris
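The following is an added example and is not part of Chris's reply or of any project's code. It generates, without applying, the full rule set a DMZ port forward needs on the firewall: the PREROUTING DNAT from the public port to the DMZ host, the FORWARD rule that admits only flows conntrack marks as DNATed (so a connection aimed straight at the DMZ host's port 22 does not match), the return-path rule, and an explicit drop for direct attempts. It assumes the DMZ host is reachable from the firewall at a private address (rather than the public IP used in the message), and every interface name and address is a caller-supplied placeholder; the addresses in the usage line are RFC 5737 documentation ranges, constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread. Prints (does not apply) the
# iptables commands for forwarding public TCP port PUB_PORT to DMZ_IP:DMZ_PORT.
# Interface names and addresses are placeholders supplied by the caller.
IPT="${IPT:-iptables}"

# Accept only a dotted-quad IPv4 address with four octets in 0..255.
is_ipv4() {
    case $1 in
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    rest=$1.
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Accept only a TCP port number in 1..65535.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# dnat_rules EXT_IF PUB_IP PUB_PORT DMZ_IP DMZ_PORT
# Prints four commands, one per line:
#   1. PREROUTING DNAT: PUB_IP:PUB_PORT -> DMZ_IP:DMZ_PORT, only on EXT_IF
#   2. FORWARD: accept the flow only when conntrack reports it was DNATed
#      (ctstate DNAT), so a packet sent directly to DMZ_IP:DMZ_PORT does not match
#   3. FORWARD: let replies and related traffic back out
#   4. FORWARD: explicitly drop anything else arriving for DMZ_IP:DMZ_PORT
# Returns 1 without printing anything if any address or port is malformed.
dnat_rules() {
    ext_if=$1 pub_ip=$2 pub_port=$3 dmz_ip=$4 dmz_port=$5
    is_ipv4 "$pub_ip" && is_ipv4 "$dmz_ip" \
        && is_port "$pub_port" && is_port "$dmz_port" || return 1
    printf '%s\n' "$IPT -t nat -A PREROUTING -i $ext_if -p tcp -d $pub_ip --dport $pub_port -j DNAT --to-destination $dmz_ip:$dmz_port"
    printf '%s\n' "$IPT -A FORWARD -i $ext_if -p tcp -d $dmz_ip --dport $dmz_port -m conntrack --ctstate DNAT -j ACCEPT"
    printf '%s\n' "$IPT -A FORWARD -o $ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$IPT -A FORWARD -i $ext_if -p tcp -d $dmz_ip --dport $dmz_port -j DROP"
}

# Usage (constructed RFC 5737 example addresses):
#   sh dnat.sh eth0 203.0.113.10 12345 192.0.2.22 22
if [ "$#" -eq 5 ]; then
    dnat_rules "$@"
fi
```

Review the printed commands before piping them into a shell on the firewall; the ordering matters, because the DNAT-only ACCEPT must precede the DROP. The explicit DROP is redundant under a default FORWARD policy of DROP but documents the intent that port 22 is reachable only through the translated port.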

