Re: DNAT TCP 12345 -> 22
Hello,
Frédéric Massot wrote:
I have servers with public IP addresses in a DMZ behind a firewall.
The firewall has two network interfaces, one connected to the DMZ, the
other to the ISP router.
From local network, I can access the server via SSH on port 22/TCP.
What local network?
I would like to access the server from the outside on another port like
12345/TCP. I try to translate the SSH port on the firewall with a DNAT
rule.
I have these rules:
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp \
--sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER \
--dport 12345 -j DNAT --to-destination $SERVER:22
With these rules I can access the server on ports 22/TCP and 12345/TCP.
How can I ensure that access is possible only on port 12345/TCP and
not on port 22/TCP?
There are several available methods, all involving some action in the
PREROUTING chains before the DNAT rule is reached, because after it is
too late.
1) Drop packets to $SERVER:22 in mangle/PREROUTING or raw/PREROUTING
(the latter requires a kernel >= 2.6.6). Not my preferred method, as
packet filtering is not the primary purpose of the mangle and raw
tables, and they do not support the REJECT target.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
-p tcp --dport 22 -j DROP
2) Mark packets to $SERVER:22 in mangle/PREROUTING and drop or reject
the marked packets in filter/FORWARD before the ACCEPT rule.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
-p tcp --dport 22 -j MARK --set-mark 0x22
iptables -A FORWARD -m mark --mark 0x22 -p tcp \
-j REJECT --reject-with tcp-reset
3) Conversely, mark packets to $SERVER:12345 in mangle/PREROUTING and
accept only packets to $SERVER:22 with the mark in filter/FORWARD.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
-p tcp --dport 12345 -j MARK --set-mark 0x12345
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
-d $SERVER -p tcp --dport 22 -m mark --mark 0x12345 -j ACCEPT
4) Mark new connections to $SERVER:12345 in mangle/PREROUTING and accept
only packets to $SERVER:22 with the connection mark in filter/FORWARD.
Requires a kernel >= 2.6.10, or the connmark patch.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
-m state --state NEW -p tcp --dport 12345 \
-j CONNMARK --set-mark 0x12345
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
-d $SERVER -p tcp --dport 22 -m connmark --mark 0x12345 -j ACCEPT
5) DNAT connections to $SERVER:22 in nat/PREROUTING to whatever
destination you want and drop/reject them in FORWARD or INPUT, depending
on whether the new destination is local or remote. Not my preferred method.
6) Skip connection tracking on packets to $SERVER:22 in raw/PREROUTING
with the NOTRACK target. The packets will have the UNTRACKED state, so
you can drop or reject packets matching that state in filter/FORWARD.
Requires a kernel >= 2.6.6. Not my preferred method either.
iptables -t raw -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
-p tcp --dport 22 -j NOTRACK
iptables -A FORWARD -m state --state UNTRACKED \
-p tcp -j REJECT --reject-with tcp-reset
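As an added illustration (not part of the thread), a small Python model of the chain traversal the reply describes for a NEW TCP SYN arriving from the ISP side: raw/PREROUTING, mangle/PREROUTING, nat/PREROUTING (DNAT), then filter/FORWARD. Method 0 is the original poster's two rules alone, which shows why port 22 stays reachable; methods 1, 2, 3, 4 and 6 are the reply's variants. The server address, interface names and a default DROP policy on FORWARD are assumptions.

```python
from dataclasses import dataclass

SERVER = "203.0.113.10"   # constructed sample address standing in for $SERVER
EXT, INT = "eth0", "eth1" # assumed $EXTERNAL_INTERFACE / $INTERNAL_INTERFACE

@dataclass
class Pkt:
    in_iface: str
    dst: str
    dport: int
    mark: int = 0          # packet mark set by the MARK target
    connmark: int = 0      # connection mark set by the CONNMARK target
    tracked: bool = True   # False after NOTRACK, i.e. state UNTRACKED

def verdict(pkt: Pkt, method: int) -> str:
    """Walk one NEW SYN through the tables; method 0 = original rules only."""
    ext_to_server = pkt.in_iface == EXT and pkt.dst == SERVER
    # raw/PREROUTING (method 6): stop tracking packets to $SERVER:22
    if method == 6 and ext_to_server and pkt.dport == 22:
        pkt.tracked = False
    # mangle/PREROUTING (methods 1-4): act before the DNAT rule is reached
    if ext_to_server and pkt.dport == 22:
        if method == 1:
            return "DROP"
        if method == 2:
            pkt.mark = 0x22
    if ext_to_server and pkt.dport == 12345:
        if method == 3:
            pkt.mark = 0x12345
        if method == 4:
            pkt.connmark = 0x12345
    # nat/PREROUTING: the poster's DNAT rule (NAT only applies to tracked packets)
    if pkt.tracked and ext_to_server and pkt.dport == 12345:
        pkt.dport = 22     # --to-destination $SERVER:22
    # filter/FORWARD, in the order the reply places the rules
    if method == 2 and pkt.mark == 0x22:
        return "REJECT"
    if method == 6 and not pkt.tracked:
        return "REJECT"
    if ext_to_server and pkt.dport == 22 and pkt.tracked:
        if method == 3 and pkt.mark != 0x12345:
            return "DROP"  # no ACCEPT matches; assumed chain policy applies
        if method == 4 and pkt.connmark != 0x12345:
            return "DROP"
        return "ACCEPT"    # the poster's --state NEW ACCEPT rule (or its marked variant)
    return "DROP"          # assumed FORWARD policy

def reachable(method: int) -> dict:
    """Verdict for an outside SYN to each of the two ports under one method."""
    return {p: verdict(Pkt(EXT, SERVER, p), method) for p in (22, 12345)}
```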