[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DNAT TCP 12345 -> 22


Frédéric Massot a écrit :

I have servers with public IP addresses in a DMZ behind a firewall.

The firewall has two network interface, one connected to the DMZ, the other to the ISP router.

 From local network, I can access the server via SSH on port 22/TCP.

What local network ?

I would like to access the server from the outside on another port like 12345/TCP. I try to translate the SSH port on the firewall with a DNAT rule.

I have these rules :

iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp --sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER --dport 12345 -j DNAT --to-destination $SERVER:22

With these rules I can access the server on ports 22/TCP and 12345/TCP.

How I can ensure that access will possible only on port 12345/TCP and not on port 22/TCP ?

There are several available methods, all involving some action in the PREROUTING chains before the DNAT rule is reached, because after it is too late.

1) Drop packets to $SERVER:22 in mangle/PREROUTING or raw/PREROUTING (the latter requires a kernel >= 2.6.6). Not my preferred method, as packet filtering is not the primary purpose of the mangle and raw tables, and they do not support the REJECT target.

iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
  -p tcp --dport 22 -j DROP

2) Mark packets to $SERVER:22 in mangle/PREROUTING and drop or reject the marked packets in filter/FORWARD before the ACCEPT rule.

iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
  -p tcp --dport 22 -j MARK --set-mark 0x22
iptables -A FORWARD -m mark --mark 0x22 -p tcp \
  -j REJECT --reject-with tcp-reset

3) Conversely, mark packets to $SERVER:12345 in mangle/PREROUTING and accept only packets to $SERVER:22 with the mark in filter/FORWARD.

iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
  -p tcp --dport 12345 -j MARK --set-mark 0x12345
  -d $SERVER -p tcp --dport 22 -m mark --mark 0x12345 -j ACCEPT

4) Mark new connexions to $SERVER:12345 in mangle/PREROUTING and accept only packets to $SERVER:22 with the connection mark in filter/FORWARD. Requires kernel >= 2.6.10 or with the connmark patch.

iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
  -m state --state NEW -p tcp --dport 12345 \
  -j CONNMARK --set-mark 0x12345
  -d $SERVER -p tcp --dport 22 -m connmark --mark 0x12345 -j ACCEPT

5) DNAT connections to $SERVER:22 in nat/PREROUTING to whatever destination you want and drop/reject them in FORWARD or INPUT depending whether the new destination is local or remote. Not my preferred method.

6) Skip connection tracking on packets to $SERVER:22 in raw/PREROUTING with the NOTRACK target. The packets will have the UNTRACKED state, so you can drop or reject packets matching that state in filter/FORWARD. Requires a kernel >= 2.6.6. Not my preferred method either.

  -p tcp --dport 22 -j NOTRACK
iptables -A FORWARD -m state --state UNTRACKED \
  -p tcp -j REJECT --reject-with tcp-reset

Reply to: