Re: DNAT TCP 12345 -> 22

To: Frédéric Massot <frederic@juliana-multimedia.com>
Cc: debian-firewall@lists.debian.org
Subject: Re: DNAT TCP 12345 -> 22
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date: Fri, 21 Mar 2008 13:53:33 +0100
Message-id: <47E3AFCD.9040809@plouf.fr.eu.org>
In-reply-to: <47E2B09E.1070708@juliana-multimedia.com>
References: <47E2B09E.1070708@juliana-multimedia.com>

Hello,

Frédéric Massot a écrit :

I have servers with public IP addresses in a DMZ behind a firewall.
The firewall has two network interface, one connected to the DMZ, theother to the ISP router.
 From local network, I can access the server via SSH on port 22/TCP.


What local network ?

I would like to access the server from the outside on another port like12345/TCP. I try to translate the SSH port on the firewall with a DNATrule.
I have these rules :
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp--sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER--dport 12345 -j DNAT --to-destination $SERVER:22
With these rules I can access the server on ports 22/TCP and 12345/TCP.
How I can ensure that access will possible only on port 12345/TCP andnot on port 22/TCP ?

There are several available methods, all involving some action in thePREROUTING chains before the DNAT rule is reached, because after it istoo late.

1) Drop packets to $SERVER:22 in mangle/PREROUTING or raw/PREROUTING(the latter requires a kernel >= 2.6.6). Not my preferred method, aspacket filtering is not the primary purpose of the mangle and rawtables, and they do not support the REJECT target.


iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
  -p tcp --dport 22 -j DROP

2) Mark packets to $SERVER:22 in mangle/PREROUTING and drop or rejectthe marked packets in filter/FORWARD before the ACCEPT rule.


iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
  -p tcp --dport 22 -j MARK --set-mark 0x22
iptables -A FORWARD -m mark --mark 0x22 -p tcp \
  -j REJECT --reject-with tcp-reset

3) Conversely, mark packets to $SERVER:12345 in mangle/PREROUTING andaccept only packets to $SERVER:22 with the mark in filter/FORWARD.


iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
  -p tcp --dport 12345 -j MARK --set-mark 0x12345
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
  -d $SERVER -p tcp --dport 22 -m mark --mark 0x12345 -j ACCEPT

4) Mark new connexions to $SERVER:12345 in mangle/PREROUTING and acceptonly packets to $SERVER:22 with the connection mark in filter/FORWARD.Requires kernel >= 2.6.10 or with the connmark patch.


iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
  -m state --state NEW -p tcp --dport 12345 \
  -j CONNMARK --set-mark 0x12345
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
  -d $SERVER -p tcp --dport 22 -m connmark --mark 0x12345 -j ACCEPT

5) DNAT connections to $SERVER:22 in nat/PREROUTING to whateverdestination you want and drop/reject them in FORWARD or INPUT dependingwhether the new destination is local or remote. Not my preferred method.

6) Skip connection tracking on packets to $SERVER:22 in raw/PREROUTINGwith the NOTRACK target. The packets will have the UNTRACKED state, soyou can drop or reject packets matching that state in filter/FORWARD.Requires a kernel >= 2.6.6. Not my preferred method either.


iptables -t raw -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
  -p tcp --dport 22 -j NOTRACK
iptables -A FORWARD -m state --state UNTRACKED \
  -p tcp -j REJECT --reject-with tcp-reset

Reply to:

Follow-Ups:
- Re: DNAT TCP 12345 -> 22
  - From: Frédéric Massot <frederic@juliana-multimedia.com>

References:
- DNAT TCP 12345 -> 22
  - From: Frédéric Massot <frederic@juliana-multimedia.com>

Prev by Date: Re: DNAT TCP 12345 -> 22
Next by Date: Tru
Previous by thread: Re: DNAT TCP 12345 -> 22
Next by thread: Re: DNAT TCP 12345 -> 22
Index(es):
- Date
- Thread