Re: FW: DNAT SSH
- From: Nigel Wade <nmw@xxxxxxxxxxxx>
- Date: Thu, 31 Jan 2008 10:26:05 +0000
Geofrey Rainey wrote:
Hi, Perhaps there is someone in the ether au fait with IPtables...?
Cheers,
Geoff.
________________________________
From: Geofrey Rainey Sent: Thursday, 31 January 2008 1:13 p.m.
To: 'netfilter@xxxxxxxxxxxxxxx'
Subject: DNAT SSH
Hello,
I would like to obscure the SSHD listening port from 22 to another, but
allow
22 access from the local subnet.
Described succinctly, this is what I think I need:
NAT PREROUTING chain:
1. -s anywhere --dport 5000 -j DNAT --to-destination :22
FILTER INPUT chain:
2. -s subnet --dport 22 -j ACCEPT
3. all others -j REJECT
The problem is the packet arrives on 5000 and is natted to 22 correctly
(1. - all good so far), but because its source IP is not the local subnet (defined in 2.), it is
rejected in the filter
INPUT chain (3).
So I'm think something like the following:
a. can the packet bypass the INPUT filter chain?
b. how can I identify my natted packet within the INPUT filter chain and
thus ACCEPT it?
I think the simplest solution is to get sshd to listen on both ports. No need for complicated NATting or other fancy stuff. Once sshd is listening to both ports you can restrict port 22 to the subnet using iptables, and leave port 5000 open.
To get sshd to listen to multiple ports use two Port options in /etc/sshd_config, i.e. two lines, one with "Port 22" and another with "Port 5000".
This is what I do, and it works.
--
Nigel Wade
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
- References:
- FW: DNAT SSH
- From: Geofrey Rainey
- FW: DNAT SSH
- Prev by Date: RE: FW: DNAT SSH
- Next by Date: Re: Block PC using Mac address in squid
- Previous by thread: RE: FW: DNAT SSH
- Index(es):
Relevant Pages
|
