
Re: DNAT TCP 12345 -> 22



On 2008-03-20 Frédéric Massot wrote:
> I have servers with public IP addresses in a DMZ behind a firewall.
> 
> The firewall has two network interfaces, one connected to the DMZ, the
> other to the ISP router.
> 
> From local network, I can access the server via SSH on port 22/TCP.
> 
> I would like to access the server from the outside on another port
> like 12345/TCP. I try to translate the SSH port on the firewall with a
> DNAT rule.
> 
> I have these rules :
> 
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p
> tcp --sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j
> ACCEPT
> 
> iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER
> --dport 12345 -j DNAT --to-destination $SERVER:22
> 
> With these rules I can access the server on ports 22/TCP and
> 12345/TCP.
> 
> How can I ensure that access will be possible only on port 12345/TCP and
> not on port 22/TCP?

Have your sshd listen on both ports, and allow only 12345/tcp inbound on
your external firewall.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
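Why both ports work, as an added illustration that is not part of the thread: the nat PREROUTING chain runs before the filter FORWARD chain, so the FORWARD rule matching `--dport 22` sees the already-translated destination port and accepts direct 22/tcp as well as the DNAT'd 12345/tcp. This Python model (not iptables itself; `$SERVER` is a constructed placeholder address) walks the two quoted rules and contrasts the original FORWARD rule with one that also requires the pre-NAT destination port to have been 12345, as `-m conntrack --ctorigdstport 12345` does; the reply above (sshd on both ports, only 12345 allowed inbound) is the other way to close the gap.

```python
"""Model of nat PREROUTING -> filter FORWARD traversal for the quoted rules."""
from dataclasses import dataclass, replace
from typing import Callable, Optional

SERVER = "192.0.2.10"  # constructed placeholder for $SERVER (TEST-NET-1)


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    orig_dport: Optional[int] = None  # recorded by conntrack before NAT


def nat_prerouting(pkt: Packet) -> Packet:
    """PREROUTING: -d $SERVER --dport 12345 -j DNAT --to-destination $SERVER:22.
    conntrack remembers the original destination port before rewriting it."""
    pkt = replace(pkt, orig_dport=pkt.dport)
    if pkt.dst == SERVER and pkt.dport == 12345:
        return replace(pkt, dport=22)
    return pkt


def forward_original(pkt: Packet) -> bool:
    """The quoted FORWARD rule: -d $SERVER --dport 22 -j ACCEPT.
    It evaluates the post-NAT port, so it cannot tell the two paths apart."""
    return pkt.dst == SERVER and pkt.dport == 22


def forward_restricted(pkt: Packet) -> bool:
    """Hardened rule: additionally require the pre-NAT destination port to
    have been 12345 (what -m conntrack --ctorigdstport 12345 matches)."""
    return forward_original(pkt) and pkt.orig_dport == 12345


def is_forwarded(dport: int, rule: Callable[[Packet], bool]) -> bool:
    """Run one inbound SYN to $SERVER:dport through nat, then the filter rule."""
    return rule(nat_prerouting(Packet(SERVER, dport)))


if __name__ == "__main__":
    for port in (22, 12345):
        print(f"dport {port}: original rule accepts={is_forwarded(port, forward_original)}, "
              f"restricted rule accepts={is_forwarded(port, forward_restricted)}")
```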
