Hello, Frédéric. To block (reject) a TCP port $SERVICE (22 in this case) on the external interface, try a rule like:
# iptables -I INPUT 1 -j REJECT -p tcp -s 0/0 -i $EXTERNAL_INTERFACE --dport $SERVICE

With your earlier rules in place, tcp port 22 on the internal interface and tcp port 12345 on the external interface should both still work.

Best regards,
Stephen Benoit [EMAIL PROTECTED]

> Hi,
>
> I have servers with public IP addresses in a DMZ behind a firewall.
>
> The firewall has two network interfaces, one connected to the DMZ, the
> other to the ISP router.
>
> From the local network, I can access the server via SSH on port 22/TCP.
>
> I would like to access the server from the outside on another port like
> 12345/TCP. I try to translate the SSH port on the firewall with a DNAT
> rule.
>
> I have these rules:
>
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp
> --sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j ACCEPT
>
> iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER
> --dport 12345 -j DNAT --to-destination $SERVER:22
>
> With these rules I can access the server on ports 22/TCP and 12345/TCP.
>
> How can I ensure that access will be possible only on port 12345/TCP and
> not on port 22/TCP?
>
>
> Regards.
> --
> ==============================================
> | FRÉDÉRIC MASSOT                            |
> | http://www.juliana-multimedia.com          |
> | mailto:[EMAIL PROTECTED]                   |
> ===========================Debian=GNU/Linux===
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
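As an added example (not code from either message in this thread), here is a complete rule set for the forwarded case Frédéric describes. Connections that are DNAT'd to the DMZ server pass through the FORWARD chain, and after the PREROUTING rewrite both the redirected 12345 connections and direct port-22 attempts from outside arrive there with --dport 22; what still tells them apart is the original destination port recorded in the conntrack entry, which the conntrack match (xt_conntrack, not the older -m state) can test with --ctorigdstport. The interface names, the server address and the IPTABLES dry-run variable are assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example for the thread above; not code from either message.
# Goal: from the outside, only the DNAT'd port 12345 reaches the DMZ server's
# sshd, direct connections to port 22 from the outside are rejected, and port
# 22 from the internal (DMZ) side is untouched because every rule here matches
# only packets entering on the external interface.
#
# Interface names and addresses are assumed placeholders; set them in the
# environment before running.
EXTERNAL_INTERFACE=${EXTERNAL_INTERFACE:-eth0}
INTERNAL_INTERFACE=${INTERNAL_INTERFACE:-eth1}
SERVER=${SERVER:-192.0.2.10}            # constructed documentation address
UNPRIVPORTS=${UNPRIVPORTS:-1024:65535}
# Set IPTABLES=echo to print the rules instead of loading them (dry run).
IPTABLES=${IPTABLES:-iptables}

apply_rules() {
    # Replies and related packets of already-accepted connections, both ways.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Rewrite outside -> SERVER:12345 to SERVER:22 before the routing decision.
    $IPTABLES -t nat -A PREROUTING -i "$EXTERNAL_INTERFACE" -p tcp -d "$SERVER" \
        --dport 12345 -j DNAT --to-destination "$SERVER":22

    # After that rewrite, both "outside -> 12345" and "outside -> 22" show up in
    # FORWARD with --dport 22. The conntrack entry still carries the original
    # destination port, so accept only connections that started out on 12345.
    $IPTABLES -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$INTERNAL_INTERFACE" -p tcp \
        --sport "$UNPRIVPORTS" -d "$SERVER" --dport 22 \
        -m conntrack --ctstate NEW --ctproto tcp --ctorigdstport 12345 -j ACCEPT

    # Anything else from outside aimed at the server's port 22 (a direct
    # connection to 22) is answered with a TCP reset. Appended with -A, this
    # rule sits after the ACCEPT above, which is the order that matters.
    $IPTABLES -A FORWARD -i "$EXTERNAL_INTERFACE" -p tcp -d "$SERVER" --dport 22 \
        -j REJECT --reject-with tcp-reset
}

# Usage:
#   sh thisscript.sh show    # print the four rules in order, no kernel changes
#   sh thisscript.sh apply   # load them (as root)
case "${1:-}" in
    show)  IPTABLES=echo; apply_rules ;;
    apply) apply_rules ;;
esac
```

Running the script with `show` prints the rules exactly as they would be passed to iptables, which is a cheap way to review the ordering before loading anything: the ESTABLISHED,RELATED rule first, then the DNAT, then the narrow ACCEPT keyed on the original port 12345, and only then the REJECT for port 22. Once loaded, `iptables -L FORWARD -v -n` shows per-rule packet counters, so rejected direct port-22 attempts from outside become visible as a growing count on the last rule.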

