Hi Steve,

> A question that I've recently been mulling is how I can retain this 
> invaluable capability to accept remote SSH connections on 
> port 443 - but 
> also run a standard HTTPS website without needing another public IP 
> address.  I fiddled with netcat and discovered that the two protocols 
> (SSH and HTTPS) behave quite differently in spite of both being 
> 
>            +-------+         +-----+---443-->[apache]
>  O---443-->|NAT-BOX|--1443-->|  ?  |
>            +-------+         +-----+---22--->[sshd]
> 

Maybe the 'Layer-7 Filter' [1] extension for netfilter/iptables can do the
recognition of the service (ssh/https) for you. In theory, two destination
NAT (DNAT) rules in the PREROUTING NAT chain of iptables might then do all
the work for you.


[1] http://l7-filter.sourceforge.net

Also, two example patterns that match the ssh and ssl services can be
found here: http://l7-filter.sourceforge.net/protocols

Regards,
Olaf Niermann

-- 
gentoo-user@gentoo.org mailing list
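The recognition step discussed in this thread, done in user space rather than in netfilter, as an added example that is not from either poster: a small asyncio proxy listens on the NAT-forwarded port 1443, peeks at the client's opening bytes and hands the connection to apache or sshd (backend addresses, listen port and the banner timeout are assumptions). Both protocols let the server decide from what the client sends first: an SSH client opens with its "SSH-2.0-" identification string, a TLS client with a handshake record beginning 0x16 0x03, and a client that sends nothing within the timeout is treated as an SSH client waiting for the server's banner.

```python
import asyncio
from typing import Optional

# Constructed backend addresses, mirroring the diagram (apache on 443, sshd on 22).
BACKENDS = {"tls": ("127.0.0.1", 443), "ssh": ("127.0.0.1", 22)}
LISTEN_PORT = 1443          # the port the NAT box forwards external 443 to
SSH_BANNER_TIMEOUT = 2.0    # some SSH clients wait for the server banner first


def classify(first_bytes: bytes) -> Optional[str]:
    """Return 'ssh', 'tls', or None from the first bytes a client sends.

    SSH: identification string 'SSH-2.0-...' (RFC 4253).
    TLS: record header with content type 0x16 (handshake) and major
    version 0x03 (SSLv3 through TLS 1.3). Anything else is rejected.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return None


async def pipe(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy one direction of the stream; close the peer when our side ends."""
    try:
        while data := await src.read(65536):
            dst.write(data)
            await dst.drain()
    finally:
        dst.close()


async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    try:
        head = await asyncio.wait_for(reader.read(8), SSH_BANNER_TIMEOUT)
        proto = classify(head)
    except asyncio.TimeoutError:
        head, proto = b"", "ssh"   # silent client: assume SSH awaiting our banner
    if proto is None:
        writer.close()             # neither protocol: drop without forwarding
        return
    backend_reader, backend_writer = await asyncio.open_connection(*BACKENDS[proto])
    backend_writer.write(head)     # replay the bytes we peeked at
    await asyncio.gather(pipe(reader, backend_writer), pipe(backend_reader, writer))


async def main() -> None:
    server = await asyncio.start_server(handle, "0.0.0.0", LISTEN_PORT)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```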
