On Sat, 30 Mar 2024, MC_Sequoia wrote:
I'll attempt to demystify and sum up the techno-jargon.
This is common firewall/network security practice. This is an iptables (Linux
firewall) script. The idea is to only accept packets inbound to your network on
a non-default port, such as the three destination ports in the example,
99, 88 and 8889. Only TCP/IP packets with one of those destination ports will be accepted
and then re-routed out of the firewall to a machine on the network that is
set up for SSH access on the default port of 22.
The idea is that only you, the sysadmin, developers, etc. will know to set up
SSH access to your internal PCs/servers, etc. on those non-default ports that
you've chosen, which hopefully aren't the same port numbers as in the example
script!!! =)
Slackware Docs explains this. Reference -
https://docs.slackware.com/howtos:security:ssh
/usr/sbin/iptables -t filter -A INPUT -p tcp -m multiport --dports 99,88,8889 -j REJECT --reject-with tcp-reset
######Then, pick a number between 1 and 4294967295. I'll use 0x13F.
######We're going to tell iptables to reject anything without this mark coming into port 22.
/usr/sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -m connmark ! --mark 0x13F -j REJECT --reject-with tcp-reset
######Now we'll tell iptables what ports we will accept for ssh.
/usr/sbin/iptables -t filter -A FORWARD -p tcp -m multiport --dports 99,88,8889 -j ACCEPT
######In the mangle table we slap our mark on these packets.
######(mangle PREROUTING is evaluated before nat PREROUTING, so the connection carries the mark before it is redirected below.)
/usr/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 99,88,8889 -j CONNMARK --set-mark 0x13F
######Finally in the nat table we tell iptables to send the marked packets back to port 22.
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -m multiport --dports 99,88,8889 -j REDIRECT --to-ports 22
Mike,
I understand the purpose, and I don't know the value of repeating the script
I presented. Do six hash marks have benefits over a single one as marking a
comment?
My question remains.
Regards,
Rich
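As an added example (not part of Mike's quoted script or Rich's message), the same ruleset generated in iptables-restore format by a small POSIX shell function, so the three tables load atomically instead of rule by rule. The function names (gen_ssh_rules, valid_port, valid_mark), the input validation and the iptables-restore layout are mine; the ports 99,88,8889 and the mark 0x13F are the ones from the quoted script, and the final explicit ACCEPT of marked port-22 traffic is an addition so the rules do not depend on the INPUT chain's default policy.

```shell
#!/bin/sh
# Added example, not from the quoted script: emit the "sshd behind
# non-default ports" rules in iptables-restore format so they load atomically.
# gen_ssh_rules, valid_port and valid_mark are names chosen here; the ports
# and mark used in the comments are the quoted script's 99,88,8889 and 0x13F.

# valid_port N: true if N is a port in 1..65535 and not 22 itself
# (redirecting 22 to 22 would mark direct connections to 22 as well).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# valid_mark M: true if M (decimal or 0x-hex) is a non-zero 32-bit value,
# i.e. the 1..4294967295 range the quoted script asks for.
valid_mark() {
    case "$1" in
        0x*) case "${1#0x}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    m=$(( $1 ))
    [ "$m" -ge 1 ] && [ "$m" -le 4294967295 ]
}

# gen_ssh_rules PORTS MARK: print an iptables-restore ruleset on stdout,
# or print an error on stderr and return 1 if the inputs are unusable.
gen_ssh_rules() {
    ports=$1
    mark=$2
    # comma-separated digits only; no empty members, no whitespace
    case "$ports" in
        ''|,*|*,|*,,*|*[!0-9,]*) echo "bad port list: '$ports'" >&2; return 1 ;;
    esac
    for p in $(printf '%s\n' "$ports" | tr ',' ' '); do
        valid_port "$p" || { echo "bad port: '$p'" >&2; return 1; }
    done
    valid_mark "$mark" || { echo "bad mark: '$mark'" >&2; return 1; }

    cat <<EOF
# mangle PREROUTING is evaluated first: tag the whole connection with the mark.
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m multiport --dports $ports -j CONNMARK --set-mark $mark
COMMIT
# nat PREROUTING runs next and rewrites the destination port to 22 (new connections only).
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m multiport --dports $ports -j REDIRECT --to-ports 22
COMMIT
# filter INPUT sees dport 22 for redirected traffic: connections carrying the
# mark get through, anything sent straight to 22 gets a TCP reset.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports $ports -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -m connmark ! --mark $mark -j REJECT --reject-with tcp-reset
# added here: explicit accept, so the rule set still works if INPUT policy is later set to DROP
-A INPUT -p tcp -m tcp --dport 22 -m connmark --mark $mark -j ACCEPT
-A FORWARD -p tcp -m multiport --dports $ports -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: sh thisfile.sh 99,88,8889 0x13F | iptables-restore --test
if [ $# -ge 2 ]; then
    gen_ssh_rules "$1" "$2"
fi
```

Pipe the output into `iptables-restore --test` first to have it parsed without being committed, then into `iptables-restore` to load it. Note that iptables-restore without `--noflush` replaces the whole contents of the mangle, nat and filter tables named in the file, so merge these rules into your existing ruleset rather than loading them over it on a box that already has other rules.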