Goal: access my firewall externally using a non-standard ssh port, but keep
the standard port internally. Additionally, this is a good chance to improve
my understanding of iptables.
Network layout:
IFACE_EXT = Internet
IFACE_INT = Internal network
IFACE_WIFI = Internal WIFI
Current relevant rules:
# Open up these external ports: SSH=2022, HTTP=80, HTTPS=443, SMTP=25
${IPTABLES} -A INPUT -i ${IFACE_EXT} -d ${IPADDR_EXT} -p tcp -m
multiport --destination-port 2020,25,80,443 -m state --state NEW -j ACCEPT
# Allow connections coming from inside
${IPTABLES} -A INPUT -m state --state NEW -i ! ${IFACE_EXT} -j ACCEPT
Current Attempts:
${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j
REDIRECT --to 22
This works as long as I add port 22 to the above ACCEPT statement, but that
would defeat the purpose.
${IPTABLES} -t nat -I PREROUTING -i {IFACE_EXT} -p tcp --dport 2022 -j
DNAT --to ${IPADDRE_INT}:22
This looks to me like it should work, but the port still reports as being
closed.
On both of these rules, I have also tried -I to account for previous rules
handling the packets, and -m tcp because Google suggested it.
_Bonus Question_
When I first wrote this script a couple of years ago, I put this line in:
# Don't forward from the outside to the inside.
${IPTABLES} -A FORWARD -i ${IFACE_EXT} -o ${IFACE_EXT} -j REJECT
Looking at that line today, it doesn't make much sense. Does this do something
I'm not aware of? Shouldn't I have written -o ${IFACE_INT}?
Thanks in advance,
Richard Esplin
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
