
Re: DNAT TCP 12345 -> 22



Márcio H. Parreiras wrote:
Try the rules below, simple and clean:

EXT_IF='eth1'    # the interface connected to Internet
SERVER='192.168.0.1' # or any other IP allocated to the machine
SSH='22'
SSH_SERVER='12345'    # or another port you want
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $SSH_SERVER -j DNAT --to $SERVER:$SSH
$IPTABLES -t filter -A FORWARD -i $EXT_IF -p tcp --dport $SSH -d $SERVER -j ACCEPT

note: server's sshd may listen on port 22 only.

Hi,

I think your rules correspond to mine:

iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp --sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER --dport 12345 -j DNAT --to-destination $SERVER:22

The problem is that it opens the ports 22 and 12345 to the server.

Regards.
--
==============================================
|              FRÉDÉRIC MASSOT               |
|     http://www.juliana-multimedia.com      |
|   mailto:frederic@juliana-multimedia.com   |
===========================Debian=GNU/Linux===
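
Added example, not part of the original message or of either poster's rule set: the FORWARD rules above match the post-DNAT port 22, so a direct connection to port 22 passes as well. One way to accept only connections that arrived on 12345 is the conntrack match's --ctorigdstport option, which tests the pre-DNAT destination port. The function names and the APPLY switch are assumptions; the interface, address and ports are the sample values from the thread.

```shell
#!/bin/sh
# Prints (dry run) or applies DNAT rules that expose only the public port.
# dnat_rules, run and APPLY are hypothetical names used for this example.

IPTABLES=${IPTABLES:-iptables}

# Succeeds only for a decimal port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# usage: dnat_rules EXT_IF SERVER_IP PUBLIC_PORT REAL_PORT
dnat_rules() {
    ext_if=$1 server=$2 pub=$3 real=$4
    valid_port "$pub" && valid_port "$real" || { echo "bad port" >&2; return 1; }
    [ "$pub" != "$real" ] || { echo "ports must differ" >&2; return 1; }

    # 1. Rewrite PUBLIC_PORT to REAL_PORT before the routing decision.
    echo "$IPTABLES -t nat -A PREROUTING -i $ext_if -p tcp -d $server --dport $pub -j DNAT --to-destination $server:$real"
    # 2. Accept new connections to REAL_PORT only if the client originally
    #    addressed PUBLIC_PORT (the original tuple is kept by conntrack).
    echo "$IPTABLES -A FORWARD -i $ext_if -p tcp -d $server --dport $real -m conntrack --ctstate NEW --ctorigdstport $pub -j ACCEPT"
    # 3. Drop new connections that targeted REAL_PORT directly.
    echo "$IPTABLES -A FORWARD -i $ext_if -p tcp -d $server --dport $real -m conntrack --ctstate NEW -j DROP"
}

# Dry run by default; set APPLY=1 (as root) to execute the generated commands.
run() {
    rules=$(dnat_rules "$@") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

run eth1 192.168.0.1 12345 22
```

Packets after the first one still need the usual ESTABLISHED,RELATED accept rule in FORWARD, which the `--state NEW` rule in the message above also presupposes.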

