FW: DNAT SSH

Alistair Reay Alistair.Reay at tvnz.co.nz
Fri Feb 1 04:00:26 UTC 2008


> ________________________________
> 
> From: Geofrey Rainey
> Sent: Thursday, 31 January 2008 1:13 p.m.
> To: 'netfilter at vger.kernel.org'
> Subject: DNAT SSH
> 
> 
> Hello,
>  
> I would like to obscure the SSHD listening port from 22 to another, 
> but allow
> 22 access from the local subnet.
>  
> Described succinctly, this is what I think I need:
>  
>  
> NAT PREROUTING chain:
>  
> 1. -s anywhere --dport 5000 -j DNAT --to-destination :22
>  
> FILTER INPUT chain:
>  
> 2. -s subnet --dport 22 -j ACCEPT
>  
> 3. all others -j REJECT
>  
> The problem is the packet arrives on 5000 and is natted to 22 
> correctly (1. - all good so far), but because its source IP is not the
> local subnet (defined in 2.), it is rejected in the filter INPUT chain
> (3).
>  
> So I'm thinking something like the following:
>  
> a. can the packet bypass the INPUT filter chain?
> b. how can I identify my natted packet within the INPUT filter chain 
> and thus ACCEPT it?
>  

> I think the simplest solution is to get sshd to listen on both ports.
> No need for complicated NATting or other fancy stuff. Once sshd is
> listening to both ports you can restrict port 22 to the subnet using
> iptables, and leave port 5000 open.
> 
> To get sshd to listen to multiple ports use two Port options in
> /etc/sshd_config, i.e. two lines, one with "Port 22" and another with
> "Port 5000".
> 
> This is what I do, and it works.
> 
> --
> Nigel Wade


That's a nice clean solution.
If you want to use iptables exclusively, this configuration will work
for you. You will need to load the iptables module 'xt_CONNMARK'.

# This marks the connection for you. You need to do this because after the
# DNAT, the filter table's INPUT chain can't distinguish between someone who
# comes directly to tcp/22 and someone who has been DNAT'd to tcp/22.
# (The mark must key on the same outside port the DNAT rule below matches.)
$iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 5000 -j CONNMARK --set-mark 0x1

# This is the actual DNAT.
$iptables -t nat -A PREROUTING -d ${machine_ip} -p tcp -m tcp --dport 5000 -j DNAT --to-destination ${machine_ip}:22

# We want to allow the marked packets in because they have been DNAT'd
# from our 'secret' port.
$iptables -t filter -A INPUT -p tcp -m connmark --mark 0x1 -j ACCEPT

# Now just some standard allow/deny stuff to allow your subnet in and
# keep everyone else out.
$iptables -t filter -A INPUT -s ${local_subnet} -p tcp -m tcp --dport 22 -j ACCEPT
$iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j DROP

I tested this out and it all works fine.

Cheers
Al





Alistair Reay
Senior Systems Engineer
D. 64 9 916 7937
M. 64 21 514 085
alistair.reay at tvnz.co.nz
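The CONNMARK-plus-DNAT approach above, written out as an added example (not Al's script and not part of the original thread) so the rule set can be reviewed as text before anything is applied. It keeps the five rules in evaluation order, checks that the port the mangle rule marks on is the same port the DNAT rule rewrites (the failure mode that silently leaves DNAT'd sessions unmarked and dropped), and only talks to iptables through `$IPT`, so `IPT=echo` gives a dry run. The addresses `192.0.2.10` and `192.0.2.0/24`, the variable names, and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script: builds the CONNMARK + DNAT rule
# set for exposing sshd on an alternate outside port while keeping tcp/22
# restricted to the local subnet. Addresses are constructed placeholders.

MACHINE_IP="${MACHINE_IP:-192.0.2.10}"        # assumption: host's public address
LOCAL_SUBNET="${LOCAL_SUBNET:-192.0.2.0/24}"  # assumption: trusted local subnet
PUBLIC_PORT="${PUBLIC_PORT:-5000}"            # the obscured outside port
SSH_PORT="${SSH_PORT:-22}"                    # port sshd actually listens on
MARK="${MARK:-0x1}"                           # connmark for DNAT'd sessions
IPT="${IPT:-iptables}"                        # set IPT=echo for a dry run

# Print one rule per line, in evaluation order. mangle PREROUTING runs before
# nat PREROUTING, so the mark rule sees the original (pre-DNAT) dport; by the
# time the packet reaches filter INPUT its dport has already become SSH_PORT.
ssh_dnat_rules() {
cat <<EOF
-t mangle -A PREROUTING -d $MACHINE_IP -p tcp --dport $PUBLIC_PORT -j CONNMARK --set-mark $MARK
-t nat -A PREROUTING -d $MACHINE_IP -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $MACHINE_IP:$SSH_PORT
-t filter -A INPUT -p tcp --dport $SSH_PORT -m connmark --mark $MARK -j ACCEPT
-t filter -A INPUT -s $LOCAL_SUBNET -p tcp --dport $SSH_PORT -j ACCEPT
-t filter -A INPUT -p tcp --dport $SSH_PORT -j DROP
EOF
}

# Sanity check: the port the CONNMARK rule keys on must equal the port the
# DNAT rule matches, otherwise the connection is never marked and the final
# DROP rule catches it. Returns 0 when the two rules agree.
check_ports_consistent() {
    mark_port=$(ssh_dnat_rules | sed -n '1s/.*--dport \([0-9]*\).*/\1/p')
    dnat_port=$(ssh_dnat_rules | sed -n '2s/.*--dport \([0-9]*\).*/\1/p')
    [ -n "$mark_port" ] && [ "$mark_port" = "$dnat_port" ]
}

# Feed each rule to $IPT, refusing to apply an inconsistent set. With
# IPT=echo this only prints the commands that would run.
apply_rules() {
    check_ports_consistent || { echo "port mismatch, refusing to apply" >&2; return 1; }
    ssh_dnat_rules | while IFS= read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        $IPT $rule || return 1
    done
}

# Usage (dry run):   . ./ssh_dnat.sh; IPT=echo; apply_rules
# Usage (as root):   . ./ssh_dnat.sh; apply_rules
```

Nothing is applied when the file is sourced; call `apply_rules` explicitly, first with `IPT=echo` to read the rules back, then as root with the default. The ACCEPT for marked packets carries `--dport $SSH_PORT` so the mark only ever admits traffic to sshd, and the trailing DROP closes tcp/22 to everything that is neither marked nor from the local subnet.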
	