Thank you Andrew for your answer to the bonus question. I do have a default DROP rule and explicitly open up IFACE_EXT to IFACE_INT elsewhere in my script. I probably added the two types of rules at different times.
As for your suggestion on the main goal of redirecting 2022 on the EXT_IP to 22 on INT_IP, I haven't been able to get it to work. Here is what I tried:

${IPTABLES} -A FORWARD -i ${IFACE_EXT} -p tcp --dport 22 -j ACCEPT
${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -p tcp --dport 22 -j DROP
${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j REDIRECT --to 22

It complains that DROP on the NAT table is deprecated. Even ignoring the warning, I can't connect. PREROUTING appears to be a NAT-specific chain, as I couldn't use it on the default table.

I also tried replacing the second line with:

${IPTABLES} -A INPUT -i ${IFACE_EXT} -p tcp --dport 22 -j DROP

But still couldn't connect on 2022. Any other ideas?

Richard

On Monday 20 April 2009 13:48:32 Andrew McNabb <amcn...@mcnabbs.org> wrote:
> On Mon, Apr 20, 2009 at 01:38:23PM -0600, Richard Esplin wrote:
> > Current relevant rules:
> > # Open up these external ports: SSH=2022, HTTP=80, HTTPS=443, SMTP=25
> > ${IPTABLES} -A INPUT -i ${IFACE_EXT} -d ${IPADDR_EXT} -p tcp -m multiport --destination-port 2020,25,80,443 -m state --state NEW -j ACCEPT
> > # Allow connections coming from inside
> > ${IPTABLES} -A INPUT -m state --state NEW -i ! ${IFACE_EXT} -j ACCEPT
> >
> > Current Attempts:
> > ${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j REDIRECT --to 22
> >
> > This works as long as I add port 22 to the above ACCEPT statement, but
> > that would defeat the purpose.
>
> I think the problem is that nat is changing the destination port before
> it ever looks at the forwarding rules. Could you add a forwarding rule
> that allows port 22 to be forwarded and then add a prerouting rule to
> block port 22? I think this would work, but there might be a better
> way.
>
> > _Bonus Question_
> > When I first wrote this script a couple of years ago, I put this line in:
> > # Don't forward from the outside to the inside.
> > ${IPTABLES} -A FORWARD -i ${IFACE_EXT} -o ${IFACE_EXT} -j REJECT
> >
> > Looking at that line today, it doesn't make much sense. Does this do
> > something I'm not aware of? Shouldn't I have written -o ${IFACE_INT}?
>
> It's just trying to make it so external traffic can't somehow hop
> through your router. I would prefer to make a default REJECT rule and
> specifically open up forwarding from IFACE_EXT to IFACE_INT, but it's
> the same idea.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
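The ordering Andrew points at (nat PREROUTING rewrites the port before filter INPUT ever sees the packet) can be handled without opening port 22 to the outside by tagging the packet in the mangle table, which runs before the rewrite. This is an added example, not code from the thread; it reuses Richard's variable names and assumes the setup he describes: a default DROP on INPUT and a rule accepting ESTABLISHED,RELATED traffic.

```shell
#!/bin/sh
# Added example, not code from the thread. Variable names (IPTABLES,
# IFACE_EXT) are Richard's; the mark value and default interface are mine.
# Assumes what Richard describes: a default DROP on INPUT plus a rule that
# accepts ESTABLISHED,RELATED traffic, so only the first packet of each
# new connection needs an explicit ACCEPT.
IPTABLES=${IPTABLES:-iptables}
IFACE_EXT=${IFACE_EXT:-eth0}   # placeholder; set to the real external interface
SSH_MARK=0x7e6                 # arbitrary packet mark (2022 in hex)

# Prints the rules rather than applying them, so the set can be reviewed
# (or grepped in a test) without root; apply with: ssh_redirect_rules | sh
ssh_redirect_rules() {
    # mangle/PREROUTING is traversed before nat/PREROUTING, so the packet
    # still carries dport 2022 here: tag it before REDIRECT rewrites it.
    echo "$IPTABLES -t mangle -A PREROUTING -i $IFACE_EXT -p tcp --dport 2022" \
         "-j MARK --set-mark $SSH_MARK"
    # nat/PREROUTING rewrites 2022 -> 22 for the router's own sshd (only the
    # first packet of a connection is seen here; conntrack handles the rest).
    echo "$IPTABLES -t nat -A PREROUTING -i $IFACE_EXT -p tcp --dport 2022" \
         "-j REDIRECT --to-ports 22"
    # filter/INPUT runs after nat, so it sees dport 22 and would need a plain
    # port-22 ACCEPT, the thing Richard wants to avoid. Matching on the mark
    # instead admits only connections that arrived on 2022; an external SYN
    # sent straight to port 22 carries no mark and hits the default DROP.
    echo "$IPTABLES -A INPUT -i $IFACE_EXT -p tcp --dport 22 -m mark --mark $SSH_MARK" \
         "-m state --state NEW -j ACCEPT"
}

# Sanity check on the generated set: number of INPUT ACCEPTs for port 22
# that lack the mark condition. Should be 0, i.e. no unconditional opening.
unconditional_port22_accepts() {
    ssh_redirect_rules | grep -- '-A INPUT' | grep -- '--dport 22 ' \
        | grep -v -- '-m mark' | grep -c -- '-j ACCEPT'
}

# Number of rules that reference the mark (expect 2: one sets it, one matches it).
mark_rule_count() {
    ssh_redirect_rules | grep -c -- "$SSH_MARK"
}
```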