Re: DNAT TCP 12345 -> 22

by "Stephen Benoit (Linux)" <linux@[EMAIL PROTECTED] > Mar 20, 2008 at 10:40 PM

Hello, Frédéric.

To block (reject) a TCP port $SERVICE (22 in this case) on the external
interface, try a rule like:

# iptables -I INPUT 1 -j REJECT -p tcp -s 0/0 -i $EXTERNAL_INTERFACE --dport $SERVICE

With your earlier rules in place, tcp port 22 on the internal interface
and tcp port 12345 on the external interface should both still work.

Best regards,
Stephen Benoit
linux@[EMAIL PROTECTED]
> Hi,
>
> I have servers with public IP addresses in a DMZ behind a firewall.
>
> The firewall has two network interfaces, one connected to the DMZ, the
> other to the ISP router.
>
> From the local network, I can access the server via SSH on port 22/TCP.
>
> I would like to access the server from the outside on another port like
> 12345/TCP. I try to translate the SSH port on the firewall with a DNAT
> rule.
>
> I have these rules:
>
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp
> --sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j ACCEPT
>
> iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER
> --dport 12345 -j DNAT --to-destination $SERVER:22
>
> With these rules I can access the server on ports 22/TCP and 12345/TCP.
>
> How can I ensure that access will be possible only on port 12345/TCP and
> not on port 22/TCP?
>
>
> Regards.
> --
> ==============================================
> |              FRÉDÉRIC MASSOT               |
> |     http://www.juliana-multimedia.com      |
> |   mailto:frederic@[EMAIL PROTECTED]        |
> ===========================Debian=GNU/Linux===
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@[EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@[EMAIL PROTECTED]
>
>
>
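
An added example, not part of the thread: forwarded packets reach the FORWARD chain after PREROUTING has already rewritten the destination port, so this script prints rules that accept SSH only when conntrack's original (pre-NAT) destination port was 12345, and audits a rule list for FORWARD ACCEPT rules that lack that check. The interface names, server address, source-port range and function names are constructed for illustration; reply traffic from the server is assumed to be allowed by existing rules.

```shell
#!/bin/sh
# Added example; interface names and the server address are constructed.
EXT=eth0; INT=eth1; SERVER=192.0.2.10
PUBLIC_PORT=12345; SERVICE=22
UNPRIVPORTS=1024:65535   # assumed value for the question's $UNPRIVPORTS

# The two rules from the question, with the sample values filled in.
original_rules() {
    cat <<EOF
iptables -A FORWARD -i $EXT -o $INT -p tcp --sport $UNPRIVPORTS -d $SERVER --dport $SERVICE -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $EXT -p tcp -d $SERVER --dport $PUBLIC_PORT -j DNAT --to-destination $SERVER:$SERVICE
EOF
}

# Same DNAT rule, but FORWARD lets external packets reach $SERVICE only when
# the connection's pre-NAT destination port was $PUBLIC_PORT. Connections
# made directly to $SERVICE from outside fall through to the REJECT rule.
hardened_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXT -p tcp -d $SERVER --dport $PUBLIC_PORT -j DNAT --to-destination $SERVER:$SERVICE
iptables -A FORWARD -i $EXT -o $INT -p tcp -d $SERVER --dport $SERVICE -m conntrack --ctorigdstport $PUBLIC_PORT -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -p tcp -d $SERVER --dport $SERVICE -j REJECT --reject-with tcp-reset
EOF
}

# Read rules on stdin (iptables commands or iptables-save lines) and print
# every FORWARD ACCEPT rule that admits external traffic to $SERVICE without
# constraining the original destination port.
audit_forward() {
    grep -e '-A FORWARD' | grep -e "-i $EXT " | grep -e "--dport $SERVICE " \
        | grep -e '-j ACCEPT' | grep -v -e '--ctorigdstport' || true
}

# Print the hardened rules for review; nothing is applied to the firewall.
hardened_rules
```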