Chris Henry wrote:
> On Fri, Mar 21, 2008 at 2:44 AM, Frédéric Massot <frederic@[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> I have servers with public IP addresses in a DMZ behind a firewall.
>>
>> The firewall has two network interface, one connected to the DMZ, the
>> other to the ISP router.
>>
>> From the local network, I can access the server via SSH on port 22/TCP.
>>
>> I would like to access the server from the outside on another port like
>> 12345/TCP. I try to translate the SSH port on the firewall with a DNAT rule.
>>
>> I have these rules :
>>
>> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp --sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j ACCEPT
>>
>> iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER --dport 12345 -j DNAT --to-destination $SERVER:22
>>
>> With these rules I can access the server on ports 22/TCP and 12345/TCP.
>>
>> How can I ensure that access will be possible only on port 12345/TCP and
>> not on port 22/TCP?
> Do you set default policy for INPUT (and possibly FORWARD if you don't
> want any connection to be forwarded to internal LAN) to be
> DROP/REJECT? With default policy, as long as you don't specify any
> rule, it will be dropped/rejected.
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
Hi,
All chains have a DROP policy on the filter table; I open only the necessary
ports.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
Is it that I should also put a DROP policy on the nat and mangle tables?
Regards.
--
==============================================
| FRÉDÉRIC MASSOT |
| http://www.juliana-multimedia.com
|
| mailto:frederic@[EMAIL PROTECTED]
|
===========================Debian=GNU/Linux===
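The reason both ports are reachable is that DNAT in nat/PREROUTING rewrites 12345 to 22 before the packet reaches FORWARD, so a FORWARD rule matching `--dport 22` accepts the translated connection and a direct connection to 22/TCP alike; the nat and mangle policies play no part in it. The rule set below (an added example, not from the thread) ties the FORWARD accept to the port the connection originally arrived on, via the conntrack match's `--ctorigdstport`; the `ipt` wrapper, `DRY_RUN` switch, `check_rules` helper and the 192.0.2.10 address are my constructions for illustration, and the variable names follow the original rules.

```shell
#!/bin/sh
# Defaults are constructed for the example; override them from the environment.
EXTERNAL_INTERFACE=${EXTERNAL_INTERFACE:-eth0}
INTERNAL_INTERFACE=${INTERNAL_INTERFACE:-eth1}
SERVER=${SERVER:-192.0.2.10}             # constructed DMZ host (documentation range)
UNPRIVPORTS=${UNPRIVPORTS:-1024:65535}

# Wrapper (hypothetical helper): with DRY_RUN=1 print the rules instead of applying them.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

ssh_dnat_rules() {
    # 1. Rewrite 12345/TCP to 22/TCP before routing (same DNAT as in the thread).
    ipt -t nat -A PREROUTING -i "$EXTERNAL_INTERFACE" -p tcp -d "$SERVER" \
        --dport 12345 -j DNAT --to-destination "$SERVER":22
    # 2. In FORWARD the packet already carries dport 22, so key the accept on the
    #    ORIGINAL destination port recorded by conntrack. A connection that
    #    entered as 12345 matches; a direct 22/TCP from outside has
    #    ctorigdstport 22, matches nothing, and hits the DROP policy.
    ipt -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$INTERNAL_INTERFACE" -p tcp \
        --sport "$UNPRIVPORTS" -d "$SERVER" --dport 22 \
        -m conntrack --ctstate NEW --ctorigdstport 12345 -j ACCEPT
    # 3. Replies and follow-up packets of connections already accepted.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Self-check: count FORWARD accepts for dport 22 that are bound to the DNAT'd port.
check_rules() {
    ( DRY_RUN=1; ssh_dnat_rules ) | grep -c -- '--dport 22 .*--ctorigdstport 12345'
}
```

`--ctorigdstport` needs a conntrack match that supports the original-tuple port options; where it is missing, `-m conntrack --ctstate DNAT` on the same rule is a coarser substitute that still refuses an untranslated connection to 22/TCP.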