Hello,
Frédéric Massot wrote:
>
> I have servers with public IP addresses in a DMZ behind a firewall.
>
> The firewall has two network interface, one connected to the DMZ, the
> other to the ISP router.
>
> From local network, I can access the server via SSH on port 22/TCP.
What local network ?
> I would like to access the server from the outside on another port like
> 12345/TCP. I try to translate the SSH port on the firewall with a DNAT
> rule.
>
> I have these rules :
>
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -p tcp
> --sport $UNPRIVPORTS -d $SERVER --dport 22 -m state --state NEW -j
> ACCEPT
>
> iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp -d $SERVER
> --dport 12345 -j DNAT --to-destination $SERVER:22
>
> With these rules I can access the server on ports 22/TCP and 12345/TCP.
>
> How can I ensure that access will be possible only on port 12345/TCP and
> not on port 22/TCP?
There are several available methods, all involving some action in the
PREROUTING chains before the DNAT rule is reached, because after it is
too late.
1) Drop packets to $SERVER:22 in mangle/PREROUTING or raw/PREROUTING
(the latter requires a kernel >= 2.6.6). Not my preferred method, as
packet filtering is not the primary purpose of the mangle and raw
tables, and they do not support the REJECT target.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
-p tcp --dport 22 -j DROP
2) Mark packets to $SERVER:22 in mangle/PREROUTING and drop or reject
the marked packets in filter/FORWARD before the ACCEPT rule.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
-p tcp --dport 22 -j MARK --set-mark 0x22
iptables -A FORWARD -m mark --mark 0x22 -p tcp \
-j REJECT --reject-with tcp-reset
3) Conversely, mark packets to $SERVER:12345 in mangle/PREROUTING and
accept only packets to $SERVER:22 with the mark in filter/FORWARD.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
-p tcp --dport 12345 -j MARK --set-mark 0x12345
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
-d $SERVER -p tcp --dport 22 -m mark --mark 0x12345 -j ACCEPT
4) Mark new connections to $SERVER:12345 in mangle/PREROUTING and accept
only packets to $SERVER:22 with the connection mark in filter/FORWARD.
Requires kernel >= 2.6.10 or with the connmark patch.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
-m state --state NEW -p tcp --dport 12345 \
-j CONNMARK --set-mark 0x12345
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
-d $SERVER -p tcp --dport 22 -m connmark --mark 0x12345 -j ACCEPT
5) DNAT connections to $SERVER:22 in nat/PREROUTING to whatever
destination you want and drop/reject them in FORWARD or INPUT depending
whether the new destination is local or remote. Not my preferred method.
6) Skip connection tracking on packets to $SERVER:22 in raw/PREROUTING
with the NOTRACK target. The packets will have the UNTRACKED state, so
you can drop or reject packets matching that state in filter/FORWARD.
Requires a kernel >= 2.6.6. Not my preferred method either.
iptables -t raw -A PREROUTING -i $EXTERNAL_INTERFACE -d $SERVER \
-p tcp --dport 22 -j NOTRACK
iptables -A FORWARD -m state --state UNTRACKED \
-p tcp -j REJECT --reject-with tcp-reset
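To make the ordering argument concrete, here is an added example (not code from the list thread) that models the hook order a forwarded SYN passes through: mangle/PREROUTING, then nat/PREROUTING where the poster's DNAT runs, then filter/FORWARD. It shows that without a mark set before DNAT, FORWARD sees dport 22 in both cases and cannot tell them apart, and that method 2 (MARK then REJECT) fixes that. Interface names, the server address and a DROP default policy are assumed.

```python
# Minimal model of the netfilter traversal for one inbound TCP SYN.
# Constructed example; $SERVER and interface names are placeholders.
EXTERNAL, INTERNAL, SERVER = "eth0", "eth1", "192.0.2.10"  # assumed values

def pkt(dport, iface=EXTERNAL):
    # Constructed sample packet: new connection from the ISP side.
    return {"in": iface, "dst": SERVER, "proto": "tcp", "dport": dport,
            "mark": 0, "state": "NEW"}

def mangle_prerouting(p, mark_direct_22):
    # Method 2 from the reply: mark traffic to $SERVER:22 BEFORE nat runs,
    # while the original destination port is still visible.
    if mark_direct_22 and p["in"] == EXTERNAL and p["dst"] == SERVER \
            and p["dport"] == 22:
        p["mark"] = 0x22
    return p

def nat_prerouting(p):
    # The poster's DNAT rule: 12345 -> 22. Runs after mangle/PREROUTING.
    if p["in"] == EXTERNAL and p["dst"] == SERVER and p["dport"] == 12345:
        p["dport"] = 22
    return p

def filter_forward(p):
    # filter/FORWARD only sees the post-DNAT port, so dport == 22 for both
    # the direct and the translated connection; only the mark differs.
    if p["mark"] == 0x22:
        return "REJECT"            # tcp-reset for direct port 22 attempts
    if p["in"] == EXTERNAL and p["dport"] == 22 and p["state"] == "NEW":
        return "ACCEPT"            # the poster's original FORWARD rule
    return "DROP"                  # assumed default policy

def traverse(dport, mark_direct_22):
    p = mangle_prerouting(pkt(dport), mark_direct_22)
    p = nat_prerouting(p)
    return filter_forward(p)

def port_seen_in_forward(dport):
    # What FORWARD observes for a given original destination port.
    return nat_prerouting(pkt(dport))["dport"]

def outcomes(mark_direct_22):
    # Verdict per original destination port, with and without method 2.
    return {d: traverse(d, mark_direct_22) for d in (22, 12345)}
```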