I want to make post- and prerouting rules to allow the following: I have an ssh server running on the internal network at port 22 that I want to make available externally on say port 2200. How would I proceed to make this possible?

I have the following prerouting rule, but I suspect I need to somehow counter the port 22 data from the internal IP and send it to 170 on the firewall (192.168.0.1), while still making it available internally on port 22 using postrouting. I tried the below with no luck.

Prerouting:
tcp dport 2200 dnat to 192.168.0.2:22

Postrouting (does not work!):
ip saddr 192.168.0.2:22 ip daddr != 192.168.0.1/24 tcp dport 22 counter dnat to 192.168.0.1:2200

Any help is greatly appreciated!

Henrik_er
  • You won't need a postrouting rule to do the opposite. You will need to make sure you're not filtering 22 in the forwarding table and ensure you have packet forwarding enabled. – Matthew Ife Nov 05 '20 at 15:18
  • Already have forwarding enabled. Not filtering 22, but do have ssh server running on 22 on the firewall. Any way to work around this? Having both available on 22 on the internal network, while exposing the internal @ 2200 externally? – Henrik_er Nov 05 '20 at 15:22
  • I'm not sure I understand the question correctly. Can you provide additional information in the question? 1/ ensure that no iptables-legacy is in use 2/ give all nftables rules: `nft list ruleset` 3/ give the addresses and routes in use on the firewall (feel free to obfuscate a public side) 4/ are you concerned by a single ssh server running on 192.168.0.2 or are you concerned by multiple ssh servers? If more than one, can you give more details? 5/ explain what is port 170, it doesn't appear to have any relation to other settings or to port 2200. – A.B Nov 05 '20 at 20:24
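The setup asked for above (external 2200 forwarded to the internal server's 22, with the firewall's own sshd still on 22 and no reverse postrouting rule), as an added nftables ruleset that is not part of the question or comments. It assumes the WAN interface is named "eth0", the LAN is 192.168.0.0/24 with the firewall at 192.168.0.1, and the internal SSH server is 192.168.0.2; these names and addresses are assumptions, and `net.ipv4.ip_forward=1` must be set separately.

```nft
#!/usr/sbin/nft -f
# Added example, not from the question or comments. Assumed names:
# WAN interface "eth0", LAN 192.168.0.0/24, firewall 192.168.0.1,
# internal SSH server 192.168.0.2. Requires net.ipv4.ip_forward=1.
flush ruleset

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Rewrite the destination of outside traffic arriving on 2200 to the
        # internal server's port 22. Conntrack records the translation and
        # reverses it on replies, so no matching postrouting rule is needed.
        iifname "eth0" tcp dport 2200 dnat ip to 192.168.0.2:22
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source NAT only for LAN hosts going out to the internet.
        oifname "eth0" ip saddr 192.168.0.0/24 masquerade
    }
}

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # The firewall's own sshd on 22 stays reachable from the LAN only.
        # External 2200 never reaches this chain: prerouting has already
        # rewritten it to 192.168.0.2:22, so it takes the forward path.
        iifname != "eth0" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may reach the outside (this also covers LAN-to-LAN
        # traffic to 192.168.0.2:22, which never crosses the firewall).
        iifname != "eth0" oifname "eth0" accept
        # From the outside, admit only connections that prerouting DNATed
        # to the internal SSH server; everything else inbound is dropped.
        iifname "eth0" ct status dnat ip daddr 192.168.0.2 tcp dport 22 accept
    }
}
```

Load it with `nft -f <file>` and confirm the translation with `conntrack -L` or `nft list ruleset` while an external client connects to port 2200.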

0 Answers