forwarding ssh requests

David A. Sinck plug-discuss@lists.plug.phoenix.az.us
Tue, 20 May 2003 13:00:53 -0700


\_ SMTP quoth Liberty Young on 5/20/2003 12:49 as having spake thusly:
\_
\_ This: 
\_ /sbin/iptables -t nat  -A PREROUTING -p tcp -m tcp --dport 3022 \
\_                         -j DNAT --to-destination 192.168.0.10:22
\_ doesn't work for me. 
\_ 
\_ Here's what I have right now: 
\_ [root@athena init.d]# iptables -L 
\_ Chain INPUT (policy ACCEPT)
\_ target     prot opt source               destination         
\_ ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh 
\_ ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
\_ ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:3022
\_ 
\_ Chain FORWARD (policy ACCEPT)
\_ target     prot opt source               destination         
\_ ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED 
\_ DROP       all  --  anywhere             anywhere           state INVALID,NEW 

You're going to have to allow new inbound packets on your forward
chain for the relevant ports.  Probably

/sbin/iptables -I FORWARD -p tcp --dport 22 -j ACCEPT

otherwise, it's a real short trip.

I'd probably also be inclined to change the policy on several of your
chains to DROP, but that's just me.

\_ ACCEPT     all  --  anywhere             anywhere           
\_ LOG        all  --  anywhere             anywhere           LOG level warning 
\_ 
\_ [...]


YMMV.

David
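
Added example, not part of the original message: a small Python model of the order in which netfilter handles a forwarded packet (nat PREROUTING first, then filter FORWARD), using the rules quoted in this thread. It shows that the FORWARD chain sees the packet after DNAT has rewritten it, so an ACCEPT rule has to match the translated destination 192.168.0.10:22 rather than the original port 3022. The Packet class, the function names and the "firewall" address are assumptions made for the illustration.

```python
# Added example: minimal model of netfilter ordering for a forwarded packet
# (nat PREROUTING runs first, then filter FORWARD). Not real iptables.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    state: str  # conntrack state: "NEW", "ESTABLISHED", ...

# DNAT rule from the thread: tcp dport 3022 -> 192.168.0.10:22
DNAT = {3022: ("192.168.0.10", 22)}

def prerouting(pkt):
    """nat PREROUTING: rewrite destination before routing and filtering."""
    if pkt.dport in DNAT:
        dst, dport = DNAT[pkt.dport]
        return replace(pkt, dst=dst, dport=dport)
    return pkt

def forward(pkt, rules, policy="ACCEPT"):
    """filter FORWARD: first matching rule wins, else the chain policy."""
    for match, target in rules:
        if match(pkt):
            return target
    return policy

# FORWARD chain as listed in the thread (constructed from the iptables -L output)
BASE = [
    (lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),
    (lambda p: p.state in ("INVALID", "NEW"), "DROP"),
]

def verdict(extra_rule):
    """Verdict for a new connection to firewall port 3022, with extra_rule
    inserted at the top of FORWARD (what iptables -I does)."""
    pkt = prerouting(Packet(dst="firewall", dport=3022, state="NEW"))
    rules = ([extra_rule] if extra_rule else []) + BASE
    return forward(pkt, rules)

# Matching the pre-NAT port never fires: FORWARD already sees dport 22.
on_original_port = (lambda p: p.dport == 3022, "ACCEPT")
# Matching the translated destination does, and stays scoped to one host.
on_translated = (lambda p: p.dst == "192.168.0.10" and p.dport == 22, "ACCEPT")

if __name__ == "__main__":
    for name, rule in [("none", None), ("dport 3022", on_original_port),
                       ("-d 192.168.0.10 dport 22", on_translated)]:
        print(f"{name:26} -> {verdict(rule)}")
```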