Bill Hendrickson wrote:
>> In the FORWARD chain the destination port has already been changed by
>> the DNAT rule just like the destination address, so this rule must match
>> on destination port 22, not on the original destination port.
>
> So you're saying it needs to be this?
>
> $IPT -A FORWARD -p tcp -i $EXT_IFACE -o $INT_IFACE -d $SSH_HOST
> --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT

Correct.

> For now, I've actually got it like this (which is working, but I
> should lock it down):
>
> -A FORWARD -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

This is much too permissive; it allows any connection through the router.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
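The following is an added example, not part of the thread above: it puts the DNAT rule and the locked-down FORWARD rule from the exchange into one script, with conntrack handling return traffic and a DROP policy replacing the blanket "NEW,RELATED,ESTABLISHED -j ACCEPT" rule. Interface names, the 192.0.2.10 host address and the public port 2222 are constructed placeholders; IPT defaults to "echo iptables" so the script prints rules instead of applying them. A small lint function flags FORWARD rules that accept NEW connections without an interface, destination or port restriction, which is the pattern the reply calls much too permissive.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): SSH port-forward with a
# FORWARD rule that matches the post-DNAT destination, plus a lint for the
# over-permissive FORWARD pattern. All names/addresses below are constructed.

EXT_IFACE=${EXT_IFACE:-eth0}       # assumed external interface
INT_IFACE=${INT_IFACE:-eth1}       # assumed internal interface
SSH_HOST=${SSH_HOST:-192.0.2.10}   # constructed (TEST-NET-1) internal host
PUB_PORT=${PUB_PORT:-2222}         # constructed public port DNATed to 22
IPT=${IPT:-"echo iptables"}        # dry-run by default; IPT=iptables applies

# Emit the complete ruleset for the SSH port-forward.
ssh_forward_rules() {
    # PREROUTING: rewrite destination address and port before routing.
    $IPT -t nat -A PREROUTING -p tcp -i "$EXT_IFACE" --dport "$PUB_PORT" \
        -j DNAT --to-destination "$SSH_HOST:22"
    # FORWARD sees the packet after DNAT, so match on $SSH_HOST and port 22,
    # not on $PUB_PORT (the point made in the thread).
    $IPT -A FORWARD -p tcp -i "$EXT_IFACE" -o "$INT_IFACE" -d "$SSH_HOST" \
        --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
    # Return traffic and anything already tracked by conntrack.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Everything else crossing the router is dropped; this replaces the
    # blanket "NEW,RELATED,ESTABLISHED -j ACCEPT" rule quoted in the thread.
    $IPT -P FORWARD DROP
}

# Lint helper: succeed (return 0) when a FORWARD rule accepts NEW connections
# without restricting interface, destination or port.
is_permissive_forward() {
    line=$1
    case $line in
        *FORWARD*) ;;
        *) return 1 ;;
    esac
    case $line in
        *"--state "*NEW*"-j ACCEPT"*) ;;
        *) return 1 ;;
    esac
    # Any of these qualifiers narrows the rule enough to pass the lint.
    case $line in
        *" -i "*|*" -o "*|*" -d "*|*"--dport "*) return 1 ;;
    esac
    return 0
}

# Dry-run usage: print the rules, then lint the permissive rule from the thread.
ssh_forward_rules
if is_permissive_forward "-A FORWARD -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT"; then
    echo "lint: over-permissive FORWARD rule detected"
fi
```

Run it as-is to review the generated rules, or with `IPT=iptables` as root to apply them. The lint is deliberately simple (a glob over the rule text) and is meant for reviewing rule scripts, not as a substitute for reading `iptables -S FORWARD` on the live box.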