Re: SSH Port Forwarding with iptables

Bill Hendrickson wrote:
>> In the FORWARD chain the destination port has already been changed by
>> the DNAT rule just like the destination address, so this rule must match
>> on destination port 22, not on the original destination port.
> 
> So you're saying it needs to be this?
> 
> $IPT -A FORWARD -p tcp -i $EXT_IFACE -o $INT_IFACE -d $SSH_HOST
> --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT

Correct.

> For now, I've actually got it like this (which is working, but I
> should lock it down):
> 
> -A FORWARD -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

This is much too permissive; it allows any connection through the router.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
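The complete rule set the thread arrives at, written out as an added example (this is not a script from either poster): the nat/PREROUTING DNAT rule that rewrites the destination to port 22, the FORWARD rule matching on the already-rewritten port, a stateful rule for return traffic, and a default DROP in place of the "NEW,RELATED,ESTABLISHED" catch-all that the reply calls too permissive. The variable names follow the thread's `$IPT`, `$EXT_IFACE`, `$INT_IFACE` and `$SSH_HOST`; the interface names, the internal address and the external port are constructed, and `IPT` defaults to `echo` so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the DNAT + FORWARD rules for
# exposing SSH on an internal host through the router.
# Variable names are assumptions modelled on the thread's $IPT, $EXT_IFACE,
# $INT_IFACE and $SSH_HOST; addresses, interfaces and ports are constructed.
# IPT defaults to "echo" (dry run); set IPT=/sbin/iptables to apply for real.
IPT="${IPT:-echo}"
EXT_IFACE="${EXT_IFACE:-eth0}"          # constructed external interface
INT_IFACE="${INT_IFACE:-eth1}"          # constructed internal interface
SSH_HOST="${SSH_HOST:-192.168.1.10}"    # constructed internal SSH host
EXT_PORT="${EXT_PORT:-2222}"            # constructed port exposed on the router

ssh_forward_rules() {
    # nat/PREROUTING runs before the routing decision and rewrites both the
    # destination address and the destination port.
    $IPT -t nat -A PREROUTING -p tcp -i "$EXT_IFACE" --dport "$EXT_PORT" \
        -j DNAT --to-destination "$SSH_HOST:22"

    # By the time the packet reaches filter/FORWARD its destination is already
    # $SSH_HOST:22, so this rule matches on port 22, not on $EXT_PORT.
    $IPT -A FORWARD -p tcp -i "$EXT_IFACE" -o "$INT_IFACE" -d "$SSH_HOST" \
        --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT

    # Replies and continuations of connections already accepted above.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Everything else crossing the router is dropped. This replaces the
    # thread's "-m state --state NEW,RELATED,ESTABLISHED -j ACCEPT", which
    # accepts any new connection in either direction.
    $IPT -A FORWARD -j DROP
}

ssh_forward_rules
```

Run it as-is to review the generated rules, then with `IPT=/sbin/iptables` (as root, after flushing any existing FORWARD policy you rely on) to apply them; note that a packet's destination port is only ever `$EXT_PORT` in PREROUTING, so any later match on `$EXT_PORT` in FORWARD never fires.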
