Re: iptables as a protocol demultiplexer

On Saturday 2013-03-16 19:27, AZ 9901 wrote:
>On 16 March 2013 at 19:18, Jan Engelhardt wrote:
>> On Saturday 2013-03-16 18:25, AZ 9901 wrote:
>>> On 12 March 2013 at 19:09, AZ 9901 wrote:
>>>> 
>>>> sslh (http://www.rutschle.net/tech/sslh.shtml) works as a protocol demultiplexer; it separates SSH and HTTPS streams which arrive on the same port (443 for instance).
>>>> I would like to do the same thing but with iptables only.
>>>> Is it possible?
>> 
>> No. As the name already says, it works at the IP/Network level,
>> not with upper protocols.
>
>Yes, but I was thinking of something like this:
>- use the "string" module to catch the first packet of an SSH connection (looking for the SSH- pattern, as sslh does in its probe.c source file)

The first packet is an empty TCP SYN.

>- use conntrack to follow this detected SSH connection
>- redirect this detected SSH connection from port 443 to port 22

NAT mappings must be applied before any packet is forwarded,
which is why the decision must happen with the first packet.
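To make that constraint concrete, here is an added toy model (not code from this thread, and a deliberate simplification of how conntrack and the nat table really work): the NAT box takes exactly one NAT decision per flow, when it sees the flow's first packet, and reuses it for every later packet. In the constructed packet sequence below, the SSH banner only shows up after the three-way handshake, so a rule that keys on the payload never gets a chance to influence the mapping and the flow stays on port 443.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    """A TCP segment as a NAT box would see it (constructed sample data)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    payload: bytes = b""


@dataclass
class ToyConntrack:
    """Minimal stand-in for conntrack plus the nat table: one NAT decision
    per flow, taken on the flow's first packet and reused afterwards."""
    mappings: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)

    @staticmethod
    def flow_key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def nat_rule(p):
        """The proposed rule: 'if the payload looks like SSH, redirect to 22'.
        nat-table rules are only ever consulted for a flow's first packet."""
        if p.payload.startswith(b"SSH-"):
            return (p.dst, 22)
        return (p.dst, p.dport)          # leave everything else alone

    def forward(self, p):
        key = self.flow_key(p)
        if key not in self.mappings:     # conntrack state NEW: decide now
            self.mappings[key] = self.nat_rule(p)
        target = self.mappings[key]      # later packets: mapping is fixed
        self.trace.append((p.flags, p.payload[:8], target))
        return target


def ssh_over_443_flow():
    """Constructed client->server packets of an SSH session aimed at port 443.
    The banner only appears once the handshake has completed."""
    c, s = "10.0.0.2", "198.51.100.1"
    return [
        Packet(c, 40000, s, 443, "SYN"),                 # no payload
        Packet(c, 40000, s, 443, "ACK"),                 # no payload
        Packet(c, 40000, s, 443, "PSH,ACK", b"SSH-2.0-OpenSSH_6.1\r\n"),
    ]


def demux_with_nat(packets):
    """Run a flow through the toy NAT box; returns the destination the flow
    was finally mapped to and the per-packet trace."""
    ct = ToyConntrack()
    targets = [ct.forward(p) for p in packets]
    return targets[-1], ct.trace


if __name__ == "__main__":
    final, trace = demux_with_nat(ssh_over_443_flow())
    for flags, head, target in trace:
        print(f"{flags:8} payload={head!r:14} -> {target}")
    print("flow ends up at port", final[1])   # 443, not 22
```

The last assertion in the model is the only way the rule could ever fire: if the very first packet already carried the banner. TCP never does that, which is exactly why a user-space demultiplexer like sslh accepts the connection first and reads the initial bytes before deciding where to hand it off.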


