[2024-05-30 10:03] Florian Westphal:
You cannot redirect once the first packet has been processed.
…
Rule above accepts the packet with SSH string in the payload.
tcp dport 22 counter packets 1 bytes 80 log prefix "##### SSH DEBUG 3 ##### " flags all accept comment "allow SSH- via SSH port"
... and this matches the initial SYN packet.
[2024-05-30 10:18] Valentijn Sessink:
You're trying to match information that is not yet available.
The first tcp/dst 22 packet will not match any of your @ih packets,
because it's just a SYN without payload:
…
... but it *will* match this one:
tcp dport 22 accept comment "allow ssh"
And afterwards, packets will be accepted based on the "ct state
established" rule at the beginning of your script and not hit any
further rules.
As your @ih information will only be available in an established
connection (i.e. packet number 3 or so), it will never be reached.
Also, as Florian says:
- you cannot redirect a connection to another port once it has already
been established;
- while at the same time, you cannot distinguish between SSH or HTTPS
without having an established connection.
Argh, you're right, I forgot about the SYN/ACK handshake. 🙈
Thanks a lot to both of you for the explanation! :)
I have found a way to use nginx to demultiplex SSH and TLS/HTTPS on the
same port, and I'm even able to pass the original client IP using the
PROXY protocol, but only for the TLS/HTTPS stuff.
The only detail left is figuring out how to pass the original client IP
to OpenSSH, which doesn't support the PROXY protocol. Apparently, even
that should be possible by using the "transparent" parameter with nginx'
"proxy_bind" directive, but that's probably not a topic for the
netfilter mailing list.
Regards
Pascal
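As an added illustration (not configuration from anyone in this thread), the demultiplexing that nftables cannot do in-kernel can be done in user space with the nginx stream module, because nginx can hold the connection open, read the first client bytes, and only then choose an upstream. The example assumes OpenSSH on 127.0.0.1:22, a TLS backend on 127.0.0.1:8443 that accepts the PROXY protocol, and a shared public port 443; all addresses and upstream names are placeholders.

```nginx
# Added example: one public port for SSH and HTTPS, routed after the
# first client bytes are seen (ssl_preread), with the client IP forwarded
# via the PROXY protocol only on the TLS branch.
stream {
    # $ssl_preread_protocol is empty when the first bytes are not a TLS
    # ClientHello. An OpenSSH client sends "SSH-2.0-..." without waiting
    # for the server banner, so SSH connections fall into the "" case.
    map $ssl_preread_protocol $demux_upstream {
        ""      ssh_strip;      # not TLS: assume SSH
        default https_backend;  # TLSv1.x ClientHello
    }

    upstream https_backend {
        server 127.0.0.1:8443;  # placeholder: must accept PROXY protocol
    }

    upstream ssh_strip {
        server 127.0.0.1:2222;  # internal hop, see second server below
    }

    # Public listener: peek, decide, forward. proxy_protocol is per
    # server, not per upstream, so it is on for every connection here.
    server {
        listen 443;
        ssl_preread on;
        preread_timeout 10s;    # bounds how long a silent client can stall
        proxy_protocol on;
        proxy_pass $demux_upstream;
    }

    # Internal hop for SSH: consumes the PROXY header from the first
    # server so sshd, which does not speak PROXY protocol, never sees it.
    # The original client IP is therefore lost on this branch, matching
    # the limitation described in the thread.
    server {
        listen 127.0.0.1:2222 proxy_protocol;
        proxy_pass 127.0.0.1:22;
    }
}
```

The second internal server exists only because `proxy_protocol` cannot be switched per upstream; it strips the header for the SSH path while the HTTPS path keeps it. A non-TLS, non-SSH client (or a client that waits for a server banner) is held until `preread_timeout` expires and then routed as SSH, which is the failure mode worth watching in the nginx error log.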