Results 1 to 4 of 4
Enjoy an ad free experience by logging in. Not a member yet? Register.
iptables forwarding a specific SSH connection
Is anyone able to help me with the iptables syntax to achieve the following results?
Ok here we go .... I have a server that only accepts ssh connections on the default port ie 22. I want to be able to forward *some* of the ssh connections to a remote server , this remote server is not on the same network its an extermal box on the internet.
I have searched around for a solution and this is the best I can come up with...
iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 184.108.40.206 --dport 22 -m state --state NEW -j ACCEPT
My problem with the above command is that this will forward all connections on port 22 to the 220.127.116.11 (external server) whereas I only want to forward specific IP addresses and/or subnets .
is there a way of specifying the source IP (18.104.22.168) of the connection? will me below example work??
eg iptables -A FORWARD -s 22.214.171.124-p tcp -i eth0 -o eth0 -d 126.96.36.199 --dport 22 -m state --state NEW -j ACCEPT
- Join Date
- Jan 2007
Forward some ssh connection to a remote server
One solution could be, like this:
Source (you) = 188.8.131.52
Public IP (firewall) = 193.x.x.x
Destination 1 = 184.108.40.206
Destination 2 = 220.127.116.11
iptables -t nat -A PREROUTING -p TCP -s 18.104.22.168 -d 193.x.x.x --dport 22 -j DNAT --to-destination 22.214.171.124:22
iptables -t nat -A PREROUTING -p tcp -d 193.x.x.x --dport 22 -j DNAT --to-destination 126.96.36.199:22
First rule route you to destination 1.
Second rule route everyone else to destination 2.
Hope this helps.
thanks for the reply .... I have read the chain rule and this looks like what I need exactly!
I am new to iptables so excuse if this question is dumb but is using the FORWARD chain used for routing packets to box internally whereas you have used the PREROUTING chain to change the packet as it comes in ... could you just clarify how the firewall will then send the packet to its new destination? does it automaticallly send the packet??
- Join Date
- Jan 2007
CHAINS are then associated with each table. Chains are lists of rules within a table, and they are associated with "hook points" on the system, i.e. places where you can intercept traffic and take action. Here are the default table/chain combinations:
FILTER: Input, Output, Forward
NAT: Prerouting, Postrouting, Output
MANGLE: Prerouting, Postrouting, Input, Output, Forward
Here's when the different chains do their magic:
PREROUTING: Immediately after being received by an interface.
POSTROUTING: Right before leaving an interface.
INPUT: Right before being handed to a local process.
OUTPUT: Right after being created by a local process.
FORWARD: For any packets coming in one interface and leaving out another.
In other words, if you want to process packets as they leave your system, but without doing any NAT or MANGLE(ing), you'll look to the OUTPUT chain within the FILTER table. If you want to process packets coming from the outside destined for your local machine, you'll want to use the same FILTER table, but the INPUT chain. See the image below for a visual representation of this.
I got this info from (here's some more reading, cool site ): http://dmiessler.com/study/iptables/