  1. #1

    iptables forwarding a specific SSH connection

    Hi all,

    Is anyone able to help me with the iptables syntax to achieve the following results?

    Ok, here we go ... I have a server that only accepts ssh connections on the default port, i.e. 22. I want to be able to forward *some* of the ssh connections to a remote server. This remote server is not on the same network; it's an external box on the internet.

    I have searched around for a solution and this is the best I can come up with...

    iptables -A FORWARD -p tcp -i eth0 -o eth0 -d --dport 22 -m state --state NEW -j ACCEPT

    My problem with the above command is that this will forward all connections on port 22 to the (external server), whereas I only want to forward specific IP addresses and/or subnets.

    Is there a way of specifying the source IP ( of the connection? Will my below example work??

    eg iptables -A FORWARD -s tcp -i eth0 -o eth0 -d --dport 22 -m state --state NEW -j ACCEPT

    Any suggestions?

  2. #2

    Forward some ssh connection to a remote server

    One solution could be like this:

    Source (you) =
    Public IP (firewall) = 193.x.x.x
    Destination 1 =
    Destination 2 =

    iptables -t nat -A PREROUTING -p TCP -s -d 193.x.x.x --dport 22 -j DNAT --to-destination
    iptables -t nat -A PREROUTING -p tcp -d 193.x.x.x --dport 22 -j DNAT --to-destination

    The first rule routes you to destination 1.
    The second rule routes everyone else to destination 2.

    Hope this helps.

  3. #3

    Thanks for the reply ... I have read the chain rule and this looks like exactly what I need!

    I am new to iptables, so excuse me if this question is dumb, but is the FORWARD chain used for routing packets to a box internally, whereas you have used the PREROUTING chain to change the packet as it comes in? Could you just clarify how the firewall will then send the packet to its new destination? Does it automatically send the packet??


  4. #4

    Thumbs up

    CHAINS are then associated with each table. Chains are lists of rules within a table, and they are associated with "hook points" on the system, i.e. places where you can intercept traffic and take action. Here are the default table/chain combinations:

    FILTER: Input, Output, Forward
    NAT: Prerouting, Postrouting, Output
    MANGLE: Prerouting, Postrouting, Input, Output, Forward

    Here's when the different chains do their magic:

    PREROUTING: Immediately after being received by an interface.
    POSTROUTING: Right before leaving an interface.
    INPUT: Right before being handed to a local process.
    OUTPUT: Right after being created by a local process.
    FORWARD: For any packets coming in one interface and leaving out another.

    In other words, if you want to process packets as they leave your system, but without doing any NAT or MANGLE(ing), you'll look to the OUTPUT chain within the FILTER table. If you want to process packets coming from the outside destined for your local machine, you'll want to use the same FILTER table, but the INPUT chain. See the image below for a visual representation of this.

    I got this info from (here's some more reading, cool site ):
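
The question in #3 (what carries the packet onward after PREROUTING rewrites it) comes down to three more pieces besides the DNAT rule: kernel IP forwarding, a FORWARD accept, and source NAT on the way out. The script below is an added example, not part of any post in this thread; it only prints the rules for review, and every address in it is a constructed documentation-range placeholder, with `gen_ssh_dnat` and `valid_ipv4` being hypothetical helper names.

```shell
#!/bin/sh
# Added example: prints (does not apply) the rules for source-restricted SSH DNAT.
# All addresses used below are constructed placeholders.

# Shape check only (dotted quad, optional /0-32 prefix); iptables itself
# rejects out-of-range octets. Anything else never reaches a rule line.
valid_ipv4() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# gen_ssh_dnat PUBLIC_IP REMOTE_IP SOURCE [SOURCE...]
gen_ssh_dnat() {
    [ $# -ge 3 ] || { echo "usage: gen_ssh_dnat PUBLIC REMOTE SOURCE..." >&2; return 1; }
    for a in "$@"; do
        valid_ipv4 "$a" || { echo "invalid address: $a" >&2; return 1; }
    done
    pub=$1; remote=$2; shift 2
    # Without this the kernel drops packets that are not addressed to itself.
    echo "sysctl -w net.ipv4.ip_forward=1"
    for src in "$@"; do
        # nat/PREROUTING: rewrite the destination for the listed sources only;
        # every other client still reaches the local sshd through INPUT.
        echo "iptables -t nat -A PREROUTING -p tcp -s $src -d $pub --dport 22 -j DNAT --to-destination $remote:22"
        # filter/FORWARD: after DNAT the packet is routed, so it is judged here.
        echo "iptables -A FORWARD -p tcp -s $src -d $remote --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # nat/POSTROUTING: source-NAT so the remote server replies via this host
    # instead of answering the client directly (which would break the session).
    echo "iptables -t nat -A POSTROUTING -p tcp -d $remote --dport 22 -j MASQUERADE"
}

# Constructed sample: firewall 198.51.100.10, remote box 192.0.2.50,
# forwarded client subnet 203.0.113.0/24.
gen_ssh_dnat 198.51.100.10 192.0.2.50 203.0.113.0/24
```

Because of the MASQUERADE rule, the remote server's sshd logs show the firewall's address rather than the real client, so source-based auditing has to happen on the firewall.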
