I need to redirect a port to another one, but also close the original port for external users.
Until now, I've done that by blocking the original port with iptables and using a small utility called portfwd to redirect it (portfwd.sourceforge.net).
It works well, but portfwd takes up memory for each port redirection (1 instance per redirection) and it uses processor resources.
Doing it with iptables works using this command as long as both sourcePort and destPort are open:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport sourcePort -j REDIRECT --to-ports destPort
If the following command is added to prevent direct access to destPort from outside, it also blocks the redirected access.
/sbin/iptables -A INPUT -p tcp --dport destPort -j DROP
I then tried this, but it did not work any better:
/sbin/iptables -A INPUT -p tcp --sport sourcePort --dport destPort -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport destPort -j DROP
---
So, my question is, how can direct external access to the destination port be blocked while not preventing it from the source port?
That works:

```
sourcePort ----+
               |
  destPort ----+---- service (from both ports)
```

That's what I would like:

```
sourcePort ----+
               |
  destPort --X +---- service (from sourcePort only)
```

but that's what I get:

```
sourcePort ----+
               |
  destPort ----+--X - service (inaccessible)
```
Any ideas?
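A rule set that produces the second diagram, as an added example that is not part of the original post. The reason the posted rules fail is that nat/PREROUTING rewrites the destination port before filter/INPUT runs, so INPUT sees destPort for both redirected and direct connections; the conntrack match can still see the port the client originally asked for. The interface eth0, public port 8080 and service port 80 are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not code from the original post. Keeps the REDIRECT from
# the public port to the service port working while dropping connections
# that arrived on the service port directly. Rules are applied only when
# APPLY=1 is set and the script runs as root; otherwise they are printed.
IFACE=${IFACE:-eth0}        # assumed external interface
SRC_PORT=${SRC_PORT:-8080}  # "sourcePort" in the question (assumed value)
DST_PORT=${DST_PORT:-80}    # "destPort" in the question (assumed value)

# Emit the rule set, one iptables invocation per line, in the order it
# must be installed.
ruleset() {
    # 1. Rewrite the public port to the service port (same rule as in the
    #    question). After this, INPUT sees --dport $DST_PORT for these packets.
    echo "iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport $SRC_PORT -j REDIRECT --to-ports $DST_PORT"
    # 2. Accept traffic to the service port only when the connection was
    #    originally addressed to the public port, i.e. it went through REDIRECT.
    #    --ctorigdstport is the pre-NAT destination port recorded by conntrack.
    echo "iptables -A INPUT -i $IFACE -p tcp --dport $DST_PORT -m conntrack --ctorigdstport $SRC_PORT -j ACCEPT"
    # 3. Any other external connection to the service port is dropped.
    echo "iptables -A INPUT -i $IFACE -p tcp --dport $DST_PORT -j DROP"
}

# Number of rules the generator produces (sanity check for the rule set).
rule_count() { ruleset | wc -l | tr -d ' '; }

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    ruleset | while IFS= read -r rule; do eval "$rule"; done
else
    ruleset
fi
```

The same effect can be had by dropping direct connections to destPort in the raw or mangle PREROUTING chain instead, since both run before nat/PREROUTING rewrites the port. Local clients connecting via lo are unaffected by either variant because the rules are restricted to the external interface.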