forward ssh

serii · 04-30-2005, 05:35 AM

i have one router to configure (freebsd) with real ip xxx.xxx.xxx.xxx
before this comp i have one gateway (fedora) (for lan)
i need ssh connection to BSD, but linux gateway block it

________________________|-----others
internet-->LINUX GATEWAY |
________________________|-my BSD router (real ip)

in ip_tables (linux) i have rules:
/sbin/iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 22 -j DROP
/sbin/iptables -A FORWARD -p TCP -s 0/0 -d xxx.xxx.xxx.xxx --dport 0:1024 -j DROP

i've decided to change that rule in:

--------Start-of-file-----------------
.
.
/sbin/iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 22 -j DROP
.
.
/sbin/iptables -A FORWARD -p TCP -s 0/0 -d xxx.xxx.xxx.xxx --dport 0:21 -j DROP
/sbin/iptables -A FORWARD -p TCP -s 0/0 -d xxx.xxx.xxx.xxx --dport 23:1024 -j DROP
/sbin/iptables -A FORWARD -p TCP -s 0/0 -d xxx.xxx.xxx.xxx --dport 22 -j ALLOW
.
.
-----------end-of-file-------------
that will work?

nhs · 05-01-2005, 02:41 PM

It should but why not use

Code:

iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A FORWARD -p tcp -d xxx.xxx.xxx.xxx --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp -d xxx.xxx.xxx.xxx --dport 0:1024 -j DROP

As that is (to my mind) cleaner. Also I can't help wondering why you're not blocking UDP, the high ports on xxx.xxx.xxx.xxx or any ports other than 22 on the gateway.