Using iptables to make port 22 accessible through 4455 externally

Yalla-One · 04-16-2011, 11:47 AM

Hi,

Have previously moved my ssh server from 22 to 4455 just by moving the port in sshd_config. This is done to minimize the log entries resulting from brute force attacks.

However, it seems like Zimbra and other local services expect to find the ssh service locally available on port 22, so I figured it's better to move the port in the firewall so that it remains configured on port 22 in sshd_config, and instead use iptables with a nat/port rewrite to move 4455 incoming to 22 locally.

I have tried this line:

Code:

iptables -A PREROUTING -t nat -p tcp --dport 4455 -j REDIRECT --to-port 22

and then do an /etc/init.d/iptables save

Isolated this works as long as I also keep allowing port 22, but the moment I close port 22, port 4455 is also dead, which sort of defies the purpose

acid_kewpie · 04-16-2011, 01:03 PM

use dnat instead and specify a destination of 127.0.0.1 http://linux-ip.net/html/nat-dnat.html But where are you blocking port 22? The redirect would on the server would only not work if you block 22 on the server itself, which surely is not what you want? Isn't it on your firewall where you're blocking 22?

Yalla-One · 04-17-2011, 04:43 AM

Thanks much for answering! The server is colocated so there's no firewall in front of it I'm afraid. Thus the need for paranoid iptables. So the firewall is just a set of iptables running on the box itself, which is supposed to ban external incoming connections on port 22, but allow them internally on 22, and remap external from 4455 to 22 so that it is accessible from the outside over ssh...

Just to make it easy :-) Perhaps this is more iptables-specific than Fedora, and thus should be moved to firewall/security section?