Gentoo Forums :: View topic - iptables port forwarding on a router

Posted: Thu 2:17 pm    Post subject: iptables port forwarding on a router

I want to ssh from the internet to a server running behind a home router running OpenWrt. Assuming the router address is 192.168.1.1 and the server behind it is 192.168.1.100, would adding those rules on the router be ok? Or am I supposed to use the 'outside' IP rather than the internal one for the router address?

Code:

Or should I rather use --to-destination and --to-source instead of the -d and -s options? I'm a noob when it comes to iptables.

----

Prerouting: if a packet comes in on the router's public interface, change the destination to your client.
Postrouting: if a packet comes in on the router's private interface, change the source IP to your router's public IP.

Not limiting by interfaces (or otherwise distinguishing between LAN and WAN traffic) will come at you and bite you at some point when you don't expect it.

Also, it should be --sport in POSTROUTING in your case, since it's meant to match packets going from your server in the LAN to a client somewhere over the internet, and you don't know his randomly chosen port at the time of creating those rules. There is no need to alter the "remote" end's IP for the client, because it will route via your router by default anyway.

Another thing you might need is an ACCEPT rule in the FORWARD chain.

----

Thank you for that explanation, it slowly becomes clearer. Also, those eth0 - are we talking about interfaces on the server in PREROUTING and POSTROUTING, is that correct? It would only be me connecting to said server using that port, which is a standard ssh port, so I guess in this case I should skip the --sport option, is that right?

Code:

Where 92.xx.x.x is the public facing IP, right?

----

Posted: Fri 2:11 am    Post subject: Re: iptables port forwarding on a router

Quote:
I want to ssh from internet to a server running behind home router

Before you make this work, review the configuration of the interior sshd to ensure it is adequately hardened. Even with the alternate port you propose below, you are likely to get a large number of attack attempts. Hardening sshd now, before bots attack it, is less stressful than dealing with the attacks once they begin.

I would add the interface qualifier like he suggested. The rule as written is incorrect relative to your stated intent. You cannot use a :port qualifier with -d. According to the documentation, that rule should not even parse correctly. -d is a matcher, not a rewriter, so you are saying that if the destination is already correct (which it should not be, unless someone on the Internet is doing something very odd and your ISP plays along), then engage the DNAT target and do no rewrites, because you didn't tell DNAT what to do. Incorporating the interface criticism, I would rewrite this as:

Code:

I like putting a destination qualifier on the rewrite rule as a secondary check that it not match odd traffic. This assumes that your public IP is sufficiently predictable that you can put it in the rule and not need to update it routinely. If you can't assume that, drop the -d 192.168.1.1 and leave the rest of the rule.

Assuming your internal systems have working Internet access as-is through some other POSTROUTING rule, there is no need for any POSTROUTING rule specific to this project. Its only purpose is to convince your sshd that all connections are initiated from the router, which is at best a lie that will reduce the value of your logs and at worst a security problem, since it prevents the sshd from applying any source-based restrictions.
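Added example (my own, not code from any post in this thread, and not the rewrite the last reply refers to): a POSIX sh script that emits the rules the last reply describes (interface qualifier, -d only as a secondary matcher, the rewrite done by --to-destination, no POSTROUTING SNAT) plus the FORWARD ACCEPT the earlier reply mentions, and a small lint for the two rule mistakes discussed above. Assumed values: WAN interface eth0, placeholder public IP 92.0.2.1, internal ssh server 192.168.1.100; nothing is applied, the rules are only printed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: WAN interface eth0 (on OpenWrt
# often eth0.2 or wan), placeholder public IP 92.0.2.1, ssh server 192.168.1.100.

# Emit the rules. Usage: ssh_forward_rules WAN_IF PUBLIC_IP LAN_HOST [PORT]
ssh_forward_rules() {
    wan_if=$1; pub_ip=$2; lan_host=$3; port=${4:-22}
    # PREROUTING: -i limits the rewrite to packets arriving on the WAN side; -d is
    # only a matcher (secondary check); the rewrite itself is --to-destination.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp -d $pub_ip --dport $port" \
         "-j DNAT --to-destination $lan_host:$port"
    # FORWARD sees the already-rewritten destination; a default-DROP forward
    # policy still needs this ACCEPT.
    echo "iptables -A FORWARD -i $wan_if -p tcp -d $lan_host --dport $port" \
         "-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Replies from the server back towards the Internet.
    echo "iptables -A FORWARD -o $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Deliberately no POSTROUTING SNAT: rewriting the client source to the router
    # would make every login appear to come from 192.168.1.1, hiding the real peer
    # from sshd's logs and from source-based limits such as "Match Address".
}

# Lint one rule for the mistakes discussed above: address:port glued onto -d/-s
# (iptables rejects it) and a DNAT target without --to-destination (matches but
# rewrites nothing). Prints "ok" and returns 0 when neither applies.
check_dnat_rule() {
    rule=$1
    set -- $rule
    while [ $# -gt 0 ]; do
        case $1 in
            -d|--destination|-s|--source)
                case $2 in
                    *:*) echo "bad: $1 takes an address, not address:port"; return 1 ;;
                esac ;;
        esac
        shift
    done
    case "$rule" in
        *"-j DNAT"*)
            case "$rule" in
                *"--to-destination "*) ;;
                *) echo "bad: DNAT without --to-destination rewrites nothing"; return 1 ;;
            esac ;;
    esac
    echo ok
}

# Print the rule set and lint each line when run directly.
ssh_forward_rules eth0 92.0.2.1 192.168.1.100 | while read -r r; do
    echo "$r"; check_dnat_rule "$r"
done
```

On current OpenWrt releases (fw4/nftables) the same forwarding is expressed as a `config redirect` section with `option target DNAT` in /etc/config/firewall rather than as raw iptables commands.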