I'm new to iptables, and I followed the instructions in the Archlinux wiki for opening the SSH port (22) of my router to incoming connections on a different port number (10022):
https://wiki.archlinux.org/index.php/Si … onnections
https://wiki.archlinux.org/index.php/Si … TING_chain
It doesn't work. Here are the commands I entered after the router is set up:
iptables -A TCP -p tcp --dport 10022 -j ACCEPT
iptables -A fw-open -d 192.168.1.1 -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 10022 -j DNAT --to 192.168.1.1:22
but simply opening port 22 works:
iptables -A TCP -p tcp --dport 22 -j ACCEPT
Any ideas?
Here's my iptables configuration:
# Generated by iptables-save v1.4.21 on Tue Jan 6 07:53:29 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Jan 6 07:53:29 2015
# Generated by iptables-save v1.4.21 on Tue Jan 6 07:53:29 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlp1s0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A fw-interfaces -i wlp1s0 -j ACCEPT
COMMIT
# Completed on Tue Jan 6 07:53:29 2015
Pardon my ignorance on this - I've never used iptables, but I have used openSSH: is there a reason not to just change the SSH config to listen on a different port? That is very easy to do.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Pardon my ignorance on this - I've never used iptables, but I have used openSSH: is there a reason not to just change the SSH config to listen on a different port? That is very easy to do.
From the internal network the port is 22; from outside it needs to be redirected from 10022. Changing the listening port does not apply to this scenario.
As you do the redirection via the PREROUTING chain in the nat table, you have to open port 22 in the INPUT chain of the filter table.
This image might help: http://xkr47.outerspace.dyndns.org/netf … _flow9.png
So, adding these rules to the ruleset you posted should work:
iptables -I TCP -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 10022 -j DNAT --to 192.168.1.1:22
Last edited by aiBo (2015-01-07 16:39:09)
enihcam wrote:I'm new to iptables, and I followed the instructions in the Archlinux wiki for opening the SSH port (22) of my router to incoming connections on a different port number (10022):
https://wiki.archlinux.org/index.php/Si … onnections
https://wiki.archlinux.org/index.php/Si … TING_chain
It doesn't work. Here are the commands I entered after the router is set up:
iptables -A TCP -p tcp --dport 10022 -j ACCEPT
iptables -A fw-open -d 192.168.1.1 -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 10022 -j DNAT --to 192.168.1.1:22
but simply opening port 22 works:
iptables -A TCP -p tcp --dport 22 -j ACCEPT
Any ideas?
Is the incoming stream coming in via a router? If so then is port forwarding in the router not a possibility so that the external ssh session aimed at the external address of your system gets directed at the specific machine within your LAN with port 10022 on the outside and port 22 on the inside? Or is the ssh connection being made directly to your machine exposed directly to the WAN?
Mike C
aiBo wrote:As you do the redirection via the PREROUTING chain in the nat table, you have to open port 22 in the INPUT chain of the filter table.
This image might help: http://xkr47.outerspace.dyndns.org/netf … _flow9.png
So, adding these rules to the ruleset you posted should work:
iptables -I TCP -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 10022 -j DNAT --to 192.168.1.1:22
Will this rule expose port 22 to the internet?
enihcam wrote:I'm new to iptables, and I followed the instructions in the Archlinux wiki for opening the SSH port (22) of my router to incoming connections on a different port number (10022):
https://wiki.archlinux.org/index.php/Si … onnections
https://wiki.archlinux.org/index.php/Si … TING_chain
It doesn't work. Here are the commands I entered after the router is set up:
iptables -A TCP -p tcp --dport 10022 -j ACCEPT
iptables -A fw-open -d 192.168.1.1 -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 10022 -j DNAT --to 192.168.1.1:22
but simply opening port 22 works:
iptables -A TCP -p tcp --dport 22 -j ACCEPT
Any ideas?
Mike C wrote:Is the incoming stream coming in via a router? If so then is port forwarding in the router not a possibility so that the external ssh session aimed at the external address of your system gets directed at the specific machine within your LAN with port 10022 on the outside and port 22 on the inside? Or is the ssh connection being made directly to your machine exposed directly to the WAN?
Yes, I want to reach SSH only via 10022 from the outside, and via 22 from the inside. The SSH server is on the router itself, not on a machine within my LAN.
enihcam wrote:Yes, I want to reach SSH only via 10022 from the outside, and via 22 from the inside. The SSH server is on the router itself, not on a machine within my LAN.
You can specify various IPs and ports with multiple ListenAddress entries in sshd_config, which maybe will do the job?
Last edited by owain (2015-01-08 00:16:39)
aiBo wrote:As you do the redirection via the PREROUTING chain in the nat table, you have to open port 22 in the INPUT chain of the filter table.
This image might help: http://xkr47.outerspace.dyndns.org/netf … _flow9.png
So, adding these rules to the ruleset you posted should work:
iptables -I TCP -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 10022 -j DNAT --to 192.168.1.1:22
Will this rule expose port 22 to the internet?
Yes it would, as I forgot to add a directive to the rule for the TCP chain.
If you restrict this one to the internal IP, port 22 is directly accessible from within your LAN and only via redirection from the internet.
Fixed rules:
iptables -I TCP -p tcp -d 192.168.1.1 --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 10022 -j DNAT --to-destination 192.168.1.1:22
Edit: fixed the --to switch, which actually is --to-destination.
Last edited by aiBo (2015-03-22 19:11:42)
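The following is an added model of the packet path aiBo describes; it is not code from the thread or from the Arch wiki. It walks a first SYN through nat PREROUTING (where DNAT rewrites the destination), the routing decision, and the filter table's INPUT chain with its TCP sub-chain, using the rules from the posted dump. It shows three things: the original `--dport 10022` rule in the TCP chain can never match, because by the time INPUT runs the packet is already addressed to 192.168.1.1:22 (and fw-open in FORWARD is never consulted, since the destination is the router itself); aiBo's first `--dport 22` rule also admits a SYN sent straight to the public address on port 22; and the `-d 192.168.1.1` restriction closes that while the redirected 10022 traffic still gets in. Assumptions: 203.0.113.5 is a placeholder for the ppp0 address, and INPUT is ordered as in the Arch wiki (catch-all REJECT after the TCP/UDP jumps). The posted dump shows that REJECT in fifth place, ahead of the jumps; the last case in the model reproduces that order to show that nothing placed in the TCP chain is reachable from ppp0 until it is moved.

```python
"""Model of the netfilter path a TCP SYN takes on the router from this thread:
nat PREROUTING (where DNAT rewrites the destination), the routing decision, then
filter INPUT and its TCP sub-chain.  Only the matches the posted rules use are
modelled.  ASSUMPTION: 203.0.113.5 stands in for the router's public ppp0 address."""

ROUTER_ADDRS = {"127.0.0.1", "192.168.1.1", "203.0.113.5"}  # addresses owned by the router


def rule(target, **match):
    """Every keyword is a match on a packet field; absent keys match anything.
    A tuple value means 'any of' (used for --ctstate RELATED,ESTABLISHED)."""
    return {"target": target, "match": match}


def dnat(to, **match):
    """-j DNAT --to-destination ip:port, expressed as an (ip, port) tuple."""
    return {"target": "DNAT", "to": to, "match": match}


def matches(r, pkt):
    for key, want in r["match"].items():
        have = pkt.get(key)
        miss = have not in want if isinstance(want, tuple) else have != want
        if miss:
            return False
    return True


def walk(chain, chains, pkt, policy=None):
    """Evaluate one chain top to bottom.  Returns the verdict, or `policy` when the
    chain falls through (None for a user chain, i.e. RETURN to the caller)."""
    for r in chains[chain]:
        if not matches(r, pkt):
            continue
        target = r["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "DNAT":  # terminating in nat: rewrite the destination and stop this chain
            pkt["dst"], pkt["dport"] = r["to"]
            return "ACCEPT"
        verdict = walk(target, chains, pkt)  # -j <user chain>
        if verdict is not None:
            return verdict
    return policy


def trace(pkt, nat, flt):
    """Return (verdict, filter chain that decided, packet as the filter table saw it)."""
    pkt = dict(pkt)
    if pkt["ctstate"] == "NEW":  # conntrack consults the nat table only for a flow's first packet
        walk("PREROUTING", nat, pkt, policy="ACCEPT")
    # Routing decision: a destination the router owns goes to INPUT, anything else to FORWARD.
    chain = "INPUT" if pkt["dst"] in ROUTER_ADDRS else "FORWARD"
    return walk(chain, flt, pkt, policy="ACCEPT" if chain == "INPUT" else "DROP"), chain, pkt


def filter_table(tcp_chain, reject_before_jumps=False):
    """The posted filter table with a pluggable TCP chain.  The Arch wiki puts the
    catch-all REJECT last; reject_before_jumps=True reproduces the order in the posted dump."""
    head = [rule("ACCEPT", in_iface="lo"), rule("ACCEPT", in_iface="wlp1s0"),
            rule("ACCEPT", ctstate=("RELATED", "ESTABLISHED")), rule("DROP", ctstate="INVALID")]
    jumps = [rule("TCP", proto="tcp", ctstate="NEW"), rule("UDP", proto="udp", ctstate="NEW")]
    scan = [rule("REJECT", proto="tcp"), rule("REJECT", proto="udp")]  # the -m recent port-scan rules
    catch_all = [rule("REJECT")]
    inp = head + catch_all + jumps + scan if reject_before_jumps else head + jumps + scan + catch_all
    return {"INPUT": inp, "TCP": tcp_chain, "UDP": [],
            "FORWARD": [rule("ACCEPT", ctstate=("RELATED", "ESTABLISHED")),
                        rule("fw-interfaces"), rule("fw-open"), rule("REJECT")],
            "fw-interfaces": [rule("ACCEPT", in_iface="wlp1s0")],
            "fw-open": [rule("ACCEPT", dst="192.168.1.1", proto="tcp", dport=22)]}


NAT = {"PREROUTING": [dnat(("192.168.1.1", 22), in_iface="ppp0", proto="tcp", dport=10022)]}

TCP_OP = [rule("ACCEPT", proto="tcp", dport=10022)]                          # original post
TCP_OPEN22 = [rule("ACCEPT", proto="tcp", dport=22)]                         # aiBo's first reply
TCP_RESTRICTED = [rule("ACCEPT", proto="tcp", dst="192.168.1.1", dport=22)]  # aiBo's fixed rule


def syn(in_iface, dst, dport):  # constructed sample packets: the first SYN of a new flow
    return {"in_iface": in_iface, "proto": "tcp", "dst": dst, "dport": dport, "ctstate": "NEW"}


FROM_WAN_10022 = syn("ppp0", "203.0.113.5", 10022)
FROM_WAN_22 = syn("ppp0", "203.0.113.5", 22)
FROM_LAN_22 = syn("wlp1s0", "192.168.1.1", 22)


def verdicts(tcp_chain, reject_before_jumps=False):
    flt = filter_table(tcp_chain, reject_before_jumps)
    return {name: trace(p, NAT, flt)[0] for name, p in
            (("wan->10022", FROM_WAN_10022), ("wan->22", FROM_WAN_22), ("lan->22", FROM_LAN_22))}


if __name__ == "__main__":
    for label, chain in (("original post", TCP_OP), ("open port 22", TCP_OPEN22),
                         ("restricted to 192.168.1.1", TCP_RESTRICTED)):
        print(f"{label:32} {verdicts(chain)}")
    print(f"{'restricted, REJECT before jumps':32} {verdicts(TCP_RESTRICTED, True)}")
    _, chain, seen = trace(FROM_WAN_10022, NAT, filter_table(TCP_OP))
    print(f"DNATed SYN reached chain {chain} as {seen['dst']}:{seen['dport']} (fw-open never consulted)")
```

On the real box the same check is the packet counters: `iptables -t nat -L PREROUTING -n -v` should show the DNAT rule's counter rising for a connection to 10022, and `iptables -L INPUT -n -v --line-numbers` shows which INPUT rule consumed it; if the counter on the catch-all REJECT rises instead of the TCP jump, the REJECT sits above the jump and has to be deleted and re-appended last.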
Isn't the Maximum TCP port 65535?
-EDIT Sorry, I misread the number... multiple times!
Last edited by kokoko3k (2015-01-08 08:27:23)
Help me to improve ssh-rdp !
Retroarch User? Try my koko-aio shader !