iptables port forwarding - port is filtered, needs to be open


When you DNAT, that puts the packet on the FORWARD chain, not the INPUT chain, so that's where your ACCEPT rule needs to be. Remember that you also need to ACCEPT the packets going back out (also on the FORWARD chain) unless you already have a state ESTABLISHED rule covering them.

Reply to
Ken

with the following rules:

iptables -A INPUT --protocol tcp --dport 2222 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 127.0.0.1:22

"ssh -p 2222 " doesn't go through and nmap shows port 2222 as being filtered (from within the DMZ). How can I open up the port?

thanks.

Reply to
Jason

--to-destination 127.0.0.1:22

That's how it was originally, but I was trying to change the public port. I figured it out. I just needed to change

iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 127.0.0.1:22

to

iptables -t nat -A PREROUTING -p tcp -d --dport 2222 -j DNAT --to-destination :22

thanks.

Reply to
Jason


Change the INPUT rule to --dport 22 and it should work. The DNAT rule changes the port in the PREROUTING table, and because of the way the packets traverse the chains, the FILTER table and the INPUT chain go after that, so the packet has destination port 22 when it hits the INPUT rule.

Regards.

Reply to
Jose Maria Lopez Hernandez


I'm not sure about this, but if you see the original post the destination IP was 127.0.0.1, and that's the firewall IP, so if the routing decision is made after the DNAT is done, then what chain does the packet use? INPUT or FORWARD?

I've checked the Iptables-tutorial but I don't know what happens for sure.

Regards.

Reply to
Jose Maria Lopez Hernandez


Looks like you're trying to change SSH's access port to 2222. If so, you're doing it the hard way. Change the port in SSH's config file, and keep the above INPUT rule and delete the nat rule.

Reply to
Micheal Robert Zium
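Added example, not posted by anyone in this thread: a rule set for the case discussed above (public port 2222 translated to sshd's port 22 on the firewall itself), ordered the way the packet meets the chains. It translates the port only, so the packet stays addressed to the firewall and is delivered locally through INPUT rather than FORWARD, and the INPUT rule matches the post-DNAT port 22. The interface name eth0 and the IPT variable are assumptions; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Port 2222 -> 22 on the firewall itself. Added example; names are placeholders.
set -eu

WAN_IF="${WAN_IF:-eth0}"   # assumption: the external interface
IPT="${IPT:-iptables}"     # IPT=echo prints the rules instead of installing them

# nat/PREROUTING runs before the routing decision and before filter/INPUT,
# so the INPUT rule must match the translated port (22), not the public one (2222).
install_rules() {
    # Port-only translation: no address given, so the destination stays the
    # firewall's own address and the packet goes to the local stack via INPUT.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 2222 \
        -j DNAT --to-destination :22

    # Return traffic of already-tracked connections (the "going back out" packets).
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections arrive here with dport 22. A rule for --dport 2222 would
    # never match, and under a DROP policy nmap reports 2222 as filtered.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Show only the rules relevant to this flow, for checking the result.
show_rules() {
    $IPT -t nat -S PREROUTING
    $IPT -S INPUT
}

# Nothing happens unless an action is named, so the file can be sourced safely.
case "${1:-}" in
    apply) install_rules ;;
    show)  show_rules ;;
esac
```

Run as `sh rules.sh apply` (as root) to install, or `IPT=echo sh rules.sh apply` to review the exact commands first.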
