iptables port forwarding

# 1  
Old 04-04-2018
iptables port forwarding

Hello All,
I would like to ask you very kindly for help with my /etc/sysconfig/iptables file.

I have to set up port forwarding on a RHEL6 router. Users from the public network must be able to ssh to servers in the private network behind the RHEL6 router. The problem is that the servers in the private network must be isolated.

My boss requires that there be no possibility of a connection from the private network to any remote network behind the RHEL6 router.

I am not able to DROP any traffic coming from the private network.

I set up port forwarding on the router from the public network to the private network easily, but I am not able to force the router to drop any traffic coming from the private network to the outside unless I break port forwarding.

Here is an example of my /etc/sysconfig/iptables file. Please help with a line which would drop all outgoing traffic from the private network but keep port forwarding working.

Code:
cat /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
-A INPUT -p all -j DROP
#
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 192.168.0.3:22
COMMIT

BTW: ssh on the router is running on port 2222.


Moderator's Comments:
Please use CODE tags as required by forum rules!

Last edited by RudiC; 04-04-2018 at 10:38 AM. Reason: Added CODE tags.
# 2  
Old 04-04-2018
Without delving into the configuration...

If you allow access from the outside network to the private network via the ssh protocol, there is little you can do to stop tunneling around it.

This might sound strange, but have you considered not giving ssh access?
Think about what you are doing and whether it can be done on a higher layer (HTTPS, FTPS) to expose one port and the application behind it, not ssh and a shell.

Regards
Peasant.
# 3  
Old 04-04-2018
Hello Peasant,

Thank you very much for your answer.

I have no room for thinking about what I am doing. This is a direct order from my manager which I have to deliver. There is no room to ask questions etc.

I would like to ask you very kindly for a line which I can stick into the /etc/sysconfig/iptables file so that port forwarding will keep working but servers in the private network will not be able to reach any other network.

Concerns about ssh tunneling etc. are not my concern - I have to deliver only this isolated task.

Please help.
Thanks.
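The following is an added example of a FORWARD chain that answers the question as posed; it is not from any poster in this thread. The posted ruleset leaves the FORWARD policy at ACCEPT, so the router happily routes anything the private side initiates. DNAT happens in the nat PREROUTING chain before the filter FORWARD chain, so FORWARD already sees the rewritten destination 192.168.0.3:22 and can accept exactly that flow (plus replies via conntrack) while dropping every NEW connection that enters from the private side. The nat table from the post stays unchanged; eth1 as the private interface is an assumption, since the thread only names eth0.

```shell
#!/bin/sh
# Added example, not from the thread: lock the FORWARD chain down so the
# eth0:22 -> 192.168.0.3:22 DNAT keeps working while nothing the private
# network initiates is routed out. Assumptions: eth0 = public, eth1 = private.
IPT="${IPT:-iptables}"    # set IPT=echo for a dry run that only prints the rules
PUB_IF="eth0"
PRIV_IF="eth1"
SSH_HOST="192.168.0.3"

apply_forward_rules() {
    # Default deny for routed packets (the posted file had :FORWARD ACCEPT).
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Packets belonging to an already-accepted connection, in either
    # direction. This is what lets 192.168.0.3 answer the forwarded ssh
    # session; RELATED also covers ICMP errors for it.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only NEW connection allowed across the router: public side in,
    # private side out, to the DNAT target. PREROUTING DNAT has already
    # rewritten the destination, so we match the private address here.
    $IPT -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" -p tcp -d "$SSH_HOST" --dport 22 \
        -m state --state NEW -j ACCEPT

    # Anything the private side tries to start is logged (rate limited) and
    # dropped. The policy would drop it anyway; the explicit rule makes the
    # intent visible in iptables -L and in the log.
    $IPT -A FORWARD -i "$PRIV_IF" -m state --state NEW -m limit --limit 5/min \
        -j LOG --log-prefix "FWD-DROP-PRIV: "
    $IPT -A FORWARD -i "$PRIV_IF" -j DROP
}

# Only touch the live firewall when explicitly asked: ./forward.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_forward_rules
fi
```

On RHEL6, `service iptables save` writes the running rules back to /etc/sysconfig/iptables once they behave as intended.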