Networking Forums

Forcing SSH on port 80 with iptables

 
 
xm
01-12-2005, 03:41 PM
Hi there,
I'm having troubles trying to be able to have my host listen for SSH
connections on an IP1 on port 22 and listen at the same time on an IP2
on port 80.

Basically, the second ip address will only be used for this feature,
it has no domain name associated...

I was reading the howto for iptables for NAT, which I think is what
I need but I really don't quite understand if this would be post or pre
routing.

Can somebody give me hand on this?

Thanks,
xm
 

gimickser
01-12-2005, 06:42 PM
xm wrote:
> Hi there,
> I'm having troubles trying to be able to have my host listen for SSH
> connections on an IP1 on port 22 and listen at the same time on an IP2
> on port 80.
>
> Basically, the second ip address will only be used for this feature,
> it has no domain name associated...
>
> I was reading the howto for iptables for NAT, which I think is what
> I need but I really don't quite understand if this would be post or pre
> routing.
>
> Can somebody give me hand on this?
>
> Thanks,
> xm


If I understand this right, you want to redirect an incoming ssh
connection to IP2 on port 80 to a host port 22... it's PREROUTING.

iptables -t nat -A PREROUTING -p tcp -d IP2 --dport 80 -i ppp0 -j DNAT --to host:22

hope that's what you wanted to know.
gimickser
 

xm@ca.inter.net
01-12-2005, 10:13 PM
Yes that is exactly it. It seems very clear with the command you have
given me, I'll be able to make a test later tonight, but I would like
to clarify a few details...

1) the option `-i ppp0` would probably be different on my host, it's a
virtual private host and networking devices are virtual devices as I
understand it. I guess I could try a tcp dump on any devices `ifconfig
-a` lists and once one of them shows infinite (exponential?) number of
packets on port 22, then I guess I would have found the device in
question... I would change ppp0 for the device name, right?

2) you specify the option `--to host:22`, but wouldn't it be better to
specify `--to IP1:22` ? Or would that cause troubles?

3) also, since I'm having trouble understanding the difference between
PRE/POST routing in term of the host's perspective, could you explain
in a few words what's the main difference?

Thanks a lot!
xm

 

Bill Davidsen
01-12-2005, 10:14 PM
gimickser wrote:
> xm wrote:
>
>> Hi there,
>> I'm having troubles trying to be able to have my host listen for SSH
>> connections on an IP1 on port 22 and listen at the same time on an IP2
>> on port 80.
>>
>> Basically, the second ip address will only be used for this feature,
>> it has no domain name associated...
>>
>> I was reading the howto for iptables for NAT, which I think is what
>> I need but I really don't quite understand if this would be post or pre
>> routing.
>>
>> Can somebody give me hand on this?
>>
>> Thanks,
>> xm

>
>
> If I understand this right, you want to redirect an incoming ssh
> connection to IP2 on port 80 to a host port 22... it's PREROUTING.
>
> iptables -t nat -A PREROUTING -p tcp -d IP2 --dport 80 -i ppp0 -j DNAT --to host:22


Why would you use DNAT rather than the REDIRECT target? I think that's
the intended use. What you did will work, but it may go through an extra
routing step.

--
-bill davidsen ((E-Mail Removed))
"The secret to procrastination is to put things off until the
last possible moment - but no longer" -me
 

gimickser
01-12-2005, 11:09 PM
(E-Mail Removed) wrote:
> Yes that is exactly it. It seems very clear with the command you have
> given me, I'll be able to make a test later tonight, but I would like
> to clarify a few details...
>
> 1) the option `-i ppp0` would probably be different on my host, it's a
> virtual private host and networking devices are virtual devices as I
> understand it. I guess I could try a tcp dump on any devices `ifconfig
> -a` lists and once one of them shows infinite (exponential?) number of
> packets on port 22, then I guess I would have found the device in
> question... I would change ppp0 for the device name, right?


That point isn't quite clear to me, but probably you are right. The
option "-i" will define the connection device where the traffic will
come in, mostly the internet connection, such as ppp0 for DSL or ippp0
for ISDN.

>
> 2) you specify the option `--to host:22`, but wouldn't it be better to
> specify `--to IP1:22` ? Or would that cause troubles?


You can specify any host. IP1, localhost or whatever.

>
> 3) also, since I'm having trouble understanding the difference between
> PRE/POST routing in term of the host's perspective, could you explain
> in a few words what's the main difference?


Prerouting will redirect incoming connections to different hosts and/or
ports. Postrouting is a type of masquerading, so internal connections from any
client (LAN) to the internet will be routed through the firewall, having
your internet IP as return address. Your NAT firewall will then forward
established connections to the correct client IP.

Have a look at the iptables documentation, since your matter seems to be
more complex.

greetz
gimickser

>
> Thanks a lot!
> xm
>

 

xm@ca.inter.net
01-13-2005, 12:18 AM
Thank you very much Gimickser, you have sorted everything out in my
head!

I did play long time ago with Masquerading (when my ISP denied the use
of routers) and I definitely think my SSH problem will be solved with
PREROUTING.

Thanks a lot!
xm

PS: I will read the doc, actually I've already read it... I believe the
best thing would be to try things on my own computer (without saving
changes) and see what happens... Thanks again!

 

xm@ca.inter.net
01-13-2005, 03:15 AM
Possibly that you are right, I just tried to do the command Gimickser
told me, with small tweakings and it didn't work.

First it complains that my kernel may not support NAT, might need to
recompile it or load it, etc...

Second, there was something strange in my host, if I do `ifconfig -a` I
will get a listing of 4 interfaces. The usual 'lo', then there was
'venet0' where the ip was 127.0.0.1, then 'venet0:0' with ip address
IP1 and 'venet0:1' with ip address IP2.

If I use the interface venet0:1, iptables complains that the interface
cannot contain a colon ":"... I guess I may have to contact my
sys.admins, or is there a way for me to deal with this myself?

Thanks!
xm

 

gimickser
01-13-2005, 04:48 PM
Bill Davidsen wrote:
> gimickser wrote:
>
>> xm wrote:
>>
>>> Hi there,
>>> I'm having troubles trying to be able to have my host listen for SSH
>>> connections on an IP1 on port 22 and listen at the same time on an IP2
>>> on port 80.
>>>
>>> Basically, the second ip address will only be used for this feature,
>>> it has no domain name associated...
>>>
>>> I was reading the howto for iptables for NAT, which I think is what
>>> I need but I really don't quite understand if this would be post or pre
>>> routing.
>>>
>>> Can somebody give me hand on this?
>>>
>>> Thanks,
>>> xm

>>
>>
>>
>> If I understand this right, you want to redirect an incoming ssh
>> connection to IP2 on port 80 to a host port 22... it's PREROUTING.
>>
>> iptables -t nat -A PREROUTING -p tcp -d IP2 --dport 80 -i ppp0 -j DNAT --to host:22

>
>
> Why would you use DNAT rather than the REDIRECT target? I think that's
> the intended use. What you did will work, but it may go through an extra
> routing step.
>

Well that's true, didn't think about that though.

greetz,
gimickser
 

gimickser
01-13-2005, 05:55 PM
(E-Mail Removed) wrote:
> Possibly that you are right, I just tried to do the command Gimickser
> told me, with small tweakings and it didn't work.
>
> First it complains that my kernel may not support NAT, might need to
> recompile it or load it, etc...
>
> Second, there was something strange in my host, if I do `ifconfig -a` I
> will get a listing of 4 interfaces. The usual 'lo', then there was
> 'venet0' where the ip was 127.0.0.1, then 'venet0:0' with ip address
> IP1 and 'venet0:1' with ip address IP2.
>
> If I use the interface venet0:1, iptables complains that the interface
> cannot contain a colon ":"... i guess I may have to contact my
> sys.admins or is there a way for me to deal this myself?
>
> Thanks!
> xm
>


Most examples use DNAT for this matter, I don't know why. But the
following rules actually should work. Maybe the REDIRECT target will
also work, but I am not sure, just google around and you'll find the
right rules.

I also don't know how to handle the devices. Did you try "venet0:1"?
If it doesn't work, maybe there is a possibility to create aliases for
these devices.

iptables -t nat -A PREROUTING -p tcp -i "venet0:1" -d IP2 --dport 80 -j DNAT --to host:22

iptables -A FORWARD -p tcp -i "venet0:1" -d IP2 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

Before that, load the following modules (if possible):
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ipt_state
modprobe ip_conntrack

greetz,
gimickser
 
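The rule set from this post and the PREROUTING explanation earlier in the thread, as an added script that is not from any poster: it derives the real device name from the venet0:1 alias (the source of the colon warning xm hit) and puts the accept rule in INPUT against the translated address, since the filter table sees the packet after DNAT and locally delivered traffic never reaches FORWARD. Assumed, constructed values: venet0 as the parent device, 203.0.113.10 as IP1 (where sshd listens on 22) and 203.0.113.20 as IP2.

```shell
#!/bin/sh
# Added example, not from the thread: "SSH on IP2:80" as a script, plus
# the interface check that explains the colon warning in the thread.
# Assumed layout (constructed sample addresses): parent device venet0,
# IP1=203.0.113.10 (sshd listens there on 22), IP2=203.0.113.20.
PUBLIC_IFACE="${PUBLIC_IFACE:-venet0:1}"  # alias name is accepted here
PUBLIC_IP="${PUBLIC_IP:-203.0.113.20}"    # IP2
PUBLIC_PORT="${PUBLIC_PORT:-80}"
SSH_IP="${SSH_IP:-203.0.113.10}"          # IP1
SSH_PORT="${SSH_PORT:-22}"

# iptables -i takes the real device only: no ':' (alias), '!' or '*'.
check_iface() {
    case "$1" in ""|*:*|*!*|*\**) return 1 ;; *) return 0 ;; esac
}

# venet0:1 -> venet0; the alias address is selected with -d instead.
parent_iface() { printf '%s\n' "${1%%:*}"; }

# DRY_RUN=1 prints each command instead of running it (running needs root).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

ssh_on_port80_rules() {
    iface=$(parent_iface "$PUBLIC_IFACE")
    check_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
    run modprobe iptable_nat
    # PREROUTING runs before the routing decision, so the rewritten
    # destination IP1:22 is delivered locally like any direct SSH login.
    run iptables -t nat -A PREROUTING -i "$iface" -p tcp -d "$PUBLIC_IP" \
        --dport "$PUBLIC_PORT" -j DNAT --to-destination "$SSH_IP:$SSH_PORT"
    # The filter table sees the translated address, so the accept rule
    # matches IP1:22 in INPUT (FORWARD only sees routed-through traffic).
    run iptables -A INPUT -i "$iface" -p tcp -d "$SSH_IP" --dport "$SSH_PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
}

# "show" prints the rules for review; "apply" installs them as root.
case "${1:-}" in
    apply) ssh_on_port80_rules ;;
    show)  DRY_RUN=1 ssh_on_port80_rules ;;
esac
```

Run it with `show` first and compare the printed rules against `iptables -t nat -L PREROUTING -n` after applying, so a stray alias name or port is caught before sshd is exposed on the new port.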
 
xm@ca.inter.net
01-14-2005, 01:31 AM
> Most examples use DNAT for this matter, I don't know why. But the
> following rules actually should work. Maybe the REDIRECT target will
> also work, but I am not sure, just google around and you'll find the
> right rules.
>
> I also don't know how to handle the devices. Did you try "venet0:1"?
> If it doesn't work, maybe there is a possibility to create aliases for
> these devices.


Any command with a ':' in iptables results in:
Warning: wierd character in interface `venet0:1' (No aliases, :, ! or *).

> iptables -t nat -A PREROUTING -p tcp -i "venet0:1" -d IP2 --dport 80 -j DNAT --to host:22
>
> iptables -A FORWARD -p tcp -i "venet0:1" -d IP2 --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Before that, load the following modules (if possible):
> modprobe ip_tables
> modprobe iptable_filter
> modprobe iptable_nat
> modprobe ipt_state
> modprobe ip_conntrack


Hmmm, how would I do that? I tried looking for modprobe, `slocate
modprobe` didn't have any results...

Thanks!
xm

 