Port forwarding SSH
** iptables diagram source: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-firewall.html
** forward incoming tcp port 2211 packets to port 22 on www <source>iptables -t nat -A PREROUTING -p tcp --dport 2211 -j DNAT --to 10.3.45.11:22</source>
** allow forwarding to www (or just remove the default reject rule) <source>iptables -I FORWARD -p tcp --dport 22 -d 10.3.45.11 -j ACCEPT</source>
** don't recheck existing forwarded connections, including replies to accepted traffic <source>iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</source>
** perform ip masquerading <source>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</source>
** troubleshooting (log every forwarded packet; remove the rule again afterwards with <code>iptables -D FORWARD -j LOG</code>) <source>iptables -I FORWARD -j LOG
tail -f /var/log/messages </source>
** resulting firewall looks like this: <source>[root@router ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@router ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
</source>
* kernel: <source>vi /etc/sysctl.conf # add to the end: net.ipv4.ip_forward = 1
sysctl -p # apply the new setting without a reboot</source>
* aws:
** allow access to port 2211 in security group
** disable source/dest check for router in aws console (might not be necessary)
* Save the iptables rules when it looks like they're working.
~. (the ssh escape sequence, typed at the start of a line) will break out of a locked-up ssh session
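Added example, not from the original page: a small POSIX shell audit that checks an <code>iptables-save</code> dump for the four rules listed above (DNAT, FORWARD accept, conntrack accept, MASQUERADE), so a missing rule shows up before you reach for the LOG rule. It assumes the page's addresses and ports and eth0 as the external interface; <code>check_ip_forward</code> reads the live sysctl unless given a file path.

```shell
#!/bin/sh
# Audit a router's rules for the SSH port-forwarding setup described above.
# Input: iptables-save output (e.g. `iptables-save > /tmp/rules.txt` on the
# router, or the saved rules file). Values below are the page's; the WAN
# interface name is an assumption.
EXT_PORT=2211
TARGET=10.3.45.11
TARGET_PORT=22
WAN_IF=eth0

# need FILE PATTERN DESCRIPTION: report when PATTERN (ERE) is absent from FILE
need() {
  if grep -Eq -- "$2" "$1"; then
    return 0
  fi
  echo "MISSING: $3"
  return 1
}

# audit_rules FILE: returns the number of missing rules (0 = setup complete)
audit_rules() {
  missing=0
  need "$1" "^-A PREROUTING .*--dport $EXT_PORT .*-j DNAT --to-destination $TARGET:$TARGET_PORT$" \
       "nat PREROUTING DNAT $EXT_PORT -> $TARGET:$TARGET_PORT" || missing=$((missing + 1))
  need "$1" "^-A FORWARD .*-d $TARGET(/32)? .*--dport $TARGET_PORT .*-j ACCEPT$" \
       "filter FORWARD ACCEPT to $TARGET:$TARGET_PORT" || missing=$((missing + 1))
  need "$1" "^-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT$" \
       "filter FORWARD ACCEPT for RELATED,ESTABLISHED" || missing=$((missing + 1))
  need "$1" "^-A POSTROUTING -o $WAN_IF -j MASQUERADE$" \
       "nat POSTROUTING MASQUERADE out $WAN_IF" || missing=$((missing + 1))
  return $missing
}

# check_ip_forward [PATH]: succeeds if forwarding is enabled (reads the live
# /proc value by default; a file path can be given for offline checks)
check_ip_forward() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}
```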