iptables in a NAT scenario

Hi, I am learning IPTables and have this question.

My server is behind a firewall that does a PAT & NAT to the LAN address.

Internet IP: 68.1.1.23
Port: 10022

Server LAN IP: 10.1.1.23
port: 22

Allowed Internet IPs:  131.1.1.23, 132.1.1.23

I want to allow a set of IPs to be able to SSH & DROP all other traffic. The point where I got confused is my destination address.

Packet from computer on Internet:

Source IP: 131.1.1.23            sourceport:<random>
Destination IP: 68.1.1.23        destinationport: 10022

Packet seen by server behind firewall:

source IP: 68.1.1.23   sourceport: 2522
destination IP: 10.1.1.23   destinationport: 22

Q1) Now, how do I write my IPtables ruleset, if the host is not able to see the actual source of the traffic?

Q2) I also want to block any SSH from within 10.0.0.0/subnet as it will be a colo facility & other servers share LAN addresses.

IPTables can do NAT, but here someone else does it for you, so all addresses are inside addresses or real remote Internet addresses.

NAT/PAT generally hides inside addresses, not Internet remote addresses.

I suppose you could write or configure a NAT/PAT to forward packets to you with the remote address changed to one of the NAT host's, and when packets return to the NAT host, it knows which host-port becomes what remote host-port. That ensures the NAT/PAT packets route back to the NAT/PAT host, but it seems a waste of time. Usually the NAT/PAT packets carry the remote Internet client or server host and port; it is the inside addresses that are protected, and it just does not work if your routing sends response packets to a different firewall.

Usually inside addresses are either registered, Internet-ready, unroutable like 10.*.*.*, or stolen/made-up. I suppose if you have stolen ones, you need to ensure the real ones are serviced and not a threat!

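Added example, not from the original post or the reply above: a server-side ruleset for the scenario described (SSH on 10.1.1.23:22, allowed clients 131.1.1.23 and 132.1.1.23, no SSH from the shared 10.0.0.0/8 LAN). It assumes what the reply says is the usual case, namely that the upstream firewall only forwards 68.1.1.23:10022 to 10.1.1.23:22 and leaves the remote source address intact. The `ALLOWED_SRC`, `LAN_BLOCK` and `--apply` names are this example's own choices.

```bash
#!/bin/sh
# Added example (not from the original post). Assumption: the upstream firewall
# does DNAT/port forwarding only (68.1.1.23:10022 -> 10.1.1.23:22) and does NOT
# rewrite the source address, so this host still sees 131.1.1.23 / 132.1.1.23
# as the packet source. If the firewall also SNATs (this host sees 68.1.1.23 as
# the source, as in the "packet seen by server" listing), the -s matches below
# can never succeed and the allow-list must be enforced on the firewall instead.

SSH_PORT=22
ALLOWED_SRC="131.1.1.23 132.1.1.23"   # remote clients permitted to SSH (Q1)
LAN_BLOCK="10.0.0.0/8"                # shared colo LAN: no SSH from neighbours (Q2)

# Emit the ruleset as text so it can be reviewed (or checked by a test) without
# root; pass --apply to execute the lines with iptables.
build_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # keep established flows, including replies to this host's own connections
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in $ALLOWED_SRC; do
        echo "iptables -A INPUT -p tcp -s $src --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Q2: explicit drop of SSH from the LAN block. The default policy would drop
    # it anyway; logging it separately makes neighbour scans visible.
    echo "iptables -A INPUT -p tcp -s $LAN_BLOCK --dport $SSH_PORT -j LOG --log-prefix \"LAN-SSH-DROP: \""
    echo "iptables -A INPUT -p tcp -s $LAN_BLOCK --dport $SSH_PORT -j DROP"
    # Q1: everything else is dropped. Set the policy last so an admin applying
    # this over SSH is not locked out between the flush and the ACCEPT rules.
    echo "iptables -P INPUT DROP"
}

# Number of generated ACCEPT rules for a given source address (used for checks).
count_rules_for() {
    build_rules | grep -c -- "-s $1 .* -j ACCEPT"
}

# The default policy the ruleset ends with.
final_policy() {
    build_rules | awk '/-P INPUT/ {print $NF}'
}

if [ "$1" = "--apply" ]; then
    build_rules | while IFS= read -r cmd; do eval "$cmd"; done
else
    build_rules
fi
```

Before applying this, confirm which source address the server really sees for a forwarded SSH connection, for example with `tcpdump -ni eth0 tcp port 22` while an allowed client connects. If the source is 68.1.1.23 rather than the client's address, the firewall is also rewriting the source and the allow-list belongs on the firewall; the LAN-block rule and the DROP policy still work either way.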