iptables port forwarding

Linux and Unix-Like Red Hat
1

Hello All,
I would like to ask you very kindly with /etc/sysconfig/iptables file

I have to setup port forwarding on RHEL6 router. Users from public network must be able to ssh to servers in private network behind RHEL6 router. Problem is that servers in private network must be isolated.

My boss require that there will not be any possibility of connection from private network to any remote network behind RHEL6 router

I am not able to DROP any traffic coming from private network.

I did setup port forwarding on router from public network to private network easily but I am not able to force router to drop any traffic coming from private network outside unless I break port forwarding.

here is example of my /etc/sysconfig/iptables file. Please help with line which would drop all outgoing traffic from private network but keep port forwarding working.

cat /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
-A INPUT -p all -j DROP
#
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 192.168.0.3:22
COMMIT

BTW: (ssh on router is running on port 2222)

2

Without dwelling into configuration...

If you allow access from outside network to private network via ssh protocol, there is little you can do to stop tunneling around.

This might sound strange but have you considered not giving ssh access ?
Think about what your are doing and can it be done on a higher layer (HTTPS, FTPS) to expose one port and application behind, not ssh and shell.

Regards
Peasant.

3

Hello Peasant,

Thank you very much for your answer.

I have no room for thinking what I am doing. This is direct order from my manager which I have to deliver. There is no room to ask questions etc.

I would like to ask you very kindly for a line which I can stick to /etc/sysconfig/iptables file so port forwarding will keep working but servers in private network will not be able to reach any other network.

Concerns with ssh tunneling etc is not my concern - I have to deliver only this isolated task.

Please help.
Thanks.