[PLUG] IPtables internal port forwarding

Tim tim-pdxlug at sentinelchicken.org
Wed May 6 22:22:08 UTC 2009


On Wed, May 06, 2009 at 03:03:00PM -0700, Joe Pruett wrote:
> >>  If I have a client connecting to port 22 on my server, say from 10.18.18.4
> >>  can I use IPtables to send that connection to Port 8022 on the same box?
> >>
> >>  At the same time I would want traffic from 10.18.19.4 to arrive on port 22
> >>  and be forwarded passed through to port 22.
> >
> > Something like:
> >
> > # iptables -t nat -A PREROUTING -p tcp -s $EVIL_IP -d $SERVER_EXTERNAL_IP --dport 22 -j DNAT --to-destination $SERVER_EXTERNAL_IP:8022
> >
> > might do the trick.  That'll redirect just evil connections to 8022
> > and won't touch stuff from other IPs.  Of course this stuff may not
> > scale well if you have thousands of "evil" IPs.  If instead, you want
> > to white list "good" IPs and assume all others are "evil", that would
> > probably be easier to maintain and would scale better. I'm sure you
> > can work out the syntax of that after a quick `man iptables'.
> 
> i think the original poster wanted to magically create rules that would 
> take port x and map to x+8000 based on incoming addresses.  he wanted to 
> avoid creating thousands of rules.  to that, i don't think there is going 
> to be an easy solution, so programmatically creating the rules as needed, 
> and i don't know if iptables will have limits on the number of rules.

Sure, I kinda expected that, but it's not hard to go from the above
line to something like:

# Append one DNAT rule per address listed in evil_ips.txt (one IP per line)
while read -r EVIL_IP; do
  iptables -t nat -A PREROUTING -p tcp -s "$EVIL_IP" -d "$SERVER_EXTERNAL_IP" --dport 22 -j DNAT --to-destination "$SERVER_EXTERNAL_IP":8022
done < evil_ips.txt

As for scaling with lots of rules, I think it somewhat depends on how
you write your chains.  If you break up the conditionals for your rule
such that all of your evil IP addresses are isolated on one chain and
the only time you jump to that chain is when you already know it's
port 22 traffic and any other conditionals, then I think it can scale
pretty well.  BTW, there are published benchmarks comparing iptables
with pf and other firewalls when examining how they scale with lots and
lots of rules.

Of course this kind of blacklisting is just playing whack-a-mole and
may be ill-advised.  If you're worried about password brute force
attacks, then require users to use public keys in your sshd_config
and be done with it.

cheers,
tim
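The chain layout Tim describes above (all the listed addresses isolated on one chain, which is only entered for port 22 traffic), as an added example that is not code from the list message: a POSIX sh function that emits iptables-restore input for a hypothetical nat chain named SSH_REDIRECT, with constructed documentation-range addresses as the list. The address file is untrusted input to a root-run command, so only plain dotted quads are accepted.

```shell
#!/bin/sh
# Added example, not code from the list message: build iptables-restore
# input in which the listed source addresses live on their own nat chain
# (hypothetical name SSH_REDIRECT) that is entered only for TCP/22 traffic
# to the server, so the long address list is never scanned for other traffic.

# usage: gen_ssh_redirect_rules SERVER_IP ORIG_PORT NEW_PORT IP_LIST_FILE
gen_ssh_redirect_rules() {
    server="$1"; from_port="$2"; to_port="$3"; ipfile="$4"
    echo '*nat'
    echo ':SSH_REDIRECT - [0:0]'
    # One dispatch rule: only port 22 traffic to the server enters the chain.
    echo "-A PREROUTING -p tcp -d $server --dport $from_port -j SSH_REDIRECT"
    # One DNAT rule per address; blank lines and comments are ignored and
    # anything that is not a plain dotted quad is skipped with a warning.
    while read -r ip; do
        case "$ip" in
            ''|'#'*) continue ;;
        esac
        if printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "-A SSH_REDIRECT -s $ip -j DNAT --to-destination $server:$to_port"
        else
            echo "skipping malformed entry: $ip" >&2
        fi
    done < "$ipfile"
    echo 'COMMIT'
}

# Constructed sample list (documentation-range addresses), one entry deliberately bad.
EVIL_LIST=$(mktemp)
cat > "$EVIL_LIST" <<'EOF'
# addresses to move onto the alternate port
192.0.2.10
198.51.100.7
not-an-address
EOF

# Print the ruleset; piping it into iptables-restore would install it in one pass.
gen_ssh_redirect_rules 203.0.113.5 22 8022 "$EVIL_LIST"
rm -f "$EVIL_LIST"
```

Because the list only lives on SSH_REDIRECT, traffic to any other port costs a single PREROUTING rule evaluation regardless of how long the list grows.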



More information about the PLUG mailing list