I have a router/server that I would like to ssh to from the net. In order to discourage brute force attacks I would like to redirect all connections on a non-standard port to port 22 on the router/server. I notice that setting up a rule

REDIRECT net 22 tcp 4104

causes the firewall to open both ports 4104 and 22 to connections from the net. Is it possible to only redirect 4104 to the localhost port 22 and have connection attempts to port 22 from the net dropped?

Useful? Information:

#uname -a
Linux Alfalfa 2.6.8-2005.04.04 #1 Mon Apr 4 22:50:45 CDT 2005 i686 GNU/Linux

#shorewall version
2.2.2

#iptables -V
iptables v1.2.11

/etc/shorewall/policy
###############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw       net    ACCEPT
net       all    DROP     $LOG
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/rules
#ACTION   SOURCE   DEST                     PROTO   DEST    SOURCE   ORIGINAL   RATE    USER/
#                                                   PORT    PORT     DEST       LIMIT   GROUP
# DNS
ACCEPT    fw       net                      tcp     53
ACCEPT    fw       net                      udp     53
ACCEPT    loc      fw                       tcp     53
ACCEPT    loc      fw                       udp     53
REJECT    loc      net                      tcp     53
REJECT    loc      net                      udp     53
#
# SSH
ACCEPT    loc      fw                       tcp     22
REDIRECT  net      22                       tcp     4104
#
# FTP
ACCEPT    loc      fw                       tcp     21
REDIRECT  net      21                       tcp     4105
#
# Ping
ACCEPT    loc      fw                       icmp    8
ACCEPT    net      fw                       icmp    8
ACCEPT    fw       loc                      icmp
ACCEPT    fw       net                      icmp
#
# Samba
ACCEPT    fw       loc                      udp     137:139
ACCEPT    fw       loc                      tcp     137,139,445
ACCEPT    fw       loc                      udp     1024:   137
ACCEPT    loc      fw                       udp     137:139
ACCEPT    loc      fw                       tcp     137,139,445
ACCEPT    loc      fw                       udp     1024:   137
REJECT    loc      net                      udp     137:139
REJECT    loc      net                      tcp     137,139,445
REJECT    loc      net                      udp     1024:   137
#
# NTP
ACCEPT    fw       net                      udp     123
ACCEPT    loc      fw                       udp     123
REJECT    loc      net                      udp     123
#
# Apt(HTTP & FTP)
ACCEPT    fw       net                      tcp     80
ACCEPT    fw       net                      tcp     21
#
# Emule
DNAT      net      loc:192.168.111.2:4662   tcp     4662
DNAT      net      loc:192.168.111.2:4672   udp     4672
#
# Bittorrent
ACCEPT    fw       net                      tcp     6881:6889
ACCEPT    fw       net                      tcp     46881:46889
ACCEPT    fw       net                      tcp     6969
ACCEPT    fw       net                      tcp     3389
ACCEPT    fw       net                      tcp     6666
ACCEPT    fw       net                      tcp     90
ACCEPT    net      fw                       tcp     6881:6889
ACCEPT    net      fw                       tcp     46881:46889
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
colin ingram wrote:
> I have a router/server that I would like to ssh to from the net. In
> order to discourage brute force attacks I would like to redirect all
> connections on a non-standard port to port 22 on the router/server.
> I notice that setting up a rule
>
> REDIRECT net 22 tcp 4104
>
> causes the firewall to open both ports 4104 and 22 to connections from
> the net. Is it possible to only redirect 4104 to the localhost port
> 22 and have connection attempts to port 22 from the net dropped?

Don't know how to make it possible with redirection.
One way to achieve this would be to change the sshd_config so that sshd listens for connections on port 4104.
Then you could change the rule to

ACCEPT net fw tcp 4104

Of course you would have to use this port also from local connections.

Peter
--
_______________________________
Dr. Hagen&Partner GmbH
Am Weichselgarten 7
91058 Erlangen
Tel: (0049)9131/691-330
Fax: (0049)9131/691-248
_______________________________
DNAT net fw:192.168.1.1:22 tcp 4104

in /etc/shorewall/rules

From the net, you will have 4104 listening, from your LAN, port 22.

On Sunday 24 April 2005 02:45, Peter Eis wrote:
> colin ingram wrote:
> > I have a router/server that I would like to ssh to from the net. In
> > order to discourage brute force attacks I would like to redirect all
> > connections on a non-standard port to port 22 on the router/server.
> > I notice that setting up a rule
> >
> > REDIRECT net 22 tcp 4104
> >
> > causes the firewall to open both ports 4104 and 22 to connections from
> > the net. Is it possible to only redirect 4104 to the localhost port
> > 22 and have connection attempts to port 22 from the net dropped?
>
> Don't know how to make it possible with redirection.
> One way to achieve this would be to change the sshd_config so that
> sshd listens for connections on port 4104.
> Then you could change the rule to
> ACCEPT net fw tcp 4104
>
> Of course you would have to use this port also from local connections.
>
> Peter
colin ingram wrote:
> I have a router/server that I would like to ssh to from the net. In
> order to discourage brute force attacks I would like to redirect all
> connections on a non-standard port to port 22 on the router/server.
> I notice that setting up a rule
>
> REDIRECT net 22 tcp 4104
>
> causes the firewall to open both ports 4104 and 22 to connections from
> the net. Is it possible to only redirect 4104 to the localhost port
> 22 and have connection attempts to port 22 from the net dropped?

Not using standard Shorewall features. You would have to insert your own DROP rule into the NAT table's PREROUTING chain (or better, one of the chains that Shorewall creates and jumps to from PREROUTING) from /etc/shorewall/start. Example:

run_iptables -t nat -A net_dnat -p tcp --dport 22 -j DROP

This causes all connections from the net on tcp port 22 to be silently dropped.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
ryan wrote:
> DNAT net fw:192.168.1.1:22 tcp 4104
>
> in /etc/shorewall/rules
>
> From the net, you will have 4104 listening, from your LAN, port 22.

That also works -- assuming that 192.168.1.1 is the IP address of the internal firewall interface.

-Tom
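To make the difference between the two rule forms concrete, here is a small Python checker, added as an example and not Shorewall's own code or anything posted in this thread. It parses /etc/shorewall/rules-style lines and lists which firewall ports the net zone can reach. It models the REDIRECT behaviour as Colin observed it (both the public port and the redirect target end up accepted from the net) and the DNAT form as Ryan and Tom describe it (only the public port is reachable); that modelling, the function names and the sample rule lines are assumptions made for illustration, not a statement about every Shorewall release.

```python
"""Added example: which firewall ports does the "net" zone reach?

Not Shorewall's code and not from the thread. Models the behaviour the
posters describe (assumption):

  ACCEPT   net fw             <proto> <dport>  -> <dport> open on the firewall
  REDIRECT net <port>         <proto> <dport>  -> <dport> AND <port> open
                                                 (what the REDIRECT rule did)
  DNAT     net fw:<ip>:<port> <proto> <dport>  -> only <dport> open publicly
                                                 (Ryan's DNAT form)
"""
from dataclasses import dataclass


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport: str


def parse_rules(text):
    """Parse rules-file text into Rule objects (comments and blanks skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (5 - len(cols))   # ACTION SOURCE DEST PROTO DPORT
        rules.append(Rule(*cols[:5]))
    return rules


def expand_ports(spec):
    """Expand '22', '137,139,445', '6881:6889' or '1024:' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            ports.update(range(int(lo) if lo else 1, (int(hi) if hi else 65535) + 1))
        else:
            ports.add(int(part))
    return ports


def net_exposed_ports(rules):
    """Return {(proto, port)} on the firewall reachable from the net zone."""
    exposed = set()
    for r in rules:
        if r.source.split(":")[0] != "net" or r.proto.lower() not in ("tcp", "udp"):
            continue
        if r.dport == "-":
            continue
        proto = r.proto.lower()
        dest_zone = r.dest.split(":")[0]
        public = {(proto, p) for p in expand_ports(r.dport)}
        if r.action == "ACCEPT" and dest_zone == "fw":
            exposed |= public
        elif r.action == "REDIRECT":
            # Assumption from the thread: the firewall ends up accepting the
            # redirect target port from the net as well as the public port.
            exposed |= public | {(proto, p) for p in expand_ports(r.dest)}
        elif r.action == "DNAT" and dest_zone == "fw":
            # DNAT to the internal address: only the public port is reachable.
            exposed |= public
    return exposed


# Constructed sample rules: Colin's original SSH lines beside Ryan's fix.
ORIGINAL_RULES = """
ACCEPT   loc  fw                 tcp  22
REDIRECT net  22                 tcp  4104
ACCEPT   net  fw                 icmp 8
ACCEPT   net  fw                 tcp  6881:6889
"""
FIXED_RULES = """
ACCEPT   loc  fw                 tcp  22
DNAT     net  fw:192.168.1.1:22  tcp  4104
ACCEPT   net  fw                 icmp 8
ACCEPT   net  fw                 tcp  6881:6889
"""


def ssh_ports_open_to_net(text):
    """Sorted list of the SSH-related TCP ports (22, 4104) the net can reach."""
    exposed = net_exposed_ports(parse_rules(text))
    return sorted(p for proto, p in exposed if proto == "tcp" and p in (22, 4104))


if __name__ == "__main__":
    print("REDIRECT form:", ssh_ports_open_to_net(ORIGINAL_RULES))  # [22, 4104]
    print("DNAT form:    ", ssh_ports_open_to_net(FIXED_RULES))     # [4104]
```

Feeding it the full rules file from Colin's post instead of the constructed snippet works the same way; the point it makes is that the REDIRECT line leaves port 22 reachable from the net while the DNAT line leaves only 4104, which is exactly what Colin wanted.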
ryan wrote:
> DNAT net fw:192.168.1.1:22 tcp 4104
>
> in /etc/shorewall/rules
>
> From the net, you will have 4104 listening, from your LAN, port 22.

I've added Peter's question and Ryan's response as Shorewall FAQ 1e.

-Tom
On 4/24/05, Tom Eastep <teastep@shorewall.net> wrote:
> ryan wrote:
> > DNAT net fw:192.168.1.1:22 tcp 4104
> >
> > in /etc/shorewall/rules
> >
> > From the net, you will have 4104 listening, from your LAN, port 22.
>

I was able to get this working using Ryan's solution. Thanks Tom, Peter, and Ryan for all your help.

Colin