Adding listening ports

Adding listening ports

[Richard Plana]

Hi,

Because of (overly?) strict security policies at our company, one can 
only make TCP connections to ports 80 and 443. I was wondering if 
netfilter could be used to redirect packets destined for port 443 to the 
listening sshd daemon on port 22 on an external machine.

I tried "iptables -I RH-Lokkit-0-50-INPUT 5 -p tcp -m tcp --dport 443  
--syn -j ACCEPT" (I'm using RedHat's default config) and "iptables -t 
nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 
127.0.0.1:22" to do the actual routing, but that didn't seem to work:

$ ssh -p 443 localhost
ssh: connect to host localhost port 443: Connection refused

Suggestions would be appreciated.
-- 


*Richard Neal Plana, B.Sc., CCNA*
Lead Software Engineer
Zi Corp.

RE: Adding listening ports

[Daniel Chemko]

The DNAT operation happens firstly so the INPUT rule needs to refer to
port 22 since the address/port mangle has already occurred.

Secondly, instead of DNAT, you could have used the redirect jump
instead.

-----Original Message-----
From: Richard Plana [mailto:rplana@zicorp.com] 
Sent: Tuesday, July 29, 2003 12:07 PM
To: netfilter@lists.netfilter.org
Subject: Adding listening ports

Hi,

Because of (overly?) strict security policies at our company, one can 
only make TCP connections to ports 80 and 443. I was wondering if 
netfilter could be used to redirect packets destined for port 443 to the

listening sshd daemon on port 22 on an external machine.

I tried "iptables -I RH-Lokkit-0-50-INPUT 5 -p tcp -m tcp --dport 443  
--syn -j ACCEPT" (I'm using RedHat's default config) and "iptables -t 
nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 
127.0.0.1:22" to do the actual routing, but that didn't seem to work:

$ ssh -p 443 localhost
ssh: connect to host localhost port 443: Connection refused

Suggestions would be appreciated.
-- 


*Richard Neal Plana, B.Sc., CCNA*
Lead Software Engineer
Zi Corp.

RE: Adding listening ports

[Sebastian]

Hello...

You can also add "Port 443" to /etc/ssh/sshd_config or whatever your ssh
config file is.

Greets
Sebastian.


> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org 
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of 
> Richard Plana
> Sent: Tuesday, July 29, 2003 9:07 PM
> To: netfilter@lists.netfilter.org
> Subject: Adding listening ports
> 
> 
> Hi,
> 
> Because of (overly?) strict security policies at our company, one can 
> only make TCP connections to ports 80 and 443. I was wondering if 
> netfilter could be used to redirect packets destined for port 
> 443 to the 
> listening sshd daemon on port 22 on an external machine.
> 
> I tried "iptables -I RH-Lokkit-0-50-INPUT 5 -p tcp -m tcp 
> --dport 443  
> --syn -j ACCEPT" (I'm using RedHat's default config) and "iptables -t 
> nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 
> 127.0.0.1:22" to do the actual routing, but that didn't seem to work:
> 
> $ ssh -p 443 localhost
> ssh: connect to host localhost port 443: Connection refused
> 
> Suggestions would be appreciated.
> -- 
> 
> 
> *Richard Neal Plana, B.Sc., CCNA*
> Lead Software Engineer
> Zi Corp.
> 
> 
>