In a larger firewall the following two lines allow me to connect from the internet to an SSH server running on the LAN host 172.27.255.4 and listening on ports 1046 and 22:
iptables -t nat -A PREROUTING -i ppp0 -p tcp -d aaa.bbb.ccc.ddd --dport 1046 -j DNAT --to-destination 172.27.255.4:1046
iptables -t filter -A FORWARD -p tcp -i ppp0 -d 172.27.255.4 --dport 1046 -j ACCEPT
The address aaa.bbb.ccc.ddd is the IPv4 public address of the firewall. This is working fine using port 1046 to connect to the SSH server.
What I would like to do now is stop the SSH server from listening on port 1046 but still use port 1046 when connecting from the internet. Simply changing the first line of the above code from
iptables -t nat -A PREROUTING -i ppp0 -p tcp -d aaa.bbb.ccc.ddd --dport 1046 -j DNAT --to-destination 172.27.255.4:1046
to
iptables -t nat -A PREROUTING -i ppp0 -p tcp -d aaa.bbb.ccc.ddd --dport 1046 -j DNAT --to-destination 172.27.255.4:22
does not work.
What am I missing here?
This does the job:
iptables -t nat -A PREROUTING -d aaa.bbb.ccc.ddd -p tcp --dport 1046 -j DNAT --to-destination 172.27.255.4:22
iptables -t filter -A FORWARD -p tcp -d 172.27.255.4 --dport 22 -j ACCEPT
The first rule changes the packet's destination before it gets routed. The second rule routes (in this case forwards) the packet having the new, desired destination.
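The point of the answer is that the FORWARD rule is evaluated after DNAT has rewritten the destination, so it must match the translated port (22), not the public port (1046). The following script is an added example, not code from the original post: it generates the DNAT/FORWARD pair from the public port and the internal port, and includes a small consistency check that flags the mismatch from the question. It assumes ppp0 as the WAN interface and the placeholder public address from the question; it only prints rules, it does not apply them.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: WAN interface ppp0,
# public address aaa.bbb.ccc.ddd as a placeholder, SSH on a LAN host.
# The script prints iptables rules; it does not run them.

# port_forward_rules WAN_IF PUBLIC_ADDR EXT_PORT LAN_HOST INT_PORT
# Emits one PREROUTING DNAT rule and one FORWARD rule. The FORWARD rule
# matches the post-DNAT destination (LAN_HOST:INT_PORT), which is what the
# filter table actually sees after nat/PREROUTING has rewritten the packet.
port_forward_rules() {
    wan_if=$1; pub_addr=$2; ext_port=$3; lan_host=$4; int_port=$5
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_if" "$pub_addr" "$ext_port" "$lan_host" "$int_port"
    printf 'iptables -t filter -A FORWARD -i %s -p tcp -d %s --dport %s -j ACCEPT\n' \
        "$wan_if" "$lan_host" "$int_port"
}

# Extract the port after "--to-destination host:" from a DNAT rule line (stdin).
dnat_target_port() {
    sed -n 's/.*--to-destination [^:]*:\([0-9][0-9]*\).*/\1/p'
}

# Extract the --dport value from a FORWARD rule line (stdin).
forward_dport() {
    sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p'
}

# rules_consistent DNAT_RULE FORWARD_RULE
# Succeeds only when the FORWARD rule's --dport equals the DNAT target port.
# The question's broken variant (DNAT to :22 but FORWARD --dport 1046) fails here.
rules_consistent() {
    t=$(printf '%s\n' "$1" | dnat_target_port)
    f=$(printf '%s\n' "$2" | forward_dport)
    [ -n "$t" ] && [ "$t" = "$f" ]
}

# Print the rule pair for the case in the question: public 1046 -> LAN SSH on 22.
port_forward_rules ppp0 aaa.bbb.ccc.ddd 1046 172.27.255.4 22
```

Feed the two generated lines to a shell (or paste them into the firewall script) to apply them; the consistency check is useful when the external and internal ports differ, since that is exactly when a copied FORWARD rule silently keeps the wrong port.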