Ssh – How to route all traffic from a specific port to a specific network interface

ipiptablesroutessh

I have the following setup:

A computer with two network cards connected to two different routers. The first router redirects all outside traffic coming on port 5122 to port 22. So that I can connect to the machine using ssh.

I wish to use the first router only for ssh connections. Nothing else. So I want all other traffic directed through the second router.

How can I do that?

Best Answer

Like this:

1. Mark packets

Set a mark on each packet which is heading for port 5122.

iptables -A PREROUTING -t mangle -p tcp --dport 5122 \
  -j MARK --set-mark 1

Alternatively like this if you want to limit it to packets with a destination ip of 10.10.10.10:

iptables -A PREROUTING -t mangle -p tcp -d 10.10.10.10/32 --dport 5122 \
  -j MARK --set-mark 1

2. Create routing table/rule

Create routing table with a rule for it to be used for the marked packets.

echo 201 ssh5122.out >> /etc/iproute2/rt_tables
ip rule add fwmark 1 table ssh5122.out

3. Add the route

Add the route corresponding to the routing table.

ip route add default via $ssh_router_ip dev $ssh_router_interface \
  dev table ssh5122.out

That should work.

Related Solutions

Iptables – Forwarding Port to SSH on Different Network Machine

The rule for the FORWARD chain needs to use the target port, because it is executed after the prerouting chain, i.e. after the DNAT has been done.

iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

A good overview diagram of how the various tables and chains are linked together is here: http://www.csie.ntu.edu.tw/~b92035/cnl/hw1/Iptables.gif

Ssh – iptables with DNAT and multiple gateways: How to route replies to correct gateway

I found a solution in the accepted answer to the question "Route return traffic to correct gateway depending on service".

I've implemented these rules on my Linux client:

# Default route is second gateway:
ip route add default via 10.0.0.2

# Create a routing table "FIXED" using our fixed IP gateway
echo "200 FIXED" >>/etc/iproute2/rt_tables
ip route add default table FIXED via 10.0.0.1

# Create a rule to route any packets marked "42" through FIXED:
ip rule add fwmark 42 table FIXED

# Finally, the iptables rule:
# Any outgoing traffic from source port 22 of my Linux client
# that has a destination inside our private network (10.0.0.0/24)
# is marked "42" (and therefore goes to FIXED):
iptables -t mangle -A OUTPUT ! -d 10.0.0.0/24 \
                             -p tcp -m tcp --sport 22 \
                             -j MARK --set-mark 42

Best Answer

Related Solutions

Iptables – Forwarding Port to SSH on Different Network Machine

Ssh – iptables with DNAT and multiple gateways: How to route replies to correct gateway

Related Topic