[Firewall] Help: setting up port-forwarding

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Wed Nov 7 00:32:42 MST 2007

Setting NAT_TCP_FORWARD="2201>" and leaving port 22 out of 
OPEN_TCP, *should* work. As I already said, you never need to open 
additional ports for port forwards, as these packets are processed in 
the PREROUTING chain. I'm currently on vacation, but as soon as I get 
back to the university (next Monday) I will try your configuration. 
Maybe, just maybe, a bug is creeping around somewhere....

You don't see any (strange) packet drop or other messages in your 
firewall/kernel log?


Philip Prindeville wrote:
> Well, I'm still not getting it.  If I have:
> and is my local (internal) address, then how do I accept 
> connections on my public side on 2201, but not on my public side on 22?  
> (And of course, accept connections on my private side on 22...)
> Or isn't that something I can do?
> Do I need to run two instances of "sshd" instead, and have each one 
> specifically bind to an interface and port?
> I was hoping to avoid that.
> -Philip
> Arno van Amersfoort wrote:
>> You never need to specify an additional OPEN_xxx for a port forward, as 
>> the forwarding is performed in the PREROUTING chain. So in this 
>> case OPEN_TCP="22" is useless....
>> a.
> _______________________________________________
> Firewall mailing list
> Firewall at lists.btito.net
> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl

Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
Arno's (Linux IPTABLES Firewall) Homepage:
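The point Arno makes above, that a forwarded port is rewritten in the nat PREROUTING chain and then travels through FORWARD rather than INPUT, is easiest to see in the raw iptables rules that such a forward boils down to. The script below is an added example; it is not from the thread and not Arno's firewall script, and it does not use the NAT_TCP_FORWARD/OPEN_TCP syntax. The interface names (eth0 public, eth1 internal) and the internal host address 192.168.1.10 are constructed placeholders. The functions only print the rules so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the mailing list thread or from Arno's firewall):
# the plain iptables rules behind "forward public 2201 to an internal sshd
# on 22, without opening 22 on the public side".
# Assumed interface names and addresses (constructed placeholders):
PUB_IF=eth0              # public-facing interface
INT_IF=eth1              # internal LAN interface
INT_HOST=192.168.1.10    # internal machine running sshd on port 22

# Print the rules that forward public TCP port $1 to $2:$3.
# Only nat/PREROUTING (address rewrite) and filter/FORWARD (permit the
# forwarded flow) are involved; nothing is added to filter/INPUT, which is
# the chain an "open port" rule on the firewall itself would live in.
port_forward_rules() {
  pub_port=$1; dst_ip=$2; dst_port=$3
  cat <<EOF
iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport $pub_port -j DNAT --to-destination $dst_ip:$dst_port
iptables -A FORWARD -i $PUB_IF -o $INT_IF -p tcp -d $dst_ip --dport $dst_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Rules for the firewall's own sshd: reachable from the LAN side only.
# (Assumes the INPUT policy is DROP; the explicit DROP on the public
# interface is there to make the intent visible and to log nothing extra.)
local_ssh_rules() {
  cat <<EOF
iptables -A INPUT -i $INT_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $PUB_IF -p tcp --dport 22 -j DROP
EOF
}

# Count how many generated forward rules mention a given chain name.
# Used to check the claim: PREROUTING and FORWARD appear, INPUT never does.
rules_in_chain() {
  port_forward_rules 2201 "$INT_HOST" 22 | grep -c " $1 " || true
}

# Usage (review the output first, then apply as root):
#   port_forward_rules 2201 "$INT_HOST" 22 | sh
#   local_ssh_rules | sh
```

When a forward like this does not work even though the rules look right, the usual suspects are ip_forward being disabled in the kernel (`/proc/sys/net/ipv4/ip_forward`), the internal host not routing its replies back through the firewall, or a FORWARD rule that is never reached; `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n` show per-rule packet counters and make it clear at which step the packets stop.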
