IP Service / Dst-Nat

Ok,

I don’t know whether this is possible…

I want to be able to SSH remotely into a MT (SSH Service, enabled), AND dst-nat to a remote server inside a DMZ…

Let’s say, a.a.a.a/b dst-nats to a.b.c.d, and 0.0.0.0/0 (or the rest) connects to SSH on the MT…

When the IP Service is enabled (à la SSH), the packets never make it to the dst-nat rules in the firewall…

Is this possible currently? We can’t assign an access list to the IP Services, so I can’t limit which connections the IP Service should / should not accept… ?


C

IMHO you cannot do that

but you can try :slight_smile:

Everything that goes to a.a.a.a/b in the input chain is accepted, and after that all packets that go to the router’s input chain are forwarded to the forward chain, and maybe then they will get to that NAT rule, but I doubt it. :unamused:

If you have time you can try; otherwise this is impossible. Just set the SSH port to 23 or something. :wink:

Can’t connect to a different port, as my place of work limits the outbound ports that you can connect to… Only 22 can go out without passing through ‘some’ proxy… So yeah.

Doubt it’s possible as well :frowning: Just thought I’d ask, perhaps someone had some bright idea of sorts…


C

How about this. Block incoming (input chain) port 22 from the IP a.a.a.a/b, followed by an allow for 0.0.0.0/0 to port 22, then add a dst-nat rule with src-address=a.a.a.a/b src-port=22 dst-nat=a.b.c.d dst-port=22? Seems like it would work this way?
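Added example (not from any post in this thread): the split described above written out as RouterOS CLI. It assumes a WAN interface named ether1, a trusted source range a.a.a.a/b, and a DMZ host a.b.c.d, all placeholders to be replaced. In RouterOS the dstnat chain is evaluated in prerouting, before the routing decision, so a connection that matches the dst-nat rule is routed to the forward chain and is never offered to the router's own SSH service; the port match is on dst-port, since the client's source port is ephemeral. The rules assume they are placed before any drop rule already present in the same chains.

```routeros
# Added example, not the thread's own config. Placeholders (assumptions):
#   ether1    = WAN interface
#   a.a.a.a/b = trusted source range that should reach the DMZ host
#   a.b.c.d   = SSH server inside the DMZ

# 1. dstnat is processed in prerouting, before the routing decision.
#    A packet matching here is translated and goes to the forward chain,
#    so it never reaches the router's SSH service in the input chain.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 \
    src-address=a.a.a.a/b action=dst-nat to-addresses=a.b.c.d to-ports=22 \
    comment="SSH from trusted range -> DMZ host"

# 2. Let the translated connection through the forward chain.
#    After dst-nat the destination address is already a.b.c.d.
/ip firewall filter
add chain=forward in-interface=ether1 protocol=tcp dst-address=a.b.c.d \
    dst-port=22 connection-nat-state=dstnat action=accept \
    comment="dst-natted SSH to DMZ host"

# 3. Anything else arriving on tcp/22 was not translated and is SSH to the
#    router itself; the input chain only ever sees this remainder.
add chain=input in-interface=ether1 protocol=tcp dst-port=22 action=accept \
    comment="SSH to the router itself"

# 4. Verify with counters: connect once from a.a.a.a/b and once from elsewhere
#    and confirm exactly one of the two matching rules increments each time.
/ip firewall nat print stats where comment~"DMZ"
/ip firewall filter print stats where chain=forward
/ip firewall filter print stats where chain=input
```

Because the dst-nat decision is taken before the input chain is consulted, a separate input-chain drop for a.a.a.a/b adds nothing to this setup: those packets are already on their way to the forward chain. If the dstnat counter stays at zero while connecting from the trusted range, check that no earlier dstnat rule matches the same traffic first, and that the source address seen by the router really is inside a.a.a.a/b (a corporate proxy or NAT on the client side changes it).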