I think I understand the difference between dst-nat and redirect: dst-nat forwards incoming requests to an external location, while redirect is a special case for the localhost. Assuming that’s the case, I again believe that if I want to expose a local service from the router on an alternate port, the correct method is via redirect.
Please correct me if the above is false. However, from there - what is the method I should use for specifically exposing the router’s ssh service via a non-standard port? The intent is to allow connection via public internet to the non-standard port. My concerns/questions - some of which are probably self-answering:
1. I assume the first step is a NAT rule, “/ip firewall nat add chain=dstnat action=redirect to-ports=22 protocol=tcp dst-port=2220”
2. Now what do I need to open in the filter? Port 2220, port 22, or both?
3. Does this mean the ssh service cannot be IP-limited? Sounds stupid as I type it, but if nothing else it spells out the obvious for the archives…
3a. Is it possible to define a second listener for an internal service, so port 22 has limited IPs while 2220 is open in the service definition?
1) Yes, but you also want to limit the destination address. The rule you posted would redirect all connections with destination port 2220 (even outgoing ones). It may not seem like a big deal, because you’re probably not connecting to this port very often, but it can happen. The simplest way is to add dst-address-type=local.
2) It’s 22 (where the service is listening), because filter happens after dstnat.
3) You can limit source in both dstnat and input rules (src-address, src-address-list).
3a) No, but if you choose to limit source in the dstnat rule, you’ll have what you need.
That…doesn’t make sense. It may be right - but it still doesn’t make sense.
Isn’t redirect by definition for a local destination only?
If I open port 22 in the filters - then port 22 is open to the internet which is exactly what I don’t want to happen. Hmm…would the better choice be to have the redirect not only specify the port but also either the localhost or internal LAN IP? Then the only opened port to the internet would be the example 2220.
3/3a - I understand the src-address options, and I’ll probably implement that at least on a country level. Thanks.
There are two things, conditions and action. Redirect is the action; I’m talking about conditions. Yours are only protocol=tcp and dst-port=2220. So if some device in the LAN tries to connect to :2220, will this rule match? The answer is yes, and you don’t want that. If you add dst-address-type=local as another condition, then this won’t match any longer, but connections from the internet to :2220 will.
That would be the case if you opened port 22 unconditionally, but you can accept only redirected packets:
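One way to put the two replies above (the dst-address-type=local condition and accepting only redirected packets) together as a complete RouterOS configuration, added here as an illustration and not taken from the thread. The WAN interface name `ether1`, the address list `ssh-allowed` and the `203.0.113.0/24` range are assumed placeholders, and `connection-nat-state=dstnat` is the filter matcher used to accept only packets that went through the redirect:

```routeros
# Added example (not from the thread): expose the router's own SSH service on
# public port 2220 while keeping port 22 closed to the internet.
# Assumptions (placeholders): WAN interface is "ether1", allowed sources are
# kept in address list "ssh-allowed".

# Rule as originally posted: matches ANY connection with dst-port 2220,
# including one a LAN host opens to some external host on port 2220.
# /ip firewall nat add chain=dstnat action=redirect to-ports=22 protocol=tcp dst-port=2220

# Corrected rule: only packets addressed to one of the router's own
# addresses are redirected, and only from listed sources.
/ip firewall nat add chain=dstnat action=redirect to-ports=22 protocol=tcp \
    dst-port=2220 dst-address-type=local src-address-list=ssh-allowed \
    comment="SSH on alternate port 2220"

# Filter runs after dstnat, so the packet now carries dst-port=22.
# Accept it only if it was dstnat'ed (i.e. it arrived on 2220); a direct
# port-22 connection from the WAN has no dstnat state and falls through.
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=22 \
    connection-nat-state=dstnat in-interface=ether1 \
    comment="SSH via redirected port only"

# SSH on port 22 stays reachable from everything that is not the WAN side.
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=22 \
    in-interface=!ether1 comment="SSH from LAN"

# Catch-all for the router itself; the accept rules above must precede it
# (use place-before= if a drop rule already exists in the input chain).
/ip firewall filter add chain=input action=drop in-interface=ether1 \
    log=yes log-prefix="input-drop" comment="drop everything else from WAN"

# Allowed source range (constructed example address, TEST-NET-3).
/ip firewall address-list add list=ssh-allowed address=203.0.113.0/24 \
    comment="example allowed range"
```

With this in place a scan of port 22 on the WAN address shows it filtered, while 2220 answers only for sources in the list, and the logged drops give a record of attempts against both ports.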