mjhjmtu

I am having a firewall with the IP of 10.0.0.2/24 which is the default gateway as well. I need to allow external networks to be able to SSH to the Server which its IP is 10.0.0.1/24. I have to use iptables and I need to set the permissions on the firewall. Can you please help me out?

You will need to ensure two rules exist on the firewall, assuming everything else is in place:

1. Forwarding rules: traffic must be allowed to be forwarded to 10.0.0.1 port 22 from the outside.


2. NAT rules: since you are working with an RFC 1918 private IPv4 network, you will need to change the destination address of packets that arrive at the firewall destined for port 22.

Again, I'm assuming that your firewall is set up to masquerade WAN-bound traffic, has IPv4 forwarding enabled, and will allow the return traffic to be forwarded.

To address the first part to ensure forwarding is allowed:

iptables -I FORWARD -d 10.0.0.1 --p TCP --dport 22 -j ACCEPT

This rule may be unnecessary if your FORWARD chain defaults to ACCEPT (usually the default).

Second, to perform destination address translation:

iptables -t nat -I PREROUTING -p tcp --dport 22 -j DNAT --to 10.0.0.1

In both examples, I've used -I to ensure the rules are inserted first in their respective chains; taking precedence over any existing rules. This may or may not be desirable.

You can make the rules more specific by adding interface names, but you did not specify any in the question.

Also note that these rules are not persistent; a system reboot will make them disappear.

By using the permissions below I was able to ssh externally to an internal network.

# nano /etc/sysctl.conf

net.ipv4.ip_forward = 1

# route add -net 10.0.0.0/24 dev ens33
# iptables -t nat -A POSTROUTING ! -d 10.0.0.0/24 -o ens33 -j SNAT --to-source 192.168.1.200
# iptables -A PREROUTING -t nat -i ens38 -p tcp --dport 22 -j DNAT --to 10.0.0.1
# iptables -A FORWARD -p tcp -d 10.0.0.1 --dport 22 -j ACCEPT