Hi Steve,

> A question that I've recently been mulling is how I can retain this
> invaluable capability to accept remote SSH connections on
> port 443 - but
> also run a standard HTTPS website without needing another public IP
> address. I fiddled with netcat and discovered that the two protocols
> (SSH and HTTPS) behave quite differently in spite of both being
>
>                     +-------+         +-----+---443-->[apache]
>           O---443-->|NAT-BOX|--1443-->|  ?  |
>                     +-------+         +-----+---22--->[sshd]
>

Maybe the 'Layer-7 Filter' [1] extension for netfilter/iptables can do the
recognition of the service (ssh/https) for you. In theory, then, just
two destination NAT (DNAT) rules in the PREROUTING NAT chain of iptables
might do all the work for you.


[1] http://l7-filter.sourceforge.net

Also, two example patterns that match the ssh and ssl services
can be found here: http://l7-filter.sourceforge.net/protocols

Regards,
Olaf Niermann

--
gentoo-user@g.o mailing list
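The recognition step discussed in this thread, as an added Python example that is not code from the l7-filter project or from either poster: it classifies the first bytes a client sends (SSH banner versus TLS or SSLv2 ClientHello) and maps the result to the backend ports in the diagram. The patterns are simplified restatements of the idea behind the l7-filter ssh/ssl definitions, not the project's actual regular expressions, and the sample byte strings are constructed, not captured traffic.

```python
import re
from typing import Optional

# Backend ports behind the NAT box, as drawn in the diagram above.
BACKENDS = {"ssh": 22, "ssl": 443}

# SSH identification string, RFC 4253 style: "SSH-2.0-..." or "SSH-1.99-...".
# Simplified restatement of the l7-filter ssh idea (assumption, not the real pattern).
SSH_BANNER = re.compile(rb"^SSH-[12]\.[0-9]", re.IGNORECASE)


def classify(first_bytes: bytes) -> Optional[str]:
    """Return 'ssh', 'ssl' or None from the first bytes a client sent."""
    if not first_bytes:
        return None
    if SSH_BANNER.match(first_bytes):
        return "ssh"
    # TLS record layer: content type 0x16 (handshake), version major 3,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "ssl"
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # then message type 0x01 and a version whose major byte is 3.
    if (len(first_bytes) >= 4 and first_bytes[0] & 0x80
            and first_bytes[2] == 0x01 and first_bytes[3] == 0x03):
        return "ssl"
    return None


def backend_port(first_bytes: Optional[bytes]) -> int:
    """Pick the DNAT target for one connection.

    None means the client sent nothing within a timeout; that is treated as
    SSH, because some SSH clients wait for the server banner before speaking.
    """
    if first_bytes is None:
        return BACKENDS["ssh"]
    proto = classify(first_bytes)
    if proto is None:
        raise ValueError("neither ssh nor ssl: refusing to forward")
    return BACKENDS[proto]


# Constructed sample "first bytes" for a quick self-check (not real captures).
SAMPLES = {
    "openssh client": b"SSH-2.0-OpenSSH_9.6\r\n",
    "tls client hello": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03\x03",
    "sslv2 client hello": b"\x80\x2e\x01\x03\x01",
    "silent client": None,
}


def route_samples() -> dict:
    """Map each sample to the backend port the demultiplexer would choose."""
    return {name: backend_port(data) for name, data in SAMPLES.items()}
```

Note that a DNAT decision in PREROUTING is taken on the first packet of a connection, which is the SYN and carries no payload, so a packet-level classifier has nothing to match at that point; a user-space demultiplexer that reads the client's first bytes, as sketched here, sidesteps that.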