
Andrew Worsley <amworsley@gmail.com> wrote:
iptables -t nat -I PREROUTING -p tcp --dport X -j DNAT --to-destination :22
iptables -t nat -I PREROUTING -p tcp --dport 22 -j DNAT --to-destination :X
where X is the new external "ssh" port. That way external ssh traffic is sent to port 22 internally, and external port 22 traffic is sent to the other port X, which can be dropped.
It seems a bit clunky (I was worried that it might lead to a loop initially) - is there a better way to do this?
An alternative would be to run two instances of sshd, bind one to the internal interface and the other to the external interface. This would involve changing startup scripts and having separate configurations - more administrative work and not necessarily a superior solution to your iptables approach.
Also is there a better site to external scan your machine than the "Shields Up" site? I've heard people complain about it - presumably it's marketing but it does appear to do a convenient job for quickly scanning your ports for free.
If you have access to an external Linux host with nmap installed, you can run it against your own machine.
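As an added example, written for this thread and not code from either poster, here is the DNAT port swap from the exchange above as a POSIX shell script. The two points it adds over the bare rules are a `-i` match on the external interface (without it, LAN clients connecting to port 22 would also be redirected to X and then dropped) and an explicit filter-table DROP for the redirected port 22 traffic. The interface name, the port number and the `--apply` flag are the script's own assumptions; by default it only prints the rules.

```shell
#!/bin/sh
# Added example for the thread above, not either poster's code.
# Emits the iptables rules that swap the external ssh port with an
# unused port, restricted to the external interface (EXT_IF and
# NEWPORT are placeholders supplied by the caller).

ssh_port_swap_rules() {
    ext_if=$1
    newport=$2
    # Refuse bad input rather than emitting rules that could lock you out.
    [ -n "$ext_if" ] || { echo "external interface required" >&2; return 1; }
    case $newport in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$newport" -lt 1024 ] || [ "$newport" -gt 65535 ] || [ "$newport" -eq 22 ]; then
        echo "port must be in 1024-65535 and not 22" >&2
        return 1
    fi

    # The nat PREROUTING chain is consulted once per new connection, so the
    # two DNATs cannot chase each other into a loop. The INPUT rule sees the
    # already-translated port: what arrived on external 22 is now NEWPORT,
    # where nothing listens, and is silently dropped.
    cat <<EOF
iptables -t nat -I PREROUTING -i $ext_if -p tcp --dport $newport -j DNAT --to-destination :22
iptables -t nat -I PREROUTING -i $ext_if -p tcp --dport 22 -j DNAT --to-destination :$newport
iptables -I INPUT -i $ext_if -p tcp --dport $newport -j DROP
EOF
}

# Dry run by default: ./ssh-port-swap.sh eth0 2222 just prints the rules.
# Only "--apply IFACE PORT" executes them (needs root).
if [ "$1" = "--apply" ]; then
    ssh_port_swap_rules "$2" "$3" | while IFS= read -r rule; do
        echo "+ $rule"
        eval "$rule"
    done
elif [ $# -eq 2 ]; then
    ssh_port_swap_rules "$1" "$2"
fi
```

Run the dry run first and read the three lines it prints; the interface name is the part most worth double-checking, since a typo there means the rules match nothing and port 22 stays exposed as before.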