Firewall multiple NAT ports

  • I've got an SSH server running on a LAN. Port 8090 is forwarded to port 22 so outside clients can connect. I've run into a client that connects from behind a very restrictive firewall that won't allow connections to port 8022 but does allow connections to port 22.

    I want to allow only that client IP to connect to port 22.

    The problem with this situation is that if I make a NAT forward (without an associated rule) for port 22 > port 22, the whole internet is allowed to connect to port 22, because the associated rule for the 8022 > 22 NAT rule accepts all connections to lan_ip:22.

    It seems like NAT is applied before the firewall kicks in. Isn't this a problem many people would run into?

    (I've already worked around it by making the SSH server listen on 8022 and 22 while making two NAT forwards for 8022 > 8022 and 22 > 22. But that's not the point.)
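The ordering the post describes is real on netfilter-based firewalls: destination NAT happens in PREROUTING, so by the time the FORWARD chain filters the packet its destination already reads lan_ip:22 whether it arrived on WAN port 8022 or WAN port 22, and a pass rule written against lan_ip:22 covers both forwards. The way to tell them apart in the filter stage is to match on what conntrack remembers as the original (pre-NAT) destination port, which iptables exposes as `-m conntrack --ctorigdstport N`. The following is an added illustration, not code from the original post or from any firewall product: a small Python model of that packet path with constructed addresses, showing the auto-generated "associated rule" accepting everyone on port 22 and a corrected rule that keys on the original port and the client's source address.

```python
"""Model of the netfilter packet path for two DNAT port forwards.

Added illustration, not a real firewall. It mimics the order the post
runs into: PREROUTING (DNAT) rewrites the destination *before* the
FORWARD chain filters, so a filter rule written against lan_ip:22
matches traffic that arrived on either forwarded WAN port. The fix is
to filter on the original destination port that conntrack remembers
(iptables: -m conntrack --ctorigdstport N), as forward_fixed() does.
"""
from dataclasses import dataclass, replace

# All addresses below are constructed for the example.
LAN_IP = "192.168.1.10"        # the SSH server behind the firewall
WAN_IP = "203.0.113.5"         # the firewall's public address
CLIENT_IP = "198.51.100.77"    # the one client that must be let in on :22
OTHER_IP = "192.0.2.200"       # anyone else on the internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    # conntrack's "original" tuple: how the packet looked on arrival
    orig_dst: str = ""
    orig_dport: int = 0


def prerouting_dnat(pkt: Packet) -> Packet:
    """DNAT both forwarded WAN ports to lan_ip:22, recording the pre-NAT tuple."""
    forwards = {8022: 22, 22: 22}   # WAN port -> LAN port
    if pkt.dst == WAN_IP and pkt.dport in forwards:
        return replace(pkt, dst=LAN_IP, dport=forwards[pkt.dport],
                       orig_dst=pkt.dst, orig_dport=pkt.dport)
    return pkt


def forward_leaky(pkt: Packet) -> bool:
    """The auto-generated 'associated rule': pass anything to lan_ip:22.

    Because it runs after DNAT it cannot see which WAN port was used, so
    adding a 22 -> 22 forward silently opens port 22 to the whole internet.
    """
    return pkt.dst == LAN_IP and pkt.dport == 22


def forward_fixed(pkt: Packet) -> bool:
    """Filter on the pre-NAT port conntrack remembers, not the rewritten one."""
    if pkt.dst != LAN_IP or pkt.dport != 22:
        return False
    if pkt.orig_dport == 8022:
        return True                    # the original forward stays open to all
    if pkt.orig_dport == 22:
        return pkt.src == CLIENT_IP    # the new forward: one source only
    return False


def traverse(pkt: Packet, forward_rule) -> bool:
    """Run a WAN-side packet through PREROUTING, then FORWARD; True if passed."""
    return forward_rule(prerouting_dnat(pkt))


if __name__ == "__main__":
    cases = [
        ("other host -> WAN:8022", Packet(OTHER_IP, WAN_IP, 8022)),
        ("other host -> WAN:22  ", Packet(OTHER_IP, WAN_IP, 22)),
        ("client     -> WAN:22  ", Packet(CLIENT_IP, WAN_IP, 22)),
    ]
    for label, pkt in cases:
        print(f"{label}  leaky={traverse(pkt, forward_leaky)!s:5}  "
              f"fixed={traverse(pkt, forward_fixed)}")
```

The equivalent in a real ruleset is two filter entries instead of one: one passing lan_ip:22 with `--ctorigdstport 8022` from any source, and one passing lan_ip:22 with `--ctorigdstport 22` only from the client's address. Without the original-port match there is no way for a post-NAT filter rule to distinguish the two forwards, which is why the workaround of listening on two different LAN ports also works: it moves the distinction into the post-NAT destination port.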

