Fork me on GitHub

Don't know why I need this in past, but this trick allow to use ssh (for example) from any interface looking to internet on non standard port 2211 (for example) to prevent unwanted bruteforce. Salt in this: no special options and access from any other vlans/tunnels on default port 22.

vlan2 - 5.1.1.100
vlan100 - 10.10.0.1
iptables -t filter -A INPUT -i vlan2 -d 10.10.0.1/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate DNAT -j ACCEPT
iptables -t filter -A INPUT -i vlan2 -p tcp -m tcp -m multiport --dports 22 -j DROP
iptables -t nat -A PREROUTING -i vlan2 -d 5.1.1.100/32 -p tcp -m tcp --dport 2211 -j DNAT --to-destination 10.10.0.1:22