I have a very basic "allow ssh" firewall rule and DNAT. When I remove a tcp wrapper / hosts.allow restriction on the host everything works fine. I can ssh to the host from the Internet. However, I ultimately want that tcp wrapper / hosts.allow definition in place, but it needs to be a fixed IP address. I was hoping to use the router address 192.168.1.1, but my basic DNAT definition is forwarding the SOURCE address (see log snippets below).
Is there a way to do this on the ERX v1.9? I'm pretty sure I've seen it on a Netscaler. I don't know the technical term for this but I'm thinking of something like a reverse masquerade. :-/
Nov 5 10:31:18 ubnt kernel: [NAT-1-DNAT] IN=eth0 OUT= MAC=80:2a:xx:5d:cb:b5:xx:22:bd:xx:e4:44:08:00 src=72.72.72.72 DST=75.75.75.75 LEN=64 TOS=0x00 PREC=0x00 TTL=53 ID=2486 DF PROTO=TCP SPT=58383 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 5 10:31:18 ubnt kernel: [WAN_IN-21-A] IN=eth0 OUT=switch0 MAC=80:2a:xx:5d:cb:b5:xx:22:bd:xx:e4:44:08:00 src=72.72.72.72 DST=192.168.1.5 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=2486 DF PROTO=TCP SPT=58383 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 5 02:30:56 192.168.1.5 sshd[1130]: refused connect from 72.72.72.72
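One way to get the "reverse masquerade" described above on EdgeOS is to keep the DNAT rule and add a source NAT rule on the LAN-facing interface that rewrites the source of the forwarded SSH traffic to the router's LAN address, so the tcp wrapper on the inside host only ever sees 192.168.1.1. This is an added example, not configuration from the original post; it assumes eth0 is the WAN interface, switch0 is the LAN interface, 192.168.1.1 is the router's LAN address and 192.168.1.5 is the SSH host (all taken from the log lines). The rule numbers 1 and 5000 are arbitrary choices (EdgeOS uses 1-4999 for destination NAT and 5000 and above for source NAT).

```edgeos
configure

# Existing-style DNAT: forward inbound tcp/22 on the WAN interface to the SSH host.
set service nat rule 1 description 'DNAT ssh to 192.168.1.5'
set service nat rule 1 type destination
set service nat rule 1 inbound-interface eth0
set service nat rule 1 protocol tcp
set service nat rule 1 destination port 22
set service nat rule 1 inside-address address 192.168.1.5
set service nat rule 1 log enable

# Added source NAT: only for traffic leaving towards 192.168.1.5:22 on the LAN
# interface, rewrite the source to the router's LAN address. Scoped this
# narrowly so ordinary LAN traffic is not masqueraded.
set service nat rule 5000 description 'SNAT forwarded ssh to router LAN address'
set service nat rule 5000 type source
set service nat rule 5000 outbound-interface switch0
set service nat rule 5000 protocol tcp
set service nat rule 5000 destination address 192.168.1.5
set service nat rule 5000 destination port 22
set service nat rule 5000 outside-address address 192.168.1.1

commit
save
exit

# On the SSH host (192.168.1.5), the tcp wrapper entry can then be the fixed
# router address instead of the changing Internet client address:
#   /etc/hosts.allow:  sshd: 192.168.1.1
#   /etc/hosts.deny:   sshd: ALL
```

After `commit`, every forwarded connection reaches sshd with src=192.168.1.1, so the hosts.allow line admits all of them; the real client address (72.72.72.72 in the log above) then survives only in the router's [NAT-1-DNAT] and [WAN_IN] log lines, so leave that logging enabled if you want to know who actually connected. If keeping the true client IP visible to sshd matters more than the hosts.allow restriction, the alternative is to restrict the allowed source addresses in the WAN_IN firewall rule on the router instead of adding the source NAT rule.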