# (iptables) Redirecting an external port on a router to itself

## luringen

I have a router using iptables, which I can configure permanently with persistent scripts. The thing is, on the router configuration page I can only enable SSH access from WAN, but I cannot set a different port for SSH on the WAN interface.

In the iptables flowchart (ftp://ftp.shorewall.net/pub/shorewall/misc/netfilterflow.pdf), it says that packets go through the PREROUTING chain before they reach the INPUT chain. Therefore doing:

```
iptables -t nat -I PREROUTING -i $wan -p tcp --dport 2222 -j REDIRECT --to-port 22
```

will just redirect them to port 22 before they reach the INPUT chain.

Then I would have to allow port 22 in the INPUT chain from WAN, and I'm back to square one.

So the problem is: how can I allow traffic which has been redirected in the PREROUTING chain, and only that traffic, to reach port 22?

Thanks in advance.

----------

## Hu

Have you looked at using the conntrack module's match option --ctorigdstport?

----------

## luringen

```
admin@RT-N66U-7040:/tmp/home/root# iptables -I INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctorigdstport XXXXX -j ACCEPT
iptables v1.3.8: Unknown arg `--ctorigdstport'
Try `iptables -h' or 'iptables --help' for more information.
admin@RT-N66U-7040:/tmp/home/root# uname -a
Linux RT-N66U-7040 2.6.22.19 #1 Sun Sep 14 17:57:35 EDT 2014 mips GNU/Linux
admin@RT-N66U-7040:/tmp/home/root#
```

Is it possible these are too old versions for it?

----------
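A worked version of what the question asks for and of Hu's --ctorigdstport suggestion, as an added example that is not code from anyone in the thread. It emits two rule sets: the conntrack-match form, and a packet-mark fallback for an iptables 1.3.x build like the one above that rejects `--ctorigdstport`. The WAN interface `eth0`, the external port 2222, the internal port 22 and the fwmark value 0x16 are placeholder assumptions; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): accept SSH on port 22 from WAN only
# for connections that arrived on the external port and were REDIRECTed in
# nat PREROUTING. Interface, ports and the fwmark value are illustrative
# assumptions; on Asuswrt-Merlin the chosen commands would go in the
# persistent firewall script.

# Approach 1: conntrack match (iptables 1.4.x and later). Conntrack records
# the connection's ORIGINAL destination port before REDIRECT rewrites it, so
# "--ctorigdstport EXT" is true only for redirected connections. A connection
# opened directly to port 22 has original dport 22 and hits the DROP instead.
ssh_redirect_rules_conntrack() {
    wan=$1; ext=$2; int=$3
    # -I puts the rules above the firmware's own WAN rules; the DROP is
    # inserted first so that the ACCEPT ends up above it.
    cat <<EOF
iptables -t nat -I PREROUTING -i $wan -p tcp --dport $ext -j REDIRECT --to-port $int
iptables -I INPUT -i $wan -p tcp --dport $int -j DROP
iptables -I INPUT -i $wan -p tcp --dport $int -m conntrack --ctorigdstport $ext -j ACCEPT
EOF
}

# Approach 2: packet mark, for builds whose conntrack match has no
# --ctorigdstport. mangle PREROUTING runs before NAT is applied to a packet,
# so every inbound packet of the connection still shows dport EXT there and
# gets marked; the mark stays on the packet on its way into INPUT. Packets
# sent directly to port 22 are never marked. Pick a mark value that nothing
# else on the router (QoS rules, for instance) already uses.
ssh_redirect_rules_mark() {
    wan=$1; ext=$2; int=$3; mark=$4
    cat <<EOF
iptables -t mangle -I PREROUTING -i $wan -p tcp --dport $ext -j MARK --set-mark $mark
iptables -t nat -I PREROUTING -i $wan -p tcp --dport $ext -j REDIRECT --to-port $int
iptables -I INPUT -i $wan -p tcp --dport $int -j DROP
iptables -I INPUT -i $wan -p tcp --dport $int -m mark --mark $mark -j ACCEPT
EOF
}

# Does the installed iptables know --ctorigdstport? The match's help text
# lists its options, so grep for the flag there. Returns 0 if supported.
supports_ctorigdstport() {
    command -v iptables >/dev/null 2>&1 || return 1
    iptables -m conntrack -h 2>&1 | grep -q -- '--ctorigdstport'
}

# Pick whichever approach this box supports and emit the commands.
ssh_redirect_rules() {
    if supports_ctorigdstport; then
        ssh_redirect_rules_conntrack "$1" "$2" "$3"
    else
        ssh_redirect_rules_mark "$1" "$2" "$3" "${4:-0x16}"
    fi
}

# Print the rules for the assumed values; pipe into sh as root to apply them.
ssh_redirect_rules eth0 2222 22
```

Both variants leave the firmware's own port-22 handling alone and only decide what INPUT sees: the ACCEPT fires solely for traffic that entered on port 2222, and the DROP directly below it catches anything that came to port 22 unredirected. `-m conntrack --ctstate DNAT` exists on older builds too, but it matches every DNATed connection rather than just this one port mapping, which is why the fallback uses a mark instead.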

## Hu

It is possible. That is a very old system. It will likely be very difficult to upgrade to current. Is it even Gentoo based?

----------

## luringen

It is not. It's Asuswrt-merlin, which is a modification of the original asuswrt firmware that is installed on Asus routers by default, but it is open source.

----------

