I spent a bit of time trying to get DNAT to work to an internal host, until I remembered about the syntax of the /etc/sshd_config file. So, instead of creating a new service on some arbitrary port, creating a rule to DNAT that bogus port to my SSH host on port 22, I just edit this file.
Basically, if you want to ssh into your internal interface, but no others, then this will work. Just edit the "ListenAddress" field within this file to match the IP on your internal interface. This causes SSHD to only respond to connection attempts on that IP address. So, now you can create a DNAT rule from External Interface TCP 22 -> Internal SSH Host TCP 22. You still need to have a packet filter rule to permit this same traffic.
In theory, this might make the SSHD process on the Astaro box more secure as it won't even listen to any other interfaces. That's not to say that you couldn't still create another set of rules to DNAT into that inside interface on the Astaro box, for external administration of Astaro. As always, don't forget the interfaces dialog under System...Settings as this will create the automatic packet filter rules.
Finally, I haven't tested that this configuration remains after an Up2Date, as my Astaro box is already current. There is always the possibility that the Developers could rewrite this file with any necessary Up2Dates.
Thanks to the developers for such a great product!!!
This thread was automatically locked due to age.
