IPTables Reroute SSH based on Connection string?
Posted by senrabdet on Server Fault
Published on 2012-11-03T13:52:52Z
We are using a cloud server (Debian Squeeze) where public ports on a public IP route traffic to internal servers. We are looking for a way to use IPTables and ssh where based on some part of the ssh connection string (or something along these lines) iptables will reroute the ssh connection to the "right" internal server. This would allow us to use one common public port, and then re-route ssh connections to individual servers.
So, for example we hope to do something like the following:
- user issues ssh connection (public key encryption) such as ssh -X -v -p xxx [email protected] but maybe adds something into the string for iptables to use
- iptables uses some part of that string or some means to re-route the connection to an internal server using something like

    iptables -t nat -A PREROUTING ! -s xxx.xxx.xxx.0/24 -m tcp -p tcp --dport $EXTPORT -j DNAT --to-destination $HOST:$INTPORT

  ...where $HOST is the internal ip of a server, $EXTPORT is the common public facing port and $INTPORT is the internal server port.
It appears that the "string" aspect of iptables does not do what we want.
We can currently route based on the IP table syntax we're using, but rely on having a separate public port for each server and are hoping to use one common public port and then re-route to specific internal servers based on some part of the ssh connection string or some other means.
Any suggestions? Thanks!
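One constraint worth knowing before choosing a design: in SSH the user name (and anything else in the connection string) is sent only after the encrypted transport has been negotiated, so a PREROUTING rule, string match included, never sees it; only the plaintext "SSH-2.0-..." version banner is visible on the wire. What the packet filter can key on is the destination port, which is the per-port DNAT mapping the question already uses. The script below is an added example, not from the question or from Server Fault: it generates that per-port rule set from a small host map as a dry run (it prints the iptables commands rather than executing them). The internal subnet 10.0.0.0/24, the hosts and the ports are constructed values.

```shell
#!/bin/sh
# Added example: generate per-port PREROUTING DNAT rules from a host map.
# Nothing here is executed against the kernel; the commands are printed so
# they can be reviewed (or piped to sh) by an administrator.

INTERNAL_NET="10.0.0.0/24"   # constructed: internal subnet exempted from DNAT

# dnat_rule EXTPORT HOST INTPORT
# Prints one rule in the same shape as the rule quoted in the question.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING ! -s %s -m tcp -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$INTERNAL_NET" "$1" "$2" "$3"
}

# Constructed host map, one line per internal server: "EXTPORT HOST INTPORT".
# Each server gets its own public port because the SSH user name is not
# visible to iptables (it travels inside the encrypted session).
HOST_MAP='2201 10.0.0.11 22
2202 10.0.0.12 22
2203 10.0.0.13 2222'

# gen_rules prints a DNAT rule for every non-empty line of HOST_MAP.
gen_rules() {
    printf '%s\n' "$HOST_MAP" | while read -r ext host int; do
        [ -n "$ext" ] || continue
        dnat_rule "$ext" "$host" "$int"
    done
}

# rule_count returns how many rules gen_rules produced (useful as a sanity
# check before applying a regenerated rule set).
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

# Stand-alone usage: print the rule set.
gen_rules
```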
© Server Fault or respective owner