Firewall Wizards mailing list archives
Re: iptables problem forwarding
From: Luca Berra <bluca () comedia it>
Date: Tue, 1 Apr 2003 08:23:43 +0200
On Sun, Mar 30, 2003 at 11:38:31AM -0500, Weazy wrote:
Hello folks. I have built an iptables firewall that I am mostly happy with. The main problem that still exists is that the firewall will not allow connections I do want to permit.
1. I want to allow ssh.
2. I want to forward port 3389 to an internal machine.
I posted my iptables here hoping someone can see the mistake. I have commented each line so you know what I am trying to do. I have the INPUT policy set as DROP. I have tried setting that to ACCEPT with no change in results. Thank you in advance.
The topology is not clear. Which are the IP addresses of your interfaces? OK, I can guess: eth0 is a private net and eth1 is an external IP (cable modem or similar). Is 192.168.0.4 routed from outside? I guess not. With "forward", do you mean doing port forwarding?
#allowing one service on this machine ssh
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
udp 22 ?????
#Allow inbound service
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.0.4 --destination-port 3389 -j ACCEPT
If you want to do port forwarding to an internal machine, use:
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.4
iptables -A INPUT -p tcp -j LOG -m limit --limit 500/hour --limit-burst 500 --log-prefix "MIRROR: "
iptables -A INPUT -p tcp -j MIRROR -m limit --limit 500/hour --limit-burst 500
why on earth might you be doing that?????
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x
Ouch, I thought eth1 was the external interface.
L.
--
Luca Berra -- bluca () comedia it
Communication Media & Services S.r.l.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
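The reply's DNAT suggestion only works together with a FORWARD rule in the right direction and a POSTROUTING rule on the right interface, which is where the quoted ruleset goes wrong. The script below, an added example that is not part of the thread, puts those pieces together for the two goals in the original post; the interface roles (eth1 external, eth0 internal) and the IPT, EXT_IF and INT_IF variables are assumptions.

```shell
#!/bin/sh
# Added example: minimal consistent ruleset for SSH to the firewall (from the
# LAN, as in the original post) plus forwarding of TCP 3389 to 192.168.0.4.
# Assumptions: EXT_IF is the cable-modem side, INT_IF the LAN side.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth1}"      # assumed external interface
INT_IF="${INT_IF:-eth0}"      # assumed internal LAN interface
RDP_HOST="192.168.0.4"        # internal host named in the original post

apply_rules() {
    # Clean slate in both tables, default-deny for traffic to and through the box.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Loopback, and replies to connections the firewall or the LAN started.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH to the firewall itself, from the LAN only. TCP only: there is no UDP/22.
    "$IPT" -A INPUT -i "$INT_IF" -p tcp --dport 22 -j ACCEPT

    # Port forwarding needs two pieces. First, rewrite the destination in
    # nat/PREROUTING for packets arriving on the external interface.
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 3389 \
        -j DNAT --to-destination "$RDP_HOST"
    # Second, let the rewritten packet through FORWARD. It enters on EXT_IF and
    # leaves on INT_IF, which is the opposite of the original FORWARD rule.
    "$IPT" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$RDP_HOST" \
        --dport 3389 -m state --state NEW -j ACCEPT

    # LAN to Internet: allow out, and masquerade on the EXTERNAL interface
    # (the original SNAT rule used -o eth0, the LAN side).
    "$IPT" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Apply only when explicitly asked: sh fw.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run with `IPT=echo sh fw.sh apply` first to review the exact rules before loading them.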