Firewall Wizards mailing list archives
RE: iptables problem forwarding
From: "Josh Welch" <jwelch () buffalowildwings com>
Date: Mon, 31 Mar 2003 17:23:20 -0600
I have built an iptables firewall that I am mostly happy with. The main problem that still exists is that the firewall will not allow connections I do want to permit:
1. I want to allow ssh.
2. I want to forward port 3389 to an internal machine.
<snip>
# setting up modules we need to support NAT and add protocols with unordinary behavior
# (one module per modprobe call; extra words on a modprobe line are taken as module parameters, not module names)
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_irc
# make sure packet forwarding is enabled by the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
# flushing existing tables
iptables --flush
iptables -t nat --flush
# enable connection tracking
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# allowing one service on this machine: ssh
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
# enable loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# accept established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow inbound service
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.0.4 --destination-port 3389 -j ACCEPT
This confuses me right here. Is 192.168.0.4 the actual IP machines are requesting? Or is there a public IP that you want forwarded to that address if they are trying to hit 3389? I'm kind of guessing the second one from the content of your message. If that is the case I think you would need to have something like this:

iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d YOUR.PUBLIC.I.P --destination-port 3389 -j ACCEPT

And then something like this in your NAT section:

-A PREROUTING -i eth0 -p tcp -m tcp -d YOUR.PUBLIC.I.P --dport 3389 -j DNAT --to-destination 192.168.0.4:3389

If I am making an incorrect assumption, you can feel free to tell me to blow it out my arse :)

Josh

<snip>

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
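As an added example that is not part of this thread: the 3389 forward written as a small sh function, with the DNAT and FORWARD rules in the order the kernel applies them. Because nat/PREROUTING rewrites the destination before the packet reaches the filter, the FORWARD rule matches the internal address (192.168.0.4, as in the original poster's rule) rather than the public one, and an optional source network limits who may reach the forwarded service. The interface names, 203.0.113.10, 198.51.100.0/24 and the run/port_forward helpers are constructed for this example; with DRY_RUN=1 the rules are printed instead of executed, so it runs without root.

```shell
#!/bin/sh
# Added example (not the thread's own code): DNAT + FORWARD pair for a port forward.
# Assumptions: eth0 = outside, eth1 = inside, 203.0.113.10 is a placeholder public IP.
# With DRY_RUN set, rules are printed instead of executed.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# port_forward EXT_IF INT_IF PUBLIC_IP INTERNAL_IP PORT [ALLOWED_SRC]
# ALLOWED_SRC (CIDR) limits who may reach the forwarded service; default: anyone.
port_forward() {
    ext_if=$1; int_if=$2; pub_ip=$3; int_ip=$4; port=$5; src=${6:-0.0.0.0/0}

    case $port in
        ''|*[!0-9]*) echo "port_forward: bad port '$port'" >&2; return 1 ;;
    esac

    # 1. Rewrite the destination on arrival (nat table, PREROUTING, before routing).
    run iptables -t nat -A PREROUTING -i "$ext_if" -p tcp -s "$src" \
        -d "$pub_ip" --dport "$port" -j DNAT --to-destination "$int_ip:$port"

    # 2. The filter sees the rewritten packet, so FORWARD matches the internal IP.
    run iptables -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -s "$src" \
        -d "$int_ip" --dport "$port" -m state --state NEW -j ACCEPT

    # 3. Replies and related traffic ride on connection tracking.
    run iptables -A FORWARD -i "$int_if" -o "$ext_if" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Demo: print the rules for RDP (3389) to 192.168.0.4, reachable only from one
# constructed management network. Unset DRY_RUN and run as root to apply them.
DRY_RUN=${DRY_RUN-1}
port_forward eth0 eth1 203.0.113.10 192.168.0.4 3389 198.51.100.0/24
```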