Port Forwarding on IPTABLES

Hi,
   I have a Linux router set up and I want to forward all requests on 3389 (terminal server) to an internal IP address.

This is what I have so far, but it doesn't work; I get "Client could not connect to the remote computer" when I try.
******************************************************************************

$IPTABLES -A INPUT -i $EXTIF -p tcp --sport 3389 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIF --dport 3389 -j DNAT --to 192.168.0.194:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT


******************************************************************************
$EXTIF = External Interface
$INTIF = Internal Interface (192.168.0.1)
Target computer for Terminal Server = 192.168.0.194

Can someone please tell me what I need to do to get this working?  

gcmachelAsked:
S0larCommented:
Other rules are OK. Seems it should work.
0
 
S0larCommented:
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 3389 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIF --dport 3389 -j DNAT --to-destination 192.168.0.194:3389
$IPTABLES -A FORWARD -p tcp -d 192.168.0.194 --dport 3389 -j ACCEPT

0
 
S0larCommented:
Little fix:
line no. 3 should read
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 3389 -j DNAT --to-destination 192.168.0.194:3389

Note $EXTIP - set this variable to the ip address assigned to the external interface.
0
gcmachelAuthor Commented:
I tried what you said and couldn't get it to work. I also tried a few things from some other people's suggestions. Here is what I currently have:

I tried this with and without the INPUT and OUTPUT chains. Do I need to forward from $EXTIF to $INTIF and then to 192.168.0.194?

Any ideas?

$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 3389 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF  --dport 3389 -j DNAT --to 192.168.0.194:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INTIF -s 192.168.0.194 -m state --state ESTABLISHED,RELATED -j ACCEPT
0
 
gcmachelAuthor Commented:
Thanks for all your help everyone, but I'm still not getting this. I worked on it all night. Here are my updates:
****************************************************************************
Rules:

$IPTABLES -A OUTPUT -p tcp --sport 3389 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 3389 -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -p tcp -s 192.168.0.194 --sport 3389 -j SNAT --to-source $EXTIP:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3389 -j DNAT --to 192.168.0.194:3389
****************************************************************************
[root@tankjr]# iptables -t nat -nv -L

Chain PREROUTING (policy ACCEPT 11575 packets, 9600K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:192.168.0.194:3389

Chain POSTROUTING (policy ACCEPT 35 packets, 2091 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      *       192.168.0.194        0.0.0.0/0           tcp spt:3389 to:24.23.4.208:3389
    5   352 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:24.23.4.208

Chain OUTPUT (policy ACCEPT 60 packets, 4287 bytes)
 pkts bytes target     prot opt in     out     source               destination

****************************************************************************
[root@tankjr]# iptables -nv -L

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  214 16757 ACCEPT     all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            24.23.4.208         state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            24.23.4.208         state NEW,RELATED,ESTABLISHED tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389
    9  2680 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.0.194       tcp dpt:3389
   95 96905 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   82  6813 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 6 packets, 1548 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth1    24.23.4.208          192.168.0.0/24
  193 33256 ACCEPT     all  --  *      eth1    192.168.0.0/24       192.168.0.0/24
    0     0 ACCEPT     all  --  *      eth0    24.23.4.208          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:3389
    0     0 ACCEPT     tcp  --  *      eth1    192.168.0.0/24       255.255.255.255     tcp spt:67 dpt:68
    0     0 ACCEPT     udp  --  *      eth1    192.168.0.0/24       255.255.255.255     udp spt:67 dpt:68
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain drop-and-log-it (3 references)
 pkts bytes target     prot opt in     out     source               destination
    9  2680 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6
    9  2680 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable


I am about to give up on this, ditch my Linux router and submit to Cisco; very frustrated. I do appreciate everyone trying to help though... Thanks!
0
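The counters in the dump above are the most useful diagnostic in this thread, so here is an added example (not from the thread or any of its posters) that parses `iptables -nv -L` output and lists the port-3389 rules that have never matched. The sample listing is a constructed excerpt of the poster's own nat dump; the function and variable names are mine. A DNAT rule still at 0 packets (unless the counters were zeroed since the attempt) means no new connection to 3389 ever arrived on eth0, so the problem sits upstream of the router and no FORWARD or INPUT rule will change it.

```python
import re

# Constructed sample: a trimmed copy of the poster's `iptables -t nat -nv -L` dump.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 11575 packets, 9600K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:192.168.0.194:3389

Chain POSTROUTING (policy ACCEPT 35 packets, 2091 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      *       192.168.0.194        0.0.0.0/0           tcp spt:3389 to:24.23.4.208:3389
    5   352 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:24.23.4.208
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# Columns: pkts bytes target prot opt in out source destination [match/target details]
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}

def to_int(count):
    """iptables -v abbreviates large counters as 12K / 3M; expand them to integers."""
    return int(count[:-1]) * SUFFIX[count[-1]] if count[-1] in SUFFIX else int(count)

def parse_rules(listing):
    """Return one dict per rule line, tagged with the chain it belongs to."""
    chain, rules = None, []
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and chain:
            pkts, _, target, proto, in_if, out_if, src, dst, extra = m.groups()
            rules.append({"chain": chain, "pkts": to_int(pkts), "target": target,
                          "proto": proto, "in": in_if, "out": out_if,
                          "src": src, "dst": dst, "extra": extra.strip()})
    return rules

def unmatched_port_rules(listing, port):
    """Rules that reference `port` yet have counted zero packets.  The nat table only
    sees the first packet of each connection, so a DNAT rule stuck at 0 means no new
    connection to that port ever arrived on the listed interface: the fault is
    upstream of iptables (ISP filtering, wrong public IP, client not reaching eth0)."""
    return [r for r in parse_rules(listing)
            if f":{port}" in r["extra"] and r["pkts"] == 0]
```

Run it against the filter-table dump as well: the ACCEPT rule for dpt:3389 in FORWARD is also at 0, which is consistent with the DNAT never firing rather than with a filtering problem.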
 
S0larCommented:
Remove this rule:
$IPTABLES -t nat -A POSTROUTING -p tcp -s 192.168.0.194 --sport 3389 -j SNAT --to-source $EXTIP:3389
0
 
gcmachelAuthor Commented:
I've had enough of this and I'm throwing in the towel. I need to hit the books and learn IPTables better before I lose any more sleep over this. Thanks for all your help.
0