Solved

Port Forwarding on IPTABLES

Posted on 2005-04-18
Last Modified: 2012-05-05
Hi,
   I have a Linux router setup and I want to forward all requests on 3389 (terminal server) to an internal IP address.  

This is what I have so far, but it doesn't work. I get the "Client could not connect to the remote computer" message when I try.  
******************************************************************************

$IPTABLES -A INPUT -i $EXTIF -p tcp --sport 3389 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIF --dport 3389 -j DNAT --to 192.168.0.194:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT


******************************************************************************
$EXTIF = External Interface
$INTIF = Internal Interface (192.168.0.1)
Target computer for Terminal Server = 192.168.0.194

Can someone please tell me what I need to do to get this working?  

Question by:gcmachel

7 Comments
 
LVL 6

Expert Comment

by:S0lar
ID: 13813480
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 3389 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIF --dport 3389 -j DNAT --to-destination 192.168.0.194:3389
$IPTABLES -A FORWARD -p tcp -d 192.168.0.194 --dport 3389 -j ACCEPT

 
LVL 6

Expert Comment

by:S0lar
ID: 13813489
Little fix: line no. 3 should read
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 3389 -j DNAT --to-destination 192.168.0.194:3389

Note $EXTIP - set this variable to the ip address assigned to the external interface.
 
LVL 4

Author Comment

by:gcmachel
ID: 13825319
I tried what you said and couldn't get it to work.  I also tried a few things from some other people's suggestions.  Here is what I currently have:  

I tried this with and without the INPUT and OUTPUT chains.  Do I need to forward from $EXTIF to $INTIF and then to 192.168.0.194?  

Any ideas?

$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 3389 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF  --dport 3389 -j DNAT --to 192.168.0.194:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INTIF -s 192.168.0.194 -m state --state ESTABLISHED,RELATED -j ACCEPT
LVL 4

Author Comment

by:gcmachel
ID: 13831460
Thanks for all your help everyone, but I'm still not getting this.   I worked on it all night.  Here are my updates:  
****************************************************************************
Rules:

$IPTABLES -A OUTPUT -p tcp --sport 3389 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 3389 -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -p tcp -s 192.168.0.194 --sport 3389 -j SNAT --to-source $EXTIP:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3389 -j DNAT --to 192.168.0.194:3389
****************************************************************************
[root@tankjr]# iptables -t nat -nv -L

Chain PREROUTING (policy ACCEPT 11575 packets, 9600K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:192.168.0.194:3389

Chain POSTROUTING (policy ACCEPT 35 packets, 2091 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      *       192.168.0.194        0.0.0.0/0           tcp spt:3389 to:24.23.4.208:3389
    5   352 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:24.23.4.208

Chain OUTPUT (policy ACCEPT 60 packets, 4287 bytes)
 pkts bytes target     prot opt in     out     source               destination

****************************************************************************
[root@tankjr]# iptables -nv -L

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  214 16757 ACCEPT     all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            24.23.4.208         state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            24.23.4.208         state NEW,RELATED,ESTABLISHED tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389
    9  2680 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.0.194       tcp dpt:3389
   95 96905 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   82  6813 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 6 packets, 1548 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth1    24.23.4.208          192.168.0.0/24
  193 33256 ACCEPT     all  --  *      eth1    192.168.0.0/24       192.168.0.0/24
    0     0 ACCEPT     all  --  *      eth0    24.23.4.208          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:3389
    0     0 ACCEPT     tcp  --  *      eth1    192.168.0.0/24       255.255.255.255     tcp spt:67 dpt:68
    0     0 ACCEPT     udp  --  *      eth1    192.168.0.0/24       255.255.255.255     udp spt:67 dpt:68
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain drop-and-log-it (3 references)
 pkts bytes target     prot opt in     out     source               destination
    9  2680 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6
    9  2680 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable


I am about to give up on this, ditch my Linux router and submit to Cisco; very frustrated.  I do appreciate everyone trying to help though ... Thanks!  
 
LVL 6

Expert Comment

by:S0lar
ID: 13831511
Remove this rule:
$IPTABLES -t nat -A POSTROUTING -p tcp -s 192.168.0.194 --sport 3389 -j SNAT --to-source $EXTIP:3389
 
LVL 6

Accepted Solution

by:
S0lar earned 2000 total points
ID: 13831517
Other rules are OK. Seems it should work.
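As an added example (not code from the thread or from either participant), this script puts the rule set the thread converged on into one place and adds the check the thread never got to: the author's own listing shows the PREROUTING DNAT rule with 0 packets, and the `forward_verdict` function flags exactly that condition from `iptables -t nat -nvL` output. The interface names, the `TS` variable and the sample listing are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder values: adjust to your router.
IPTABLES=${IPTABLES:-iptables}
EXTIF=${EXTIF:-eth0}          # external interface (assumed)
INTIF=${INTIF:-eth1}          # internal interface (assumed)
TS=${TS:-192.168.0.194}       # terminal server on the LAN (from the thread)

# The rules a DNAT port-forward needs on a router whose FORWARD policy is DROP.
# Forwarded packets never traverse INPUT or OUTPUT on the router, so INPUT/OUTPUT
# rules for 3389 are irrelevant here, and conntrack un-DNATs the replies itself,
# so no SNAT of the server's source port is needed (a --to-source $EXTIP:3389
# rule rewrites the reply port and breaks the session, as the thread concluded).
rdp_forward_rules() {
    cat <<EOF
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3389 -j DNAT --to-destination $TS:3389
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $TS --dport 3389 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Reads `iptables -t nat -nvL` output on stdin; argument is the internal host.
# Prints one of:
#   no-rule   no DNAT rule to <host>:3389 exists
#   no-hits   the rule exists but matched 0 packets since the rules were loaded,
#             i.e. no new 3389 connection reached the router: look upstream of
#             iptables (ISP filtering, modem, or testing from inside the LAN)
#   hits <n>  the rule matched n packets, so the DNAT side is working
forward_verdict() {
    awk -v to="to:$1:3389" '
        $3 == "DNAT" && $NF == to {
            found = 1
            if ($1 == 0) print "no-hits"; else print "hits", $1
            exit
        }
        END { if (!found) print "no-rule" }'
}

# Constructed sample, modelled on the PREROUTING listing posted in the thread.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 11575 packets, 9600K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:192.168.0.194:3389'

sample_verdict() { printf '%s\n' "$SAMPLE_NAT" | forward_verdict "$TS"; }

rdp_forward_rules                                   # review, then pipe to sh as root
echo "sample listing verdict: $(sample_verdict)"   # prints: no-hits
```

On a live router, replace the sample with `iptables -t nat -nvL | forward_verdict 192.168.0.194` after a connection attempt; a `hits` result with the session still failing points at the FORWARD chain counters instead.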
 
LVL 4

Author Comment

by:gcmachel
ID: 13831642
I've had enough of this and I'm throwing in the towel.  I need to hit the books and learn IPTables better before I lose any more sleep over this.  Thanks for all your help.  