Solved

IP forwarding using iptables

Posted on 2006-04-09
Last Modified: 2010-03-18
I am trying to find out how to use my Linux server as a proxy for VNC (or any app really) for the many workstations I have on my network.

My network is set up like this:

Internet
   |- ADSL_Router
      |- Linux
      |- Workstation A
      |- Workstation B
      |-   etc. etc....

I have only one NIC on my Linux server.

I can configure all the forwarding with my ADSL router, but this is a pain in the backside and means I have to use static/reserved IP addresses, which isn't ideal for me.

I run a script every 5 mins which updates my hosts file with all the NetBIOS names, so I can address machines by name.

I've looked hard at iptables, but it's so damn confusing I'm really stuck for ideas.

In plain English, what I want to be able to do is:

1.
Forward a range of ports from my ADSL router, to my Linux box (I can do this).

2.
For one port in this range on the Linux box, forward the packet to a different port on a specific workstation.  And another port to another specific workstation etc.

Any help would be greatly appreciated.

Many thanks,
Steve :)
Question by:sda100

Assisted Solution by guruyaya (ID: 16416853)
iptables -t nat -A PREROUTING -p tcp --dport (the port you want to forward) -j DNAT --to-destination (the other machine):(the other machine's port)

That's what you need to write. Now let us see what we are doing here:

iptables (I'm sure you got why this is here)
-t nat - That's the table with all the rules that have anything to do with NAT.
-A - add a rule to a chain called...
PREROUTING - That chain manipulates the packet before routing. Well, as you figured, you need to do that before it is decided where the packet is going. That's the place to do it.
--dport - the destination port of this packet
-j - that is, jump to this action
DNAT - Change the destination of this packet
--to-destination - well, what can I say about that?
--to-dport - or about that?

Accepted Solution by Blaz (ID: 16416950)
You have to have IP forwarding enabled (echo 1 > /proc/sys/net/ipv4/ip_forward; iptables -A FORWARD -j ACCEPT).


To enable port forwarding from <linux_server_IP>:<port_to_redirect> to <workstation_IP>:<workstation_port> you need to add two rules to iptables:

iptables -t nat -A PREROUTING -d <linux_server_IP> -p tcp --dport <port_to_redirect> -j DNAT --to-destination <workstation_IP>:<workstation_port>
iptables -t nat -A POSTROUTING -d <workstation_IP> -p tcp --dport <workstation_port> -j SNAT --to-source <linux_server_IP>

The second rule is important to ensure proper reverse routing and de-NATing of packets.

Author Comment by sda100 (ID: 16432368)
Thank you guruyaya and Blaz.

I used the information you gave me, but both instructions needed tweaking to get them to work.  What you gave me saved me loads of learning time - very explanatory.  For the record, here is my exact solution (192.168.0.199 is my adsl router):

iptables -A PREROUTING -t nat -p tcp --dport 8901 -j DNAT --to-destination 192.168.0.200:5900

iptables -A POSTROUTING -t nat -p tcp -d 192.168.0.200 --dport 5900 -j SNAT --to-source 192.168.0.199

Thank you once again,
Steve :)
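An added example, not code from any poster in this thread: a POSIX sh helper that generates the complete rule set for the single-NIC layout above (IP forwarding, DNAT, SNAT and a per-flow FORWARD rule) for several port mappings at once, and narrows the accepted answer's blanket `iptables -A FORWARD -j ACCEPT` to only the DNATed flows plus their return traffic. The Linux box's LAN address and the mapping list are assumed inputs; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the iptables commands for forwarding
# several ports from one Linux box to workstations on the same LAN.
# Arguments: $1 = Linux box LAN address (assumed), $2 = space-separated mappings of the
# form <linux_port>:<workstation_ip>:<workstation_port> (assumed input format).

gen_nat_rules() {
  linux_ip=$1
  mappings=$2
  # Without this the kernel silently drops packets it would otherwise forward.
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Default-deny forwarding; only the flows we explicitly DNAT are allowed through.
  echo "iptables -P FORWARD DROP"
  for m in $mappings; do
    lport=${m%%:*}
    rest=${m#*:}
    ws_ip=${rest%%:*}
    ws_port=${rest#*:}
    # DNAT in the nat table's PREROUTING chain; the target takes ip:port (there is no --to-ports for DNAT).
    echo "iptables -t nat -A PREROUTING -d $linux_ip -p tcp --dport $lport -j DNAT --to-destination $ws_ip:$ws_port"
    # SNAT forces the workstation's replies back through the Linux box so conntrack can un-NAT them.
    # Side effect: the workstation sees the Linux box, not the real client, as the source address.
    echo "iptables -t nat -A POSTROUTING -d $ws_ip -p tcp --dport $ws_port -j SNAT --to-source $linux_ip"
    # Permit only this DNATed flow in FORWARD instead of accepting everything.
    echo "iptables -A FORWARD -d $ws_ip -p tcp --dport $ws_port -m conntrack --ctstate DNAT -j ACCEPT"
  done
  # Return packets of flows conntrack already knows about.
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Usage (values from the thread, 192.168.0.201 is a constructed second workstation):
#   gen_nat_rules 192.168.0.199 "8901:192.168.0.200:5900 8902:192.168.0.201:5900"
# Review the output, then pipe it into sh as root to apply it.
```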