IPTables rules - Debian Port Forward for Remote Desktop

tom_szabo asked
Medium Priority
Last Modified: 2012-05-06
I need an example rule showing how to forward, say, port 3386 to the standard port 3389 on the local net.
I have this rule, but it doesn't seem to work for some reason. Is something missing?

-A PREROUTING -d 203.213.x.x -p tcp -m tcp --dport 3386 -j DNAT --to-destination
-A FORWARD -i eth0 -o eth1 -d -p tcp -m tcp --dport 3399 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

I basically want the RDP session coming in from outside on eth0 port 3386 to be relayed to a LAN IP on port 3389.

Try changing the first line to:

-A PREROUTING -d 203.213.x.x -p tcp -m tcp --dport 3386 -j DNAT --to-destination --to-ports 3389


Thanks for that, but it doesn't seem to be correct; I get an error message:

>Unknown arg '--to-ports'

This is a guide that I gave in the past to clone the traffic of a host to a different one.

Basically, it takes advantage of the TEE target (which you have to add with a patch to your existing iptables), which copies everything.

On source host:
iptables -t mangle -A PREROUTING -p udp --dport 9996 -j TEE --gateway <IP of HOST B>

On target host:
iptables -t nat -A PREROUTING -p udp -d <IP of HOST A> --dport 9996 -j DNAT --to-destination <IP of HOST B>:<Port>

Just had a double take of your original two lines.... not sure if it's a direct copy/paste from your script or not, but the dest port on both lines appears to be 3399 instead of 3389.


Well, the problem is with the fact that it doesn't like the "--to-ports 3389" part.
It appears to be a syntax issue; I can't even load the "active" definitions.
It turns out --to-ports is only valid when used with -j REDIRECT.... not -j DNAT as you are using (sorry - bad recall from memory there.)

Your original syntax does look correct - maybe just double check those dest ports are set correctly on both lines?

Well, is something possibly missing on this line?
-A FORWARD -i eth0 -o eth1 -d -p tcp -m tcp --dport 3399 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


Well, it was correct; I had the gateway mistyped. Thanks for the help.
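As an added example that is not part of the thread: a POSIX shell script that generates the DNAT and FORWARD rules for the forward discussed above (external port 3386 to LAN port 3389, with the port given after the colon in --to-destination, since --to-ports belongs to REDIRECT), plus a check that the FORWARD rule's destination and port agree with the DNAT target, which is the kind of mismatch (3399 vs 3389, a mistyped gateway) that cost this thread its time. The interface names, the 203.0.113.5 external address and the 192.168.1.10 LAN host are assumed placeholders.

```shell
#!/bin/sh
# Print the rules that forward TCP $3 arriving on $1/$2 to $5:$6 behind $4.
# Addresses used in the usage line below are assumed placeholders, not from the thread.
rdp_forward_rules() {
  ext_if=$1; ext_ip=$2; ext_port=$3; lan_if=$4; lan_ip=$5; int_port=$6
  # Forwarding must be on, or the FORWARD chain is never consulted.
  printf '%s\n' "sysctl -w net.ipv4.ip_forward=1"
  # DNAT rewrites the destination; the new port goes after the colon.
  # Add "-s <trusted/32>" here to limit who may reach the RDP host at all.
  printf '%s\n' "iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport $ext_port -j DNAT --to-destination $lan_ip:$int_port"
  # FORWARD runs after DNAT, so it must match the rewritten LAN address and port.
  printf '%s\n' "iptables -A FORWARD -i $ext_if -o $lan_if -d $lan_ip -p tcp --dport $int_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  # Return traffic for the same connection.
  printf '%s\n' "iptables -A FORWARD -i $lan_if -o $ext_if -s $lan_ip -p tcp --sport $int_port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Succeed only if the DNAT rule's target (IP:port) matches the FORWARD rule's -d and --dport.
rules_consistent() {
  dnat_rule=$1; fwd_rule=$2
  dnat_target=$(printf '%s\n' "$dnat_rule" | sed -n 's/.*--to-destination \([^ ][^ ]*\).*/\1/p')
  dnat_ip=${dnat_target%%:*}
  dnat_port=${dnat_target##*:}
  fwd_ip=$(printf '%s\n' "$fwd_rule" | sed -n 's/.*-d \([^ ][^ ]*\).*/\1/p')
  fwd_port=$(printf '%s\n' "$fwd_rule" | sed -n 's/.*--dport \([^ ][^ ]*\).*/\1/p')
  # An empty or port-less target (as in the thread's stripped rule) fails here.
  [ -n "$dnat_ip" ] && [ "$dnat_ip" != "$dnat_port" ] \
    && [ "$dnat_ip" = "$fwd_ip" ] && [ "$dnat_port" = "$fwd_port" ]
}

# Usage: print the rule set for the thread's scenario (placeholders, not real hosts).
rdp_forward_rules eth0 203.0.113.5 3386 eth1 192.168.1.10 3389
```

Pipe the output to sh only after reading it; the consistency check is meant to be run over rule lines pulled from your own script before loading them.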