IPTables rules - Debian Port Forward for Remote Desktop

Hi,
I need an example rule of how to forward, say, port 3386 to the standard port 3389 on the local net.
I have this rule, but it doesn't seem to work for some reason; is something missing?

-A PREROUTING -d 203.213.x.x -p tcp -m tcp --dport 3386 -j DNAT --to-destination 10.0.0.6:3399
-A FORWARD -i eth0 -o eth1 -d 10.0.0.6 -p tcp -m tcp --dport 3399 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

I basically want the RDP session coming in from outside on eth0 port 3386 to be relayed to LAN IP 10.0.0.6 on port 3389.

Asked by: tom_szabo
1 Solution
 
ACollyer commented:
Try changing the first line to:

-A PREROUTING -d 203.213.x.x -p tcp -m tcp --dport 3386 -j DNAT --to-destination 10.0.0.6 --to-ports 3389
 
tom_szabo (Author) commented:
Thanks for that, but it doesn't seem to be correct; I get an error message:

>Unknown arg '--to-ports'

 
ai_ja_nai commented:
This is a guide that I gave in the past to clone the traffic of a host to a different one:
http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/

Basically, it takes advantage of the TEE target (which you have to add with a patch on your existing iptables), which copies everything.

On source host:
iptables -t mangle -A PREROUTING -p udp --dport 9996 -j TEE --gateway <IP of HOST B>

On target host:
iptables -t nat -A PREROUTING -p udp -d <IP of HOST A> --dport 9996 -j DNAT --to-destination <IP of HOST B>:<Port>
 
ACollyer commented:
Just did a double take of your original two lines... Not sure if it's a direct copy/paste from your script or not, but the dest port on both lines appears to be 3399 instead of 3389.
 
tom_szabo (Author) commented:
Well, the problem is that it doesn't like the "--to-ports 3389" part.
It appears to be a syntax issue; I can't even load the "active" definitions.
 
ACollyer commented:
It turns out --to-ports is only valid when used with -j REDIRECT, not with -j DNAT as you are using (sorry, bad recall from memory there).

Your original syntax does look correct - maybe just double check those dest ports are set correctly on both lines?
 
tom_szabo (Author) commented:
Well, is something possibly missing on this line?
-A FORWARD -i eth0 -o eth1 -d 10.0.0.6 -p tcp -m tcp --dport 3399 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
 
tom_szabo (Author) commented:
Well, it was correct; I had the gateway mistyped. Thanks for the help.
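An added example, not from the thread or any of its posters: a POSIX shell script that prints the DNAT/FORWARD pair for relaying WAN port 3386 to 10.0.0.6:3389 and checks a pair of rules for the port mismatch ACollyer spotted (DNAT target port, FORWARD --dport and the real service port disagreeing). The interface names eth0/eth1 and the LAN host come from the question; the WAN address 203.0.113.10 is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the DNAT + FORWARD pair that relays
# TCP <WAN_IP>:<EXT_PORT> to <LAN_IP>:<INT_PORT> and checks such a pair for the
# kind of port mismatch discussed above. The rules are printed, not applied;
# run the printed commands as root on the firewall.
# Beyond the two rules, forwarding also needs net.ipv4.ip_forward=1 and the
# LAN host's default gateway pointing at the firewall's eth1 address (the
# thread's actual root cause was a mistyped gateway).

# Print the two iptables commands. Usage: gen_rules WAN_IP EXT_PORT LAN_IP INT_PORT
gen_rules() {
    wan_ip=$1; ext_port=$2; lan_ip=$3; int_port=$4
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i eth0 -d $wan_ip -p tcp -m tcp --dport $ext_port -j DNAT --to-destination $lan_ip:$int_port" \
      "iptables -A FORWARD -i eth0 -o eth1 -d $lan_ip -p tcp -m tcp --dport $int_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Port after --to-destination host:port in a DNAT rule (empty if none).
dnat_port() {
    printf '%s\n' "$1" | sed -n 's/.*--to-destination [^ ]*:\([0-9][0-9]*\).*/\1/p'
}

# Value of --dport in a rule (empty if none).
dport() {
    printf '%s\n' "$1" | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p'
}

# Return 0 when the DNAT target port and the FORWARD --dport both equal the
# service port; otherwise report the mismatch on stderr and return 1.
check_pair() {
    dnat_rule=$1; fwd_rule=$2; service_port=$3
    target=$(dnat_port "$dnat_rule"); fwd=$(dport "$fwd_rule")
    if [ "$target" = "$service_port" ] && [ "$fwd" = "$service_port" ]; then
        return 0
    fi
    echo "port mismatch: DNAT target=$target FORWARD dport=$fwd service=$service_port" >&2
    return 1
}

# Demo with a constructed WAN address (203.0.113.10 is documentation space).
gen_rules 203.0.113.10 3386 10.0.0.6 3389
```

Feeding the question's original two lines to check_pair with service port 3389 reports the 3399 mismatch; the generated pair passes.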