
IPtables firewall | RDP access

Posted on 2010-09-14
Last Modified: 2013-11-16
Hi All

I've got a question for all you iptables experts out there.
I currently have an Ubuntu 10.04 iptables firewall with NAT enabled. The server has approximately 8 internet IP addresses that I would like to map RDP sessions from to my internal network:
internet-IP-1 --> RDP --> internal-server-1
internet-IP-2 --> RDP --> internal-server-2
internet-IP-3 --> RDP --> internal-server-3
internet-IP-4 --> RDP --> internal-server-4
internet-IP-5 --> RDP --> internal-server-5

Would someone be able to give me the syntax that I would need to use, please?

Many thanks in advance
Question by:TazzEE
Expert Comment

by:Blaz
ID: 33669794
iptables -t nat -I PREROUTING -d <internet_IP_1> -m tcp -p tcp --dport <desired_internet_port> -j DNAT --to-destination <internal_IP_1>:3389
iptables -I FORWARD -d <internal_IP_1> -m tcp -p tcp --dport 3389 -j ACCEPT

You could also limit the allowed remote IP addresses in these rules.

Author Comment

by:TazzEE
ID: 33669837
Cool, I'll give that a try and get back to you. Thanks for the quick reply.

Accepted Solution

by:
Blaz earned 300 total points
ID: 33669860
Just noticed that the first statement is missing "-t nat", so:
iptables -t nat -I PREROUTING -d <internet_IP_1> -m tcp -p tcp --dport <desired_internet_port> -j DNAT --to-destination <internal_IP_1>:3389
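The accepted rule pair above covers one public address. Since the question asks for several public IPs each mapped to its own internal RDP host, here is an added example (not code from the thread or from Blaz) that generates the full rule set from a mapping list. It assumes eth0 is the internet side and eth1 the LAN side (as in the ifconfig output later in the thread), uses documentation addresses 203.0.113.x for the constructed public IPs, and exposes Blaz's suggestion of limiting remote source addresses as an optional CIDR argument. It prints the iptables commands rather than running them, so the output can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example: emit DNAT + FORWARD rule pairs for public-IP -> internal-RDP-host mappings.
# Assumptions (not from the thread): eth0 = internet, eth1 = LAN, RDP on TCP 3389.

WAN_IF=eth0
LAN_IF=eth1
RDP_PORT=3389

# Constructed sample mapping: "public_ip internal_ip" per line (documentation ranges, not real hosts).
MAPPINGS="203.0.113.10 172.29.4.100
203.0.113.11 172.29.4.101
203.0.113.12 172.29.4.102"

# rdp_rules PUBLIC_IP INTERNAL_IP [ALLOWED_SRC]
# Emits the nat PREROUTING DNAT rule and the matching filter FORWARD accept.
# ALLOWED_SRC (CIDR) restricts which clients may reach the forward; default is anyone,
# which for an internet-facing RDP port means constant password guessing, so set it.
rdp_rules() {
    pub=$1; int=$2; src=${3:-0.0.0.0/0}
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$src" "$pub" "$RDP_PORT" "$int" "$RDP_PORT"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$src" "$int" "$RDP_PORT"
}

# rdp_rules_all [ALLOWED_SRC]
# Return-path rule first (replies from the internal host back out to the client),
# then one DNAT/FORWARD pair per mapping line.
rdp_rules_all() {
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$LAN_IF" "$WAN_IF"
    printf '%s\n' "$MAPPINGS" | while read -r pub int; do
        if [ -n "$pub" ]; then
            rdp_rules "$pub" "$int" "$1"
        fi
    done
}

# count_rules [ALLOWED_SRC]: number of commands emitted (1 return rule + 2 per mapping).
count_rules() {
    rdp_rules_all "$@" | wc -l | tr -d ' '
}
```

Note the `-i eth0` on the DNAT rule: it keeps the redirect from catching traffic that originates on the LAN, which is also why a client on 172.29.4.x cannot test the forward by connecting to the public address (that needs a separate hairpin rule). Every public address used here must actually be configured on eth0, or upstream will never deliver the packets for the DNAT rule to see.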

Author Comment

by:TazzEE
ID: 33670409
Hi Blaz, that still doesn't work. I've removed all additional IPs from this server so that it now only has one, just to simplify things, but still no joy.
Any suggestions?

Expert Comment

by:Blaz
ID: 33670638
Maybe you could share with us what doesn't work. Did the console command return an error? What tests did you perform, etc.?

You could start with giving us your configuration - please post the outputs of commands:
iptables -L -nvx
iptables -t nat -L -nvx
ifconfig

Author Comment

by:TazzEE
ID: 33670947
Sorry, the RDP connection does not connect; all commands seem fine. I tried to connect to 109.231.73.70 via an RDP client on an XP PC.
 

root@ubuntu:~# iptables -L -nvx
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  eth1   *       172.29.0.0/24        0.0.0.0/0
       0        0 REJECT     all  --  eth0   *       172.29.0.0/24        0.0.0.0/0           reject-with icmp-port-unreachable
       0        0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            109.231.73.64/29
     203    19506 ACCEPT     all  --  eth0   *       0.0.0.0/0            109.231.73.64/29    ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            109.231.73.64/29    ctstate NEW,RELATED,ESTABLISHED tcp dpt:80
       0        0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            109.231.73.64/29    ctstate NEW,RELATED,ESTABLISHED tcp dpt:443
       2       96 ACCEPT     tcp  --  eth0   *       195.234.243.130      109.231.73.64/29    ctstate NEW,RELATED,ESTABLISHED tcp dpt:22
      67    10789 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.29.4.100        tcp dpt:3389
       0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID
       0        0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      eth1    109.231.73.64/29     172.29.0.0/24
       0        0 ACCEPT     all  --  *      eth1    172.29.4.2           172.29.0.0/24
       0        0 REJECT     all  --  *      eth0    0.0.0.0/0            172.29.0.0/24       reject-with icmp-port-unreachable
     205    29952 ACCEPT     all  --  *      eth0    109.231.73.64/29     0.0.0.0/0
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

root@ubuntu:~# iptables -t nat -L -nvx
Chain PREROUTING (policy ACCEPT 69 packets, 10885 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            109.231.73.70       tcp dpt:3389 to:172.29.4.100:3389

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      14      997 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 14 packets, 997 bytes)
    pkts      bytes target     prot opt in     out     source               destination

root@ubuntu:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:36:a6:d6
          inet addr:109.231.73.70  Bcast:109.231.73.71  Mask:255.255.255.248
          inet6 addr: fe80::216:3eff:fe36:a6d6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9320 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9088 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:785190 (785.1 KB)  TX bytes:4222437 (4.2 MB)
          Interrupt:32 Base address:0x8000

eth1      Link encap:Ethernet  HWaddr 00:16:3e:57:60:8a
          inet addr:172.29.4.2  Bcast:172.29.4.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe57:608a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:111 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34249 (34.2 KB)  TX bytes:7386 (7.3 KB)
          Interrupt:36 Base address:0xc100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:51333 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51333 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5749272 (5.7 MB)  TX bytes:5749272 (5.7 MB)


Expert Comment

by:Blaz
ID: 33671134
It seems that your previous "primary" external IP was x.x.x.64. You have several rules written for that IP, so it might be a good idea to leave that IP in... But this has nothing to do with your problem.

To me it seems that the proper DNAT rule is in place:
      0        0 DNAT       tcp  --  *      *       0.0.0.0/0            109.231.73.70       tcp dpt:3389 to:172.29.4.100:3389

What is strange is that the packet count is 0 for this rule. That means that no packet matching the rule came to the machine.

Oh, this just came to me: where did you test the RDP connection from? From a machine inside the network (172.29.4.x)? You should be somewhere on the internet to test this. Maybe (for testing purposes) you could also change the rule to:

iptables -t nat -I PREROUTING -m tcp -p tcp --dport <desired_internet_port> -j DNAT --to-destination <internal_IP_1>:3389

This means the redirection will cover any IP, even an internal one (172.29.4.2).

Author Comment

by:TazzEE
ID: 33671466
I was testing from an external PC out on the internet. Is there any way I can turn up the logging for this so it can give me some more details as to why it is being blocked?

Expert Comment

by:Blaz
ID: 33671586
Logging is usually done with iptables rules themselves:
iptables -t nat -I PREROUTING -m tcp -p tcp --dport 3389 -j LOG --log-prefix "PreroutingLog: "

Then in /var/log/messages you receive an entry for every packet. A good log is also the packet/byte counters output by the command "iptables -t nat -L -nvx". If you can't get the packet at the PREROUTING chain, there is a good chance that the packet never got to the machine.

Is there any firewall in the path? Does your internet provider allow connections on port 3389? What if you try to change to another port, like 43389? Does a connection to your web server work from outside?
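A LOG rule in nat PREROUTING fires before the DNAT rewrite, so its entries still carry the public address in DST; a second LOG rule inserted at the top of the filter FORWARD chain (for example `iptables -I FORWARD -p tcp --dport 3389 -j LOG --log-prefix "FwdLog: "`) sees the packet after rewriting, with DST already set to the internal host. Comparing the two tells you whether the SYN made it through the NAT step into forwarding. The following is an added example, not code from the thread, that parses such log lines; the sample entries are constructed (documentation addresses 198.51.100.7, 192.0.2.55 and 203.0.113.10, prefixes "PreroutingLog: " and "FwdLog: "), and on Ubuntu 10.04 the real lines would be read from /var/log/messages or /var/log/kern.log.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output for a forwarded RDP port.
# Works on the kernel's "KEY=value" log format; the sample below is constructed, not captured.

LOGLINES='Sep 14 13:02:11 ubuntu kernel: [ 9120.441210] PreroutingLog: IN=eth0 OUT= MAC=00:16:3e:36:a6:d6:00:30:48:9a:2c:11:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=30542 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 14 13:02:11 ubuntu kernel: [ 9120.442005] FwdLog: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=172.29.4.100 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30542 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 14 13:02:14 ubuntu kernel: [ 9123.440880] PreroutingLog: IN=eth0 OUT= MAC=00:16:3e:36:a6:d6:00:30:48:9a:2c:11:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=30543 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 14 13:05:40 ubuntu kernel: [ 9329.118332] PreroutingLog: IN=eth0 OUT= MAC=00:16:3e:36:a6:d6:00:30:48:9a:2c:11:08:00 SRC=192.0.2.55 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40110 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 14 13:05:41 ubuntu kernel: [ 9330.002117] PreroutingLog: IN=eth0 OUT= MAC=00:16:3e:36:a6:d6:00:30:48:9a:2c:11:08:00 SRC=192.0.2.55 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40111 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# log_tuples PREFIX: for each line carrying PREFIX, print "SRC DST DPT".
log_tuples() {
    printf '%s\n' "$LOGLINES" | awk -v p="$1" '
        index($0, p) {
            src = dst = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            print src, dst, dpt
        }'
}

# prerouting_clients: distinct sources that sent a 3389 packet seen at PREROUTING (pre-DNAT).
prerouting_clients() {
    log_tuples "PreroutingLog:" | awk '$3 == "3389" { print $1 }' | sort -u
}

# syn_count SRC: how many 3389 packets a given source produced at PREROUTING.
# Retransmits from one client are normal; hundreds of distinct sources are the
# brute-forcers an internet-facing RDP port attracts, which is why limiting -s matters.
syn_count() {
    log_tuples "PreroutingLog:" | awk -v s="$1" '$1 == s && $3 == "3389" { c++ } END { print c + 0 }'
}

# reached_forward SRC: exit 0 if the source also shows up in the FORWARD log on 3389.
# Present at PREROUTING but absent here means the drop happens between NAT and
# FORWARD (routing, FORWARD policy, interface mismatch), not upstream of the box.
reached_forward() {
    log_tuples "FwdLog:" | awk -v s="$1" '$1 == s && $3 == "3389" { f = 1 } END { exit !f }'
}
```

In the constructed sample, 198.51.100.7 appears in both logs (its DST flips from the public to the internal address, proving the DNAT happened), while 192.0.2.55 is only ever seen at PREROUTING, which is exactly the pattern to look for when the FORWARD counters stay at zero.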

Author Comment

by:TazzEE
ID: 33672652
I've tried using a different port with no luck, and I tried to NAT web traffic through to another server with no luck. I'm now seeing some traffic hitting the rules using the command you sent me, but I'm still being blocked somewhere along the line.
root@ubuntu:~# iptables -t nat -L -nvx
Chain PREROUTING (policy ACCEPT 2 packets, 289 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1       48 DNAT       tcp  --  *      *       0.0.0.0/0            109.231.73.64/29    tcp dpt:3389 ctstate NEW,RELATED,ESTABLISHED to:172.29.4.100:3389
       3      144 DNAT       tcp  --  *      *       0.0.0.0/0            109.231.73.64/29    tcp dpt:80 ctstate NEW,RELATED,ESTABLISHED to:172.29.4.86:80

Chain POSTROUTING (policy ACCEPT 1 packets, 48 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      30     2120 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 29 packets, 2060 bytes)
    pkts      bytes target     prot opt in     out     source               destination


Expert Comment

by:Blaz
ID: 33672730
Great. If you see the packet count increasing on the NAT rules, then some traffic is coming to your machine. You can also insert a LOG rule that will log the packet to /var/log/messages (so you can inspect the source IP etc. as well).

Now the next question is what is happening in the FORWARD chain - is any traffic hitting the rule in FORWARD chain?
iptables -L FORWARD -nvx

If not then you must search for reasons for that - wrong interfaces specified etc.

If the FORWARD rule has nonzero packet count then the problem might be the reverse traffic - from your (internal) server to the client (on the internet).

Is this machine 172.29.4.2 your only firewall (and default gateway on all internal machines)? Does web access work from internal network through this machine? What is the output of command:
cat /proc/sys/net/ipv4/ip_forward
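The method in the comment above is to take a counter snapshot, make one test connection, take another snapshot and see which FORWARD rule (if any) absorbed the packets. As an added example (not the thread's own code) here is that comparison scripted: it parses two captures in the exact `iptables -L FORWARD -nvx` layout shown in this thread, reports every rule whose packet counter moved, and classifies the outcome the way Blaz reasons about it. The two "after" snapshots are constructed; the "before" one is the poster's all-zero table.

```shell
#!/bin/sh
# Added example: diff two "iptables -L FORWARD -nvx" snapshots taken around one test connection.
# Rule order must be identical in both snapshots (no rules inserted in between).

BEFORE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 ctstate NEW,RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable'

# Constructed: the 3389 rule accepted 5 packets; 3 unrelated packets hit the final REJECT.
AFTER='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       5      240 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 ctstate NEW,RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       3      180 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable'

# Constructed: the 3389 rule never matched (e.g. wrong -i/-o), so the SYNs fell through to REJECT.
AFTER_REJECTED='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 ctstate NEW,RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       4      192 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable'

# policy_pkts SNAPSHOT: packets that fell through to the chain policy (field 5 of the header line).
# Non-zero here with a DROP policy means silent drops that no rule accounts for.
policy_pkts() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $5 }'
}

# counter_delta BEFORE AFTER: one line per rule whose counter moved:
# "<rule#> <delta> <target> <in> <out> <match text>"  (columns 1-9 are the fixed iptables layout)
counter_delta() {
    b=$(printf '%s\n' "$1" | awk 'NR > 2 { print $1 }')
    printf '%s\n' "$2" | awk -v before="$b" '
        BEGIN { split(before, bp, "\n") }
        NR > 2 {
            d = $1 - bp[NR - 2]
            if (d > 0) {
                mt = ""
                for (i = 10; i <= NF; i++) mt = mt (i > 10 ? " " : "") $i
                print NR - 2, d, $3, $6, $7, mt
            }
        }'
}

# diagnose BEFORE AFTER: "accepted" if the 3389 ACCEPT moved (DNAT worked, next suspect is the
# return path), "rejected" if only the final REJECT moved (FORWARD refused it: check -i/-o),
# "not-forwarded" if nothing moved (packets never reached FORWARD: check PREROUTING and upstream).
diagnose() {
    deltas=$(counter_delta "$1" "$2")
    if printf '%s\n' "$deltas" | grep -q ' ACCEPT .*dpt:3389'; then
        echo accepted
    elif printf '%s\n' "$deltas" | grep -q ' REJECT '; then
        echo rejected
    else
        echo not-forwarded
    fi
}
```

Taking the "before" snapshot immediately before the single test connection matters: on a live gateway the final REJECT counter moves all the time from unrelated scans, which is why the script keys its "accepted" verdict on the port-specific rule rather than on any counter having changed.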

Author Comment

by:TazzEE
ID: 33673031
OK, the FORWARD rule seems to be working fine. Yes, all my internal servers are using this box as their gateway. I can ping an external DNS server and I can surf the web with no problems. I've also RDP'd out from the server to another server on the web with no problems.
root@ubuntu:~# cat /proc/sys/net/ipv4/ip_forward
1

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       5      240 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 ctstate NEW,RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable


Author Comment

by:TazzEE
ID: 33673310
OK, I got the website to work (a typo on my side) but the RDP is still no joy :(

Author Comment

by:TazzEE
ID: 33674008

OK, this is very strange. I've added my 2nd IP to my server and, guess what, I edited my rules to reflect my second IP and RDP started to work.
Blaz, many, many thanks for your help and patience with this.

Expert Comment

by:Blaz
ID: 33679581
Great that you got it working.