Linux - Networking (LinuxQuestions.org)
Hello all. I want to use iptables on my server to forward VNC connections based on the connecting port, such that connecting on port 5900 goes to machine 1, 5901 to machine 2, etc. Here is a brief description of my home network:
Code:
Internet
   |
Linksys Router
   |
   ------------------------------------------------------------------- ... (more machines)
   |                  |                  |                  |
Linux Server       Windows box 1      Windows box 2      Linux workstation 1
with iptables      VNC listen         VNC listen         VNC listen
(DMZ)              port 5900          port 5900          port 5900
My internal network uses a typical class C private addressing scheme.
After reading up a bit, I tried changing my iptables rules to forward the ports, but I really didn't get any results. The thing I'm having trouble with is that all the instructions I found refer to the machine running iptables being the internet gateway for the network, with two ethernet interfaces. However, on my network, it is just another host with only one interface, but it is the DMZ host from the router, so it will get all the internet traffic. What I want to do is grab incoming connections on several different ports, and forward them to different IPs on port 5900, so that I don't have to change the listening ports on the individual machines, and create separate forwarding rules from the router.
For example:
In on eth0 port 5900 --> out on eth0 to Windows box 1 on port 5900
In on eth0 port 5901 --> out on eth0 to Windows box 2 on port 5900
In on eth0 port 5902 --> out on eth0 to Linux workstation 1 on port 5900
I currently have no iptables rules, because I'm not using it to protect my network at all; that's done already at the router. The only purpose iptables will serve is to forward those ports to the correct machines.
Why do you need the Linux box with iptables? The Linksys router can do it for you. Just map a virtual server on port 5900 to XP box 1, port 5900; 5901 to XP 2, port 5900; and finally 5902 to Linux WS 1, port 5900.
As you don't have your DMZ acting as a gateway for the rest of your boxes, you don't have to worry; the only thing you need to do is to place one more rule for POSTROUTING as well. That's it!
Here's your way out.
We initially assume that you have 3 packets,
from internet clients heading towards your DMZ box:
Source/Destination:port
1. C1/DMZ:5900
2. C2/DMZ:5901
3. C3/DMZ:5902
Now please get one more thing clarified on your part: as you only have one ethernet interface, and that is also part of your LAN (further on in this reply I won't use DMZ in the sense of a DMZ, only as a reference to that box), I believe that all of the packets (internet traffic) which are being routed to you still have their source IPs (the real/public IPs). Though I am a little confused about the job your Linksys router is doing, I am trying to clarify the basics for you.
Prior to these rules: Packet state: Source/destination IP = C1/DMZ
# iptables -t nat -A PREROUTING -p tcp --dport 5900 -d DMZ -j DNAT --to-destination windows-box:5900
# iptables -t nat -A POSTROUTING -p tcp -d windows-box -j SNAT --to-source DMZ-ip
After these rules: Packet state: Source/destination IP = DMZ/WinBOX
Further, we have to write these rules in the same way for the rest of the packets as well.
Though be a little cautious: only the initial --dport will change for the remaining two rule pairs, but the last port will always remain at 5900.
I also expect that packet forwarding is ON at the kernel level.
My router doesn't have the option to change what port it's on. I can forward ports, but not to different ports. I would have to listen on different ports on each machine, and have several different entries in my list, which is very limited to only about 10 entries.
My router functions as the internet gateway, the wireless access point (and associated bridging/routing between LAN and WLAN), DHCP server for DHCP clients, local DNS cache (my ISP isn't all that reliable), internet bandwidth throttling, and basic firewalling for the rest of the network. The server is a DMZ because it runs several things that need access from the internet, including FTP, SSH, and HTTP. Since my router is very limited in the number of forwardings I can do, I just set that machine as the DMZ. It runs Trustix Secure Linux, and I am absolutely sure no services are running that I don't want running, and I have all logins secured (block root, all users have good passwords, correctly configured sudoers file, etc.). This also isn't a mission-critical operation, so if my server does get compromised, it's not a big deal. I watch my logs, and the most I get is typical dictionary bots attempting to log in with 'root', 'Administrator', and 'Administrateur'.
As for kernel-level packet forwarding, I don't know if it's on or not. How would I check and turn it on?
Last edited by cs.cracker; 09-02-2006 at 11:28 AM.
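The DNAT/SNAT rule pairs from the reply above, together with the check for the kernel forwarding switch asked about here, as an added example that is not from the thread. It assumes the DMZ host and VNC targets sit at constructed RFC 5737 documentation addresses on eth0; by default it only prints the rules, and applies them only when run as root with VNC_APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the PREROUTING DNAT /
# POSTROUTING SNAT pairs for a single-NIC DMZ host that redirects
# external ports 5900-5902 to three VNC targets still listening on 5900.
# All addresses are assumptions (RFC 5737 ranges), replace them with yours.

DMZ_IP=192.0.2.10                                      # the iptables box
MAP="5900:192.0.2.11 5901:192.0.2.12 5902:192.0.2.13"  # ext port:VNC host
VNC_PORT=5900                                          # targets keep 5900

# Emit the two rules for one mapping. The DNAT rewrites the destination;
# the SNAT rewrites the source so the target answers the DMZ box, which
# can reverse the DNAT, instead of answering the client directly over a
# path where no connection state exists for that reply.
vnc_rules() {
    port=$1; target=$2
    printf 'iptables -t nat -A PREROUTING -i eth0 -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$DMZ_IP" "$port" "$target" "$VNC_PORT"
    printf 'iptables -t nat -A POSTROUTING -o eth0 -p tcp -d %s --dport %s -j SNAT --to-source %s\n' \
        "$target" "$VNC_PORT" "$DMZ_IP"
}

# Whole rule set: only the external --dport changes per pair, the target
# port stays 5900 (the point the reply warns about).
vnc_ruleset() {
    for m in $MAP; do
        vnc_rules "${m%%:*}" "${m#*:}"
    done
}

# Read the kernel forwarding switch (1 = on, 0 = off). The path is a
# parameter so the check can be exercised against a copy of the file.
ip_forward_state() {
    cat "${1:-/proc/sys/net/ipv4/ip_forward}"
}

if [ "${VNC_APPLY:-0}" = 1 ]; then
    # Without this the DNATed packets are dropped instead of forwarded.
    [ "$(ip_forward_state)" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    vnc_ruleset | sh
    iptables -t nat -L -n -v      # verify the rules and their packet counters
else
    vnc_ruleset                   # dry run: print the rules instead of applying
fi
```

To keep forwarding across reboots, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or run sysctl -w net.ipv4.ip_forward=1) rather than relying on the echo above.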
Thanks for all your help! It works just the way I want it now. Kernel IP forwarding was 0, so that was probably why my first attempts didn't do anything.