Old 09-01-2006, 11:46 PM   #1
cs.cracker
LQ Newbie
 
Registered: Mar 2005
Distribution: Gentoo
Posts: 22

Rep: Reputation: 15
iptables and port forwarding


Hello all. I want to use iptables on my server to forward VNC connections based on the connecting port, such that connecting on port 5900 goes to machine 1, 5901 to machine 2, etc. Here is a brief description of my home network:
Code:
              Internet
                  |
            Linksys Router
                  |
      ------------------------------------------------------------------- ... (more machines)
      |                  |               |                  |
 Linux Server       Windows box 1   Windows box 2   Linux workstation 1
 with iptables       VNC listen      VNC listen        VNC listen
    (DMZ)            port 5900       port 5900         port 5900
My internal network uses a typical class C private addressing scheme.

After reading up a bit, I tried changing my iptables rules to forward the ports, but I really didn't get any results. The thing I'm having trouble with is that all the instructions I found refer to the machine running iptables being the internet gateway for the network, with two ethernet interfaces. However, on my network, it is just another host with only one interface, but it is the DMZ host from the router, so it will get all the internet traffic. What I want to do is grab incoming connections on several different ports, and forward them to different IPs on port 5900, so that I don't have to change the listening ports on the individual machines, and create separate forwarding rules from the router.

For example:
In on eth0 port 5900 --> out on eth0 to Windows box 1 on port 5900
In on eth0 port 5901 --> out on eth0 to Windows box 2 on port 5900
In on eth0 port 5902 --> out on eth0 to Linux workstation 1 on port 5900

I currently have no iptables rules, because I'm not using it to protect my network at all, that's done already at the router. The only purpose iptables will serve is to forward those ports to the correct machines.
 
Old 09-02-2006, 01:33 AM   #2
nuxrl
Member
 
Registered: Jun 2006
Location: NY, USA
Distribution: Slackware, Arch
Posts: 176

Rep: Reputation: 35
Why do you need the Linux box with iptables? The linksys router can do it for you. Just map virtual server on port 5900 to xp box 1, port 5900; 5901 to xp 2, port 5900 and finally 5902 to linux ws 1, port 5900.
 
Old 09-02-2006, 07:27 AM   #3
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Quote:
Originally Posted by cs.cracker
The thing I'm having trouble with is that all the instructions I found refer to the machine running iptables being the internet gateway for the network, with two ethernet interfaces. However, on my network, it is just another host with only one interface, but it is the DMZ host from the router, so it will get all the internet traffic. What I want to do is grab incoming connections on several different ports, and forward them to different IPs on port 5900, so that I don't have to change the listening ports on the individual machines, and create separate forwarding rules from the router.

For example:
In on eth0 port 5900 --> out on eth0 to Windows box 1 on port 5900
In on eth0 port 5901 --> out on eth0 to Windows box 2 on port 5900
In on eth0 port 5902 --> out on eth0 to Linux workstation 1 on port 5900
As your DMZ box does not act as a gateway for the rest of your boxes, you don't have to worry; the only thing you need to do is add one more rule for POSTROUTING as well. That's it!

Here's your way out;

Let's initially assume that you have 3 packets
from Internet clients heading towards your DMZ box;
Source/Destination:Port
1. C1/DMZ:5900
2. C2/DMZ:5901
3. C3/DMZ:5902

Now please get one more thing clarified on your part: as you have only one Ethernet interface, and that is also part of your LAN (further on in this reply I won't use DMZ in the sense of a DMZ, only as a reference to that box), I believe that all of the packets (Internet traffic) being routed to you still have their source IP as the real/public IPs.
Though I am a little confused about the job your Linksys router is doing, I am trying to clarify the basics for you.

Prior these rules : Packet state : Source/destination ip= C1/DMZ
Code:
# iptables -t nat -A PREROUTING -p tcp --dport 5900 -d DMZ -j DNAT --to-destination windows-box:5900
# iptables -t nat -A POSTROUTING -p tcp -d windows-box -j SNAT --to-source DMZ(ip)
After these rules : Packet state : Source/destination ip= DMZ/WinBOX

And further, we have to write these rules in the same way for the rest of the packets as well.
Though be a little cautious: only the initial --dport will change for the other two rules, while the last port will always remain at 5900.

I also expect that kernel-level packet forwarding is ON.
 
Old 09-02-2006, 11:25 AM   #4
cs.cracker
LQ Newbie
 
Registered: Mar 2005
Distribution: Gentoo
Posts: 22

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by nuxrl
Why do you need the Linux box with iptables? The linksys router can do it for you. Just map virtual server on port 5900 to xp box 1, port 5900; 5901 to xp 2, port 5900 and finally 5902 to linux ws 1, port 5900.
My router doesn't have the option to change what port it's on--I can forward ports, but not to different ports. I would have to listen on different ports on each machine, and have several different entries in my list, which is very limited to only about 10 entries.

My router functions as the internet gateway, the wireless access point (and associated bridging/routing between LAN and WLAN), DHCP server for DHCP clients, local DNS cache (my ISP isn't all that reliable), internet bandwidth throttling, and basic firewalling for the rest of the network. The server is a DMZ because it runs several things that need access from the internet, including FTP, SSH, and HTTP. Since my router is very limited in the number of forwardings I can do, I just set that machine as the DMZ. It runs Trustix Secure Linux, and I am absolutely sure no services are running that I don't want running, and I have all logins secured (block root, all users have good passwords, correctly configured sudoers file, etc.). This also isn't a mission-critical operation, so if my server does get compromised, it's not a big deal. I watch my logs, and the most I get is typical dictionary bots attempting to login with 'root', 'Administrator', and 'Administrateur'.

As for kernel-level packet forwarding, I don't know if it's on or not. How would I check and turn it on?

Last edited by cs.cracker; 09-02-2006 at 11:28 AM.
 
Old 09-02-2006, 11:37 AM   #5
nuxrl
Member
 
Registered: Jun 2006
Location: NY, USA
Distribution: Slackware, Arch
Posts: 176

Rep: Reputation: 35
Thanks for sharing the info.

Quote:
As for kernel level packet forwarding, I don't know if its on or not. How would I check and turn it on?
Code:
$ cat /proc/sys/net/ipv4/ip_forward
If it has "0", it's not enabled. To enable it,

Code:
# echo "1" > /proc/sys/net/ipv4/ip_forward
 
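A complete version of the DNAT/SNAT procedure from post #3, together with the ip_forward check from post #5, as an added example that is not part of the thread or any poster's code. It assumes the DMZ host is 192.168.1.10 on eth0 and the three VNC hosts are 192.168.1.21, 192.168.1.22 and 192.168.1.23 (placeholder addresses, not taken from the thread), and it only prints the iptables commands so they can be reviewed before being run as root. The SNAT rule is what makes a single-interface box work as the forwarder: without it the VNC host would answer the public client directly through the Linksys instead of back through the DMZ host, so the reply would never have its destination translated back and the client would reject it. The price is that the VNC hosts see every connection as coming from the DMZ host, so the real client address is only visible in the DMZ host's connection tracking and logs. The FORWARD rules are redundant under the default ACCEPT policy the poster describes and become necessary if that policy is ever set to DROP.

```shell
#!/bin/sh
# Added example (not from the thread): build the iptables rules for a single-NIC
# "DMZ" host that redirects public ports 5900-5902 to three internal VNC hosts
# listening on 5900, plus a check of the kernel forwarding switch.
# Addresses below are placeholders, not the poster's real network.

IFACE="eth0"
DMZ_IP="192.168.1.10"          # the Linux server the router DMZs all traffic to
VNC_PORT=5900                  # every target listens here; only the public port differs
# "public_port:target_ip" pairs for the three VNC hosts
MAP="5900:192.168.1.21 5901:192.168.1.22 5902:192.168.1.23"

# Emit the three rules for one mapping. Nothing is applied here: review the
# output, then run it as root (e.g. gen_rules | sudo sh).
rules_for() {
    pub_port="$1"; target="$2"
    # 1. Before routing, rewrite the destination: client -> DMZ:pub_port becomes client -> target:5900
    echo "iptables -t nat -A PREROUTING -i $IFACE -d $DMZ_IP -p tcp --dport $pub_port -j DNAT --to-destination $target:$VNC_PORT"
    # 2. Let the redirected flow through FORWARD (in and out the same interface); only matters if FORWARD policy is DROP
    echo "iptables -A FORWARD -i $IFACE -o $IFACE -p tcp -d $target --dport $VNC_PORT -m conntrack --ctstate NEW -j ACCEPT"
    # 3. After routing, rewrite the source so the target replies to the DMZ host, which un-DNATs the reply for the client.
    #    Note the double dash: the single-dash -to-source in the original post is a typo.
    echo "iptables -t nat -A POSTROUTING -o $IFACE -p tcp -d $target --dport $VNC_PORT -j SNAT --to-source $DMZ_IP"
}

# Full rule set: one rule for return traffic, then three rules per mapping.
gen_rules() {
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for m in $MAP; do
        rules_for "${m%%:*}" "${m#*:}"
    done
}

# Number of rules produced (1 + 3 per mapping), a sanity check before applying.
count_rules() { gen_rules | wc -l | tr -d ' '; }

# Kernel forwarding switch: "1" = on, "0" = off, "unknown" if /proc is not readable.
# "echo 1 > ip_forward" is lost on reboot; put "net.ipv4.ip_forward = 1" in /etc/sysctl.conf.
ip_forward_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

echo "# ip_forward is currently: $(ip_forward_state)"
gen_rules
```

Adding a new VNC host is one more "port:ip" pair in MAP; the public port is the only thing that varies, exactly as post #3 says. To verify after applying, `iptables -t nat -L -n -v` should show the PREROUTING and POSTROUTING counters climbing as a client connects, and `cat /proc/net/nf_conntrack` (or `conntrack -L`) shows the public client address paired with the translated destination.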
Old 09-02-2006, 01:03 PM   #6
cs.cracker
LQ Newbie
 
Registered: Mar 2005
Distribution: Gentoo
Posts: 22

Original Poster
Rep: Reputation: 15
Thanks for all your help! It works just the way I want it now. Kernel IP forwarding was 0, so that was probably why my first attempts didn't do anything.
 