LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 08-01-2007, 07:10 AM   #1
sir-lancealot
Member
 
Registered: Aug 2007
Posts: 307

Rep: Reputation: 31
iptables / forwarding help


Morning all, I did read through some of the posts, none of which gave that golden ticket, so here is the question. I haven't touched iptables in 4/5 years and am finally getting back into the game, and need that kick start. This is a public web/DNS/mail server with both internal and external NICs, and I now wish to port-forward VNC traffic (5500, 5800, 5900) to an internal address. sysctl.conf has the ip_forward flag set to 1.

iptables -L shows the following:

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:10000
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5502
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5800
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5900
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Now, I did restart iptables as nothing is hardcoded, but I am trying numerous command line entries. The way they set up the box, eth0 is the external and eth1 is the internal. I played with:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 5800 -j DNAT --to 10.3.15.20:5800

/sbin/iptables -A FORWARD -p tcp -i eth1 -d 10.3.15.20 --dport 5800 -j ACCEPT

Nothing seems to work (I did add the other 5500 and 5900 as well). Saw a few posts on adding a log to at least see if it is hitting the external card, so any help on that is appreciated. Also, I only want the above allowed through, so should that any/accept policy be trashed?

Thanks for all replies and suggestions.

Lance
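As an added example (not the poster's commands or anything from the thread), here is a small script that applies the forwarding rules for the three VNC ports and keeps them in a chain of their own, ahead of the distribution's RH-Firewall-1-INPUT jump. It assumes eth0 external and eth1 internal as described above, uses a placeholder public address, and matches the FORWARD traffic with -i eth0, because the DNATed packet still arrives on the external card.

```shell
#!/bin/sh
# Added example, not the poster's or LinuxQuestions' own code: VNC port
# forwarding on a two-NIC gateway, kept in its own chain so it is evaluated
# before the distro's RH-Firewall-1-INPUT jump (which ends in REJECT).
# Assumes eth0 = external, eth1 = internal, as the poster describes.
EXT_IP="${EXT_IP:-192.0.2.1}"         # placeholder for the public address
INT_HOST="${INT_HOST:-10.3.15.20}"    # the VNC host named in the thread
VNC_PORTS="5500 5800 5900"

# ipt: run /sbin/iptables, or only print the rule when DRY_RUN=1 so the
# script can be reviewed and tested on a machine without root or iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        /sbin/iptables "$@"
    fi
}

# apply_vnc_forward: run once (re-running would duplicate the VNC-FWD chain).
apply_vnc_forward() {
    ipt -P FORWARD DROP                     # default deny, explicit allows only
    ipt -N VNC-FWD
    ipt -I FORWARD 1 -j VNC-FWD             # evaluated before the RH chain
    ipt -A VNC-FWD -m state --state RELATED,ESTABLISHED -j ACCEPT
    for p in $VNC_PORTS; do
        # Rewrite the destination before the routing decision (nat table).
        ipt -t nat -A PREROUTING -i eth0 -p tcp -d "$EXT_IP" --dport "$p" \
            -j DNAT --to-destination "$INT_HOST:$p"
        # The DNATed packet still arrives on eth0 and leaves on eth1, so
        # the rule matches -i eth0; the poster's -i eth1 never matches it.
        ipt -A VNC-FWD -i eth0 -o eth1 -p tcp -d "$INT_HOST" --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    # Tag and rate-limit what falls through so the kernel log shows why.
    ipt -A VNC-FWD -m limit --limit 5/min -j LOG --log-prefix "VNC-FWD: "
}

# dry_run_rules: print the rules instead of applying them.
dry_run_rules() { DRY_RUN=1; apply_vnc_forward; }
# forward_rule_for PORT: the generated VNC-FWD accept rule for PORT.
forward_rule_for() { dry_run_rules | grep -- "-A VNC-FWD .*--dport $1 "; }

case "${1:-}" in
    --dry-run) dry_run_rules ;;
    apply)     apply_vnc_forward ;;
esac
```

Run it with --dry-run first to read the generated rules, then with apply as root.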
 
Old 08-01-2007, 08:12 AM   #2
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
First off I just wanted to note that your firewall has all the chains set to ACCEPT all by default. This means that unless any traffic is specifically rejected / dropped, then your firewall is going to accept it. That is NOT good from a security perspective. A firewall should be configured to DENY by default and then you can explicitly define what you want to accept.

Now on to your issue. The only way we can really see what the firewall is doing is by adding a log entry to see if it is getting dropped off for any other reason.

You could try the following:

Log all incoming traffic:
Code:
/sbin/iptables -I FORWARD -j LOG
/sbin/iptables -I INPUT -j LOG
OR
Log all traffic to the ports you want (repeat for other ports):
Code:
/sbin/iptables -I FORWARD -p tcp --dport 5800 -j LOG
/sbin/iptables -I INPUT -p tcp --dport 5800 -j LOG
Watch the log files and this will start the troubleshooting process. If you are still having issues post the logs as well.

HTH,

Centinul
 
Old 08-01-2007, 08:50 AM   #3
sir-lancealot
Member
 
Registered: Aug 2007
Posts: 307

Original Poster
Rep: Reputation: 31
logging on

OK, re-ran my iptables at the command line; the listing now shows:


Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp dpt:5800 LOG level warning
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp dpt:5800 LOG level warning
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere stua.austintravel.com tcp dpt:5800
ACCEPT tcp -- anywhere stua.austintravel.com tcp dpt:5900
ACCEPT tcp -- anywhere stua.austintravel.com tcp dpt:5500

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:10000
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5502
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5800
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5900
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

So it looks like that is now running. I am waiting for confirmation they are in the office with the app running, but where does the logging go? Not the /var/log/messages file, right?

Also, I kinda figured that on the accept all, so if everything else looks correct under (allowing what I want) I assume I can just remove that entry, right?

Thanks again. Will report back a bit later with updates.

Last edited by sir-lancealot; 08-01-2007 at 08:52 AM.
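Added example, not part of the thread: a small parser for the lines Centinul's LOG rules write to the kernel log (visible with dmesg and, on a Red Hat style syslog.conf, in /var/log/messages), run over constructed sample lines rather than logs from the poster's box. It assumes eth0 is the external card and 10.3.15.20 the internal host; an empty OUT= means the packet was logged in INPUT rather than FORWARD, so DNAT did not rewrite it.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the kernel-log lines that
# the LOG rules in INPUT and FORWARD produce, to tell whether a VNC packet
# reached the external card, stayed local (INPUT), or was forwarded after
# DNAT. LOG output goes to the kernel log (dmesg) and via syslog's kern
# facility to /var/log/messages on a Red Hat style syslog.conf.

# Constructed sample, not captured from the poster's box; public addresses
# are documentation ranges, 10.3.15.20 is the internal host from the thread.
SAMPLE_LOG='Aug  1 08:55:01 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=5800 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 08:55:02 gw kernel: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.3.15.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=40002 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 08:55:03 gw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.3.15.7 DST=10.3.15.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=5500 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 08:55:04 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# classify_vnc_log: read LOG lines on stdin, print one verdict per VNC packet.
# OUT is empty when the packet was logged in INPUT (local delivery, so DNAT
# did not rewrite it); OUT=eth1 with DST=10.3.15.20 means DNAT worked and the
# packet is in FORWARD on its way to the internal host.
classify_vnc_log() {
    awk -v ext_if=eth0 '
    /kernel:/ && /PROTO=TCP/ {
        in_if = out_if = dst = dpt = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue            # tokens like DF or SYN
            if (kv[1] == "IN")  in_if  = kv[2]
            if (kv[1] == "OUT") out_if = kv[2]
            if (kv[1] == "DST") dst    = kv[2]
            if (kv[1] == "DPT") dpt    = kv[2]
        }
        if (dpt != "5500" && dpt != "5800" && dpt != "5900") next
        if (in_if != ext_if) {
            print dpt, "arrived on", in_if, "- not from the external card"; next
        }
        if (out_if == "")
            print dpt, "hit INPUT on " ext_if " with DST=" dst " - DNAT did not rewrite it"
        else
            print dpt, "forwarded " ext_if "->" out_if " to " dst " - DNAT worked"
    }'
}

case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_LOG" | classify_vnc_log ;;
esac
```

On a live box, pipe the real log into the function (for example dmesg | classify_vnc_log) instead of using --sample.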