LinuxQuestions.org
Old 04-24-2002, 03:33 PM   #1
eXor
Member
 
Registered: Mar 2002
Location: Sweden
Distribution: Slackware 10.1
Posts: 103

Rep: Reputation: 15
Port forwarding???


I want to open ports 5800 and 411-414 on my computer!

I have a Linux router with Slackware 8.

I want to fix it in some way with iptables so that ports 5800 and 411-414 will be forwarded, or something like that, to my local computer on IP 192.168.0.2.

And also, if somebody can explain how to forward ports in general to my other computer.

The ports should be both TCP and UDP!!

How do I do this?
I'm a newbie, so please be gentle.

/Ludvig (Sweden)
 
Old 04-24-2002, 07:27 PM   #2
Norel
Member
 
Registered: Apr 2002
Location: Italy
Distribution: RockLinux
Posts: 35

Rep: Reputation: 15
What you are searching for is DNAT, and the tool to do it is iptables.

If you want to learn, try http://netfilter.samba.org/unreliabl....linuxdoc.html

Quick & dirty:
iptables -t nat -A PREROUTING -d <router internet ip> -p tcp --dport 5800 -j DNAT --to 192.168.0.2
iptables -t nat -A PREROUTING -d <router internet ip> -p tcp --dport 411:414 -j DNAT --to 192.168.0.2
iptables -t nat -A PREROUTING -d <router internet ip> -p udp --dport 5800 -j DNAT --to 192.168.0.2
iptables -t nat -A PREROUTING -d <router internet ip> -p udp --dport 411:414 -j DNAT --to 192.168.0.2

Good Luck!
 
Old 04-25-2002, 04:14 PM   #3
eXor
Member
 
Registered: Mar 2002
Location: Sweden
Distribution: Slackware 10.1
Posts: 103

Original Poster
Rep: Reputation: 15
Doesn't work!!

It doesn't work.
I don't understand.
I can't figure out why.



I know it is port 5800 for VNC, because I have port-scanned my 192.168.0.2 computer. But it doesn't work. WHY???



Can you please help me to see why? And Direct Connect didn't work in active mode either, even though I have made those iptables rules for port 411:414.

Please please help me.

/Ludvig
 
Old 04-25-2002, 05:25 PM   #4
Norel
Member
 
Registered: Apr 2002
Location: Italy
Distribution: RockLinux
Posts: 35

Rep: Reputation: 15
First of all you need a basic knowledge of iptables and netfiltering.
For any resource you could ever need, go here: http://www.linuxguruz.org/iptables/ (already posted in another thread). Don't worry, just start from the iptables-HOWTO.
With iptables-save (if you have it installed) you can view your current configuration. Try to simplify your config to isolate the problem.

If it still doesn't work, post the iptables-save output so we can have more info to find the problem. Post error messages and related log messages too.

Last notes:
- remember to check /proc settings
- check that all related modules are loaded
- check ports needed for connection, not just open ports:
+ start tcpdump on pc 192.168.0.2
+ connect with your program from a pc in your local net
+ check tcpdump output for ports used during connection
 
Old 04-26-2002, 06:54 AM   #5
eXor
Member
 
Registered: Mar 2002
Location: Sweden
Distribution: Slackware 10.1
Posts: 103

Original Poster
Rep: Reputation: 15
Iptables-save

Thanks for your quick replies.

When I try iptables-save this comes up:

# Generated by iptables ... 2002
*filter
:INPUT ACCEPT [2:231]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:80]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
# Completed on Fri ... 2002
# Generated by iptables ... 2002
*nat
:PREROUTING ACCEPT [28:1775]
:POSTROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d <router internet ip> -p tcp --dport 5800 -j DNAT --to-destination 192.168.0.2
-A PREROUTING -d <router internet ip> -p tcp --dport 411:414 -j DNAT --to-destination 192.168.0.2
-A PREROUTING -d <router internet ip> -p udp --dport 5800 -j DNAT --to-destination 192.168.0.2
-A PREROUTING -d <router internet ip> -p udp --dport 411:414 -j DNAT --to-destination 192.168.0.2
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri ... 2002



I hope you can see if that's correct.

Last edited by eXor; 04-26-2002 at 06:56 AM.
 
Old 04-26-2002, 07:21 AM   #6
eXor
Member
 
Registered: Mar 2002
Location: Sweden
Distribution: Slackware 10.1
Posts: 103

Original Poster
Rep: Reputation: 15
Other questions??

In your last reply you wrote:

- remember to check /proc settings
- check that all related modules are loaded
- check ports needed for connection, not just open ports:
+ start tcpdump on pc 192.168.0.2
+ connect with your program from a pc in your local net
+ check tcpdump output for ports used during connection


As I said before, I'm a newbie. So if you could help me more specifically with what to do, it would be great.

In the module case, I think they all work because my internet connection and local network connection work perfectly.

Now I also have tested VNC over my local network and that worked. But not over the internet.

I have tested tcpdump but I don't really know what I'm looking for.
But I have only tried tcpdump on my Linux router. The other computer is WinXP; I don't know how to test it there.

How can I check which ports are necessary?

/Ludvig


 
Old 04-26-2002, 10:38 AM   #7
verryhi
LQ Newbie
 
Registered: Apr 2002
Location: columbus, oh
Distribution: slackware
Posts: 8

Rep: Reputation: 0
VNC actually works over the 5900s..
I don't know for sure where the change happens, but the http part runs on the 5800s, but the client actually uses the 5900s... I'm pretty sure the server accepts on the 5900s.. if you google it, search for VNC.. the AT&T page has info that may be helpful.. and they also used to have an example of port forwarding with ssh.. may help you??

I'm actually going to be setting up my new slackrouter in the next week or two so I'll have to figure it out.. hope you have got it by then but if not, I should have an answer..
 
Old 04-26-2002, 10:41 AM   #8
verryhi
LQ Newbie
 
Registered: Apr 2002
Location: columbus, oh
Distribution: slackware
Posts: 8

Rep: Reputation: 0
I think I was a little unclear..

When I said 'http part'.. I meant when you are viewing it in a browser...

By client I meant the vncviewer..
 
Old 04-26-2002, 12:47 PM   #9
Norel
Member
 
Registered: Apr 2002
Location: Italy
Distribution: RockLinux
Posts: 35

Rep: Reputation: 15
Re: Iptables-save

From what I can see the problem is with the FORWARD table.
To check it, try
iptables -P FORWARD ACCEPT

If it works, then try
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP

To test for other ports used for the connection (192.168.0.2 = Win* case):
- stop as much traffic as you can from and to 192.168.0.2!!
- go on the router
- launch #tcpdump -i <internal net interface, maybe eth0> host 192.168.0.2 and host <ip from which you'll try to connect> | tee logfile.log
- from a machine in your local network (ip above) try to connect, do a little work and disconnect
- Ctrl-C at the router and search in logfile.log: for any packet you see through interface eth0, look at the port number (192.168.0.2.xxx)
If there are ports different from 5800 or 411:414, add them to your rules.
IMPORTANT NOTE: if you have a switched network this method probably doesn't work; in this case investigation is much more difficult (basically because 192.168.0.2 is Win* and you can't tcpdump from it (or I don't know how)), so give up on the port test for the moment.

Much more important: to solve a not-for-newbies problem like this, you need to study.
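The last three steps above come down to reading the tcpdump log for the ports the server was contacted on. The script below is an added example, not code from this thread, that does that with awk over a constructed capture in tcpdump's text format (src.port > dst.port); the SAMPLE lines, the dst_ports_to function and its host argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the destination ports a host was
# contacted on in a tcpdump capture taken on the router's LAN interface, i.e.
# the ports a forwarding rule would have to cover.
# Capture with "tcpdump -n" so addresses are printed numerically as below.

# Constructed sample of tcpdump output: a VNC viewer session, a browser hit on
# the VNC http port, a UDP packet, and one line in the newer "IP ..." format.
SAMPLE='12:00:01.100 192.168.0.22.1331 > 192.168.0.2.5900: S 10:10(0) win 8192
12:00:01.101 192.168.0.2.5900 > 192.168.0.22.1331: S 20:20(0) ack 11 win 8192
12:00:01.102 192.168.0.22.1331 > 192.168.0.2.5900: . ack 21 win 8192
12:00:05.300 192.168.0.22.1332 > 192.168.0.2.5800: S 30:30(0) win 8192
12:00:07.000 192.168.0.22.1025 > 192.168.0.2.412: udp 20
12:00:09.000 IP 192.168.0.22.1333 > 192.168.0.2.411: Flags [S], seq 1, win 8192'

# dst_ports_to HOST: reads tcpdump lines on stdin and prints each distinct port
# on HOST that some packet was sent to, one per line, numerically sorted.
dst_ports_to() {
    awk -v h="$1" '
    {
        dst = ""
        # the token after ">" is the destination, whatever precedes it
        for (i = 2; i < NF; i++) if ($i == ">") { dst = $(i + 1); break }
        sub(/:$/, "", dst)                 # "a.b.c.d.port:" -> "a.b.c.d.port"
        n = split(dst, p, ".")
        if (n != 5) next                   # not address.port (ARP, ICMP, ...)
        host = p[1] "." p[2] "." p[3] "." p[4]
        if (host == h) seen[p[5]] = 1
    }
    END { for (port in seen) print port }' | sort -n
}

# Ports the server 192.168.0.2 was contacted on: each needs a DNAT rule plus a
# FORWARD accept if forwarding is wanted from the internet.
printf '%s\n' "$SAMPLE" | dst_ports_to 192.168.0.2
# Ports seen towards the client (1331) are its ephemeral source ports; replies
# to them are covered by the RELATED,ESTABLISHED rule, not by port forwarding.
printf '%s\n' "$SAMPLE" | dst_ports_to 192.168.0.22
```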
 
Old 04-27-2002, 06:12 AM   #10
eXor
Member
 
Registered: Mar 2002
Location: Sweden
Distribution: Slackware 10.1
Posts: 103

Original Poster
Rep: Reputation: 15
Tested!!

Now I have tested all the things you said.

I tested:
iptables -P FORWARD ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP

All worked.


I tested tcpdump -i eth1 (eth1 is my local network interface)

Summary of that:
this was the signal that was sent to my computer with VNC

192.168.0.22.1331 > 192.168.0.2.5900

and when I tried with the internet browser:
192.168.0.22.1331 > 192.168.0.2.5800

and I have PREROUTING for both port 5800 and 5900...

That works. But not when I go over the net to my external IP. It doesn't work at all.

My network is not switched.

Last edited by eXor; 04-27-2002 at 06:13 AM.
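Putting the pieces from this thread together (DNAT in nat/PREROUTING, a matching accept in filter/FORWARD, the ip_forward /proc setting, and port 5900 that the tcpdump run turned up), here is an added example rc.firewall; it is not Norel's or eXor's script. It assumes eth0 is the internet side and eth1 the LAN side, as eXor describes, and matches on the interface instead of the router's public address so a dynamic IP does not break the rules.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal rc.firewall that forwards the
# ports discussed here to 192.168.0.2 while keeping the FORWARD policy DROP.
# Assumptions (from eXor's description): eth0 faces the internet, eth1 the LAN.
# "sh rc.firewall apply" applies the rules as root; any other invocation only
# prints the commands (DRY_RUN=1), which is handy for review before applying.
WAN_IF=eth0
LAN_IF=eth1
LAN_HOST=192.168.0.2
TCP_PORTS="5800 5900 411:414"   # VNC http viewer, VNC viewer, Direct Connect
UDP_PORTS="411:414"             # Direct Connect only; VNC is TCP

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

forward_port() {  # $1 = tcp|udp, $2 = port or low:high
    # nat/PREROUTING rewrites the destination of packets arriving on the WAN
    # side; matching on the interface avoids hard-coding the public address.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$LAN_HOST"
    # The rewritten packet then traverses filter/FORWARD, so a DROP policy
    # needs an explicit ACCEPT for the NEW connection to the LAN host.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_HOST" -p "$1" \
        --dport "$2" -m state --state NEW -j ACCEPT
}

apply_firewall() {
    run sysctl -w net.ipv4.ip_forward=1     # the /proc setting Norel mentions
    run iptables -F FORWARD
    run iptables -t nat -F
    run iptables -P FORWARD DROP
    # Replies and related packets in either direction
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # LAN hosts may open new connections towards the internet
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    for p in $TCP_PORTS; do forward_port tcp "$p"; done
    for p in $UDP_PORTS; do forward_port udp "$p"; done
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Everything else reaching FORWARD is logged, then hits the DROP policy
    run iptables -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
}

if [ "$1" = apply ]; then apply_firewall; else DRY_RUN=1; apply_firewall; fi
```

Test from a host that is really outside the LAN: connecting from 192.168.0.22 to the router's external address is a different case (192.168.0.2 answers the LAN client directly, so the reply bypasses the router's NAT) and needs an additional SNAT rule in POSTROUTING.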
 
Old 04-27-2002, 06:59 AM   #11
Norel
Member
 
Registered: Apr 2002
Location: Italy
Distribution: RockLinux
Posts: 35

Rep: Reputation: 15
Re: Tested!!

Quote:
Originally posted by eXor
Now I have tested all the things you said.

I tested:
iptables -P FORWARD ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP

All worked.

...

That works. But not when I go over the net to my external IP. It doesn't work at all.

My network is not switched.
Sorry, probably I wasn't very clear: when I say "check if it works" I don't mean the command executing but connecting with VNC from the internet.
#iptables -P FORWARD ACCEPT
and try to connect to your router from the internet with VNC:
- if it works, report it here so we can work on securing it better.
- if not ... I don't know
 
Old 04-27-2002, 05:57 PM   #12
eXor
Member
 
Registered: Mar 2002
Location: Sweden
Distribution: Slackware 10.1
Posts: 103

Original Poster
Rep: Reputation: 15
Retesting!

First I tried without the rules you said. Then nothing worked on my local computer, not even surfing.
Then I added
iptables -P FORWARD ACCEPT

Internet worked, and no VNC.

Then I added
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

No VNC, but internet.
And then
iptables -P FORWARD DROP
No VNC, but internet.


So that didn't work.

I have a possible solution. Can't you send me your rc.firewall so that I can compare them, and maybe change mine? Better still, if you can put your script on a homepage so that I can download it with lynx.

Please, please help me.

Don't give up.
 
Old 04-27-2002, 07:46 PM   #13
Norel
Member
 
Registered: Apr 2002
Location: Italy
Distribution: RockLinux
Posts: 35

Rep: Reputation: 15
Re: ReTesting!

My situation is this:
- I've a good knowledge of ipfiltering (iptables) BUT before I had no need of DNAT, so I have never set one up
- I'm very interested in making it work because I'm planning to do something similar (for www, mail, ... daemons)

So:
- I haven't a ready-to-use rc.firewall script which performs port forwarding
- if you want we can track down the problem, but to do it we'll need some time; maybe someone more experienced in this area can solve your (and my) problem quickly ... if someone out there has the solution, just post
However I've no intention of giving up ... I'm just thinking what's best for you.

Just if you decide to continue (and nobody posts the solution) I need to know some things:
- is your router a *production* router = if it has temporary problems, could you get fired? (just asking)
- do you have a Linux machine in your local network (other than the router), even in dual boot, so we can make some deeper tests?
- can you try connecting from the internet to your router easily (just going to the other room) or just once a day (e.g. from work)?
My idea is to start from a VERY simple situation and then scale up; it's a bit longer but usually works .. and certainly we learn much more

Last notes:
- as you can see from my registration date I'm new in this forum and I don't know whether to continue problem-tracking by posting here (maybe the thread becomes too long) or by private mail.
- probably in some days (max a week) I can make my local tests too, with realtime checking if it works.
 
Old 04-28-2002, 03:09 AM   #14
eXor
Member
 
Registered: Mar 2002
Location: Sweden
Distribution: Slackware 10.1
Posts: 103

Original Poster
Rep: Reputation: 15
continue...

I want to continue. As you said, we learn a lot from this. So let's try again. I will now try to write my network up for you.


                    [Internet]
                       /
                      /(eth0)
                     /
               [Router] (Slackware 8.0)
                  /
                 /(eth1)
                /
             [Hub (10Mbit)]
             /              \
   [Computer 1]             [Computer 2]
    WinXP (Standard)         WinME
    Linux Red Hat 7.2        (192.168.0.22)
    (192.168.0.2)            (VNC client)
    (VNC Server and DC)


The router is a PI 166 MHz with 48MB RAM.
Computer 1 is a PIII 667 MHz with 512MB RAM.
Computer 2 is a PII 400MHz with 256MB RAM.
ehh???

Hope you understand. I have all the computers in the same room, so I can test whenever you want.
I don't really understand what you mean by *production* router. The router is just in my home network; I can do whatever I want with it.

And it is on Computer 1 that I want it to work.

I don't see any problems in continuing to post here. But to be sure we don't lose contact, we can continue by mail.
I have sent you my e-mail address.




But another thing with posting here is that maybe someone more experienced (as you said) may read this and come with help. And they have seen the start, so they can add to it in this forum.


Hope all this information can help you to help me.

Thanks for all the help so far.

Last edited by eXor; 04-28-2002 at 03:19 AM.
 
Old 04-28-2002, 03:15 AM   #15
eXor
Member
 
Registered: Mar 2002
Location: Sweden
Distribution: Slackware 10.1
Posts: 103

Original Poster
Rep: Reputation: 15

ANYONE OUT THERE WHO WANTS TO HELP US.........

Last edited by eXor; 04-28-2002 at 03:17 AM.
 
  

