LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-22-2008, 12:00 PM   #1
emmendes
LQ Newbie
 
Registered: Nov 2008
Posts: 5
Thanked: 0
an example on iptables with redirect


Hello

Unfortunately my linux server crashed a few days ago after an electricity shortage. The crash caused some bad blocks on a partition and after recovering most of my sh files I realized that the firewall script was gone without a trace. I found a backup but it wasn't updated enough so I lost all the rules regarding redirection.

It has been years since I last modified the file (I couldn't guess that the bad block would hit exactly the area where the firewall script was - I deserve it, I know!).

Ok. I need right now to get the box up by issuing the rules again.

Here is the configuration: two NICs. One (eth0) has a public IP address and connects to the world. The second one (eth1) is 192.168.1.1. All other machines take IPs from a DHCP server, starting with 192.168.1.X.

I need to connect 192.168.0.7 port 22 to eth0:43022.

The old copy of the firewall allows all internal boxes to connect to the internet.

Sorry for such a simple question (probably it has been answered several times, but I couldn't find exactly what I want on the web. Perhaps the reason is my frustration and despair!).

Many many thanks

Ed
Old 11-22-2008, 01:57 PM   #2
rayfordj
Member
 
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL
Posts: 274
Thanked: 13
something like...
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 43022 -j DNAT --to 192.168.0.7:22
Old 11-22-2008, 02:42 PM   #3
emmendes
LQ Newbie
 
Registered: Nov 2008
Posts: 5
Thanked: 0

Original Poster
Quote:
Originally Posted by rayfordj View Post
something like...
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 43022 -j DNAT --to 192.168.0.7:22
I remember that there was a second line. Could it be something like the following?

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 43022 -j DNAT --to 192.168.0.7 --dport 22
iptables -A FORWARD -p tcp --dport 43022 -j ACCEPT

Is the --dport 22 on the first line ok?

many thanks

Ed
Old 11-22-2008, 05:50 PM   #4
win32sux
Moderator
 
Registered: Jul 2003
Distribution: Ubuntu 8.10
Posts: 8,246
Thanked: 55
Quote:
Originally Posted by emmendes View Post
I remember that there was a second line. Could it be something like the following?

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 43022 -j DNAT --to 192.168.0.7 --dport 22
iptables -A FORWARD -p tcp --dport 43022 -j ACCEPT

Is the --dport 22 on the first line ok?

many thanks

Ed
No, you'd need to specify the new port by just putting it next to the IP, like:
Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 43022 -j DNAT --to 192.168.0.7:22
As for the second line, replace it with something like:
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 43022 -m state --state NEW -j ACCEPT
Notice how the traffic direction was specified by use of the interface matches.
Old 11-24-2008, 07:23 AM   #5
emmendes
LQ Newbie
 
Registered: Nov 2008
Posts: 5
Thanked: 0

Original Poster
Quote:
Originally Posted by win32sux View Post
No, you'd need to specify the new port by just putting it next to the IP, like:
Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 43022 -j DNAT --to 192.168.0.7:22
As for the second line, replace it with something like:
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 43022 -m state --state NEW -j ACCEPT
Notice how the traffic direction was specified by use of the interface matches.

The first line doesn't work with iptables 1.2.9

unknown arg '--to'

Many thanks

Ed
Old 11-24-2008, 08:09 AM   #6
rayfordj
Member
 
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL
Posts: 274
Thanked: 13
Quote:
Originally Posted by emmendes View Post
unknown arg '--to'
try --to-destination
Code:
--to-destination
if that does not work, check out the man page or docs for your specific version ;-)
Old 11-25-2008, 04:31 PM   #7
emmendes
LQ Newbie
 
Registered: Nov 2008
Posts: 5
Thanked: 0

Original Poster
I tried to find some docs for that version but to no avail.

man is no longer available on the machine.

Many thanks

Ed
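The rules from #4, the --to-destination fix from #6 and a way around the missing man page from #7, assembled into one script. This is an added example, not code posted in the thread. One detail a practitioner will trip over: DNAT rewrites the destination in PREROUTING, so by the time the packet reaches FORWARD its destination port is already 22, and a FORWARD rule matching --dport 43022 never sees it; the NEW rule below therefore matches the rewritten destination. Assumptions not stated on the page: the LAN is 192.168.1.0/24 behind eth1, 192.168.0.7 is kept exactly as written in the thread (the LAN is described as 192.168.1.x, so adjust it to the real address), and iptables 1.2.x is old enough that only -m state (not -m conntrack) is available. The function names (emit_rules, apply_rules, dnat_help, show_counters) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds the port forward the
# thread discusses: public eth0:43022 -> 192.168.0.7:22, plus the NAT
# that lets the LAN (eth1, 192.168.1.0/24) reach the internet.
# Assumptions (not stated on the page): the LAN network below, the
# target address exactly as posted, and an iptables old enough that
# only "-m state" (not "-m conntrack") is available.
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
TARGET=${TARGET:-192.168.0.7}     # as posted; the LAN is described as 192.168.1.x
PUB_PORT=${PUB_PORT:-43022}
DST_PORT=${DST_PORT:-22}

# Print the rules as iptables command lines. Nothing is applied here;
# read the output, then call apply_rules as root.
emit_rules() {
    cat <<EOF
# Routing between interfaces must be on or FORWARD is never consulted.
sysctl -w net.ipv4.ip_forward=1
# Start from empty chains so the script can be re-run; drop these
# three lines if other rules live in FORWARD or the nat table.
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
# Rewrite public:$PUB_PORT to $TARGET:$DST_PORT before routing.
# --to-destination is the long form that iptables 1.2.x accepts;
# --to is only a newer abbreviation of it.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PUB_PORT -j DNAT --to-destination $TARGET:$DST_PORT
# Replies and already-accepted connections, both directions.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# DNAT has already rewritten the packet when FORWARD sees it, so match
# the new destination ($TARGET:$DST_PORT), not the public port.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $TARGET -p tcp --dport $DST_PORT -m state --state NEW -j ACCEPT
# LAN hosts may open connections outward and are hidden behind $WAN_IF.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Apply the rules above; refuses to run unprivileged.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    emit_rules | sh -e
}

# Option list of the DNAT target straight from the binary, for a box
# with no man pages: -h combined with -j prints the target's own help.
dnat_help() {
    iptables -j DNAT -h 2>&1 | sed -n '/DNAT.*options/,$p'
}

# Counters to confirm the rules are being hit after a test connection
# (ssh -p $PUB_PORT user@<public ip> from outside).
show_counters() {
    iptables -t nat -L PREROUTING -n -v
    iptables -L FORWARD -n -v
}

# Default action when run directly: dry run, print the rules.
emit_rules
```

Run it once to read the generated rules, then `apply_rules` as root and connect from outside with `ssh -p 43022`; the pkts column printed by `show_counters` should increase on the DNAT rule and on the NEW rule in FORWARD. Because the DNAT rule matches `-i eth0`, a LAN client that connects to the public address on 43022 is not redirected; that is the expected behaviour of this rule set, not a fault.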