LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 07-04-2005, 07:24 PM   #1
geoff3425
LQ Newbie
 
Registered: Feb 2005
Location: Vermont
Distribution: Slackware 10.1
Posts: 5

Rep: Reputation: 0
iptables port forwarding


First, I would like to thank everyone here. I have always found that the questions I have had have already been answered.

I have a broadband connection at home with a static IP address. I have a Slackware server that runs my e-mail server and firewall. I am trying to forward the Windows RDP port to my XP box so I can remote control it when I am at the office. My firewall script follows. What have I done wrong? I have used this script for a long time and just added the stuff for RDP.

Code:
#!/bin/bash

# simple firewall (for now)

# set the external ethernet interface
EXTIF="eth1"
# set the internal ethernet interface
INTIF="eth2"

case "$1" in
'start')

        # setup spoofing protection
        if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
            for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                echo 1 > $f
            done
        else
            echo
            echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED."
            echo
        fi


        # Flush any previous rules
        iptables -F

        # accept anything from the local host
        iptables -A INPUT -i lo -j ACCEPT

        # accept anything coming into interfaces other than $EXTIF
        iptables -A INPUT -i ! $EXTIF -j ACCEPT

        #allow ssh from anywhere
        iptables -A INPUT -i $EXTIF -p tcp --destination-port ssh -j ACCEPT

        #allow dns from anywhere
        ##iptables -A INPUT -i $EXTIF -p tcp --destination-port 53 -j ACCEPT

        #allow web from anywhere
        iptables -A INPUT -i $EXTIF -p tcp --destination-port http -j ACCEPT
        iptables -A INPUT -i $EXTIF -p tcp --destination-port 443 -j ACCEPT

        #allow webmin from anywhere
        ##iptables -A INPUT -i $EXTIF -p tcp --destination-port 10000 -j ACCEPT

        #allow mail from anywhere
        iptables -A INPUT -i $EXTIF -p tcp --destination-port smtp -j ACCEPT
        #iptables -A INPUT -i $EXTIF -p tcp --destination-port submission -j ACCEPT

        #allow imap from anywhere
        iptables -A INPUT -i $EXTIF -p tcp --destination-port imap -j ACCEPT

        #allow RDP from anywhere
        iptables -A INPUT -i $EXTIF -p tcp --destination-port 3389 -j ACCEPT

        # Accept packets from established or related connections from anywhere.
        iptables -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Drop all attempts at establishing a connection from the internet
        iptables -A INPUT -i $EXTIF -p tcp --syn -j DROP

        # Setup forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward

        # forward RDP to local machine
        iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3389 -j DNAT --to 192.168.0.85:3389

        # setup the NAT!
        iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

        # If they were not accepted by the above rules, drop them.
        iptables -P INPUT DROP

        ;;
# okay now lets setup some rules....
'stop')
        echo "Flushing firewall settings.  We are WIDE OPEN TO THE WORLD !!!!"
        echo 0 > /proc/sys/net/ipv4/ip_forward
        iptables -F INPUT
        iptables -P INPUT ACCEPT
        ;;
*)
        echo "Usage: $0 { start | stop }"
        ;;
esac

Thanks in advance.
 
Old 07-05-2005, 04:30 AM   #2
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136
I am not an iptables expert, but:
Code:
# forward RDP to local machine
iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3389 -j DNAT --to 192.168.0.85:3389
Shouldn't it be:
Code:
# forward RDP to local machine
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 3389 -d 192.168.0.85 -j ACCEPT
[edit]
Or maybe both. I say that because with the DNAT rule, you don't forward
the packet, you tell iptables to change the destination address
(I could be wrong, as this is how I understood it).

Last edited by keefaz; 07-05-2005 at 04:55 AM.
 
Old 07-05-2005, 07:11 AM   #3
geoff3425
LQ Newbie
 
Registered: Feb 2005
Location: Vermont
Distribution: Slackware 10.1
Posts: 5

Original Poster
Rep: Reputation: 0
This was my problem: I do not understand the man pages about this, nor any of the how-tos. I tried yours alone and then both, and it still didn't work. I did verify that I could RDP to this machine from inside the firewall.

Thanks for trying.
 
Old 07-05-2005, 07:27 AM   #4
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136
I would try to remove -d 192.168.0.85 in the FORWARD rule,
as the destination address may not be 192.168.0.85 at this time.
 
Old 07-05-2005, 07:41 AM   #5
suid0
Member
 
Registered: Jul 2005
Location: Brazil
Distribution: Slackware, openSuSe, Ubuntu, Fedora
Posts: 56

Rep: Reputation: 16
You can use both FORWARD and PREROUTING.
The FORWARD rule is only used when you have changed something like the default POLICY from ACCEPT to DROP.

This is dirty, but it works when we're testing something:
Code:
iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination destIP:3389

And be sure to check if the IP is correct!
 
Old 07-05-2005, 07:46 AM   #6
geoff3425
LQ Newbie
 
Registered: Feb 2005
Location: Vermont
Distribution: Slackware 10.1
Posts: 5

Original Poster
Rep: Reputation: 0
I do use DHCP, but the address is correct, and it does not work with it removed either.

I thought this was going to be a simple little project.

Thanks
 
Old 07-05-2005, 07:54 AM   #7
suid0
Member
 
Registered: Jul 2005
Location: Brazil
Distribution: Slackware, openSuSe, Ubuntu, Fedora
Posts: 56

Rep: Reputation: 16
When everything should work but it doesn't, I just set the policies to ACCEPT and remove everything with -j DROP. I know it's stupid, but I do this to be sure that a firewall rule is my problem and not a network problem.
 
Old 07-05-2005, 07:56 AM   #8
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136
For my part, when I play with iptables, I add a rule like this:
Code:
iptables -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG \
--log-prefix 'DROPPED INPUT : '
just before the last rule:
Code:
iptables -A INPUT -j DROP

Then I open a terminal and do:
Code:
tail -f /var/log/syslog

So I start network connection testing while I read the
output from the syslog; I am then able to see why some
packets are blocked, and I change the rules accordingly.
 
Old 07-05-2005, 08:08 AM   #9
geoff3425
LQ Newbie
 
Registered: Feb 2005
Location: Vermont
Distribution: Slackware 10.1
Posts: 5

Original Poster
Rep: Reputation: 0
OK, suid0's suggestion worked. But you say it is dirty? What would be the better way to do this? I would like to refine this and use it at a high school that is also a ski school. They train Olympic-caliber kids for Nordic and Alpine skiing. They travel pretty extensively and still have to keep up with their studies. A few of us volunteer our time to keep the network up and running.
 
Old 07-05-2005, 08:18 AM   #10
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136
Quote:
OK suid0's suggestion worked.
suid0's suggestion:
Quote:
I just put the policies to ACCEPT and remove everything with -j DROP
So basically, a rule (or some) blocks some incoming connection;
that's why I suggested you log the incoming connections and see where
they're being blocked.
 
Old 07-05-2005, 08:26 AM   #11
geoff3425
LQ Newbie
 
Registered: Feb 2005
Location: Vermont
Distribution: Slackware 10.1
Posts: 5

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by keefaz
suid0's suggestion:

So basically, a rule (or some) blocks some incoming connection;
that's why I suggested you log the incoming connections and see where
they're being blocked.
Sorry, I am not used to this kind of communication. Everyone was posting at the same time; I was trying things while others were posting. What I did that worked was:

Quote:
Originally posted by suid0
You can use both FORWARD and PREROUTING.
The FORWARD rule is only used when you have changed something like the default POLICY from ACCEPT to DROP.
This is dirty, but it works when we're testing something:
iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination destIP:3389
And be sure to check if the IP is correct!
The logging was a great suggestion; I was looking for a way to do that but could not find it, nor did I think of asking that question here either.
 
Old 07-05-2005, 08:26 AM   #12
suid0
Member
 
Registered: Jul 2005
Location: Brazil
Distribution: Slackware, openSuSe, Ubuntu, Fedora
Posts: 56

Rep: Reputation: 16
Put DROP rules in one by one, till the problem occurs. If you're using a script with hundreds of rules, don't do it or you'll go crazy.

This is a good way to learn and to know what happened.

The next time, use the LOGS. You should do this to understand the firewall logs, and then the next time you have an issue like this one, just check the logs and you'll be able to find the problem.
 
Old 07-05-2005, 08:34 AM   #13
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136
Also, the last line:
Code:
iptables -P INPUT DROP

should be:
Code:
iptables -A INPUT -j DROP

The -P sets the policy of the INPUT chain, so it is better to set it
at the beginning of the iptables script, just after: iptables -F

iptables -A INPUT -j DROP means all packets that haven't been
treated by the previous rules are blocked.
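Pulling the thread's pieces together (keefaz's FORWARD rule, suid0's point that FORWARD only matters once the policy is DROP, the LOG rule before the final DROP, and setting the policy up front), here is an added example script, not the OP's or any poster's code. Interface names, the RDP host 192.168.0.85 and the office network 203.0.113.0/24 are assumed placeholders, and DRY_RUN=1 (the default) prints the rules instead of applying them.

```shell
#!/bin/bash
# Added example: RDP port-forward on a two-interface gateway with explicit
# DROP policies, a matching FORWARD rule, and rate-limited logging ahead of
# each DROP. All addresses and interface names below are assumed placeholders.

DRY_RUN="${DRY_RUN:-1}"                     # 0 = really call iptables (root)
EXTIF="${EXTIF:-eth1}"                      # external interface (assumed)
INTIF="${INTIF:-eth2}"                      # internal interface (assumed)
RDP_HOST="${RDP_HOST:-192.168.0.85}"        # internal RDP target (assumed)
OFFICE_NET="${OFFICE_NET:-203.0.113.0/24}"  # placeholder: only this net may reach RDP

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

forward_rdp() {
    # Policies before the flush, so nothing slips through while chains are empty.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -F
    ipt -t nat -F
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 1) nat/PREROUTING rewrites the destination of RDP arriving from outside.
    ipt -t nat -A PREROUTING -i "$EXTIF" -s "$OFFICE_NET" -p tcp --dport 3389 \
        -j DNAT --to-destination "$RDP_HOST:3389"
    # 2) filter/FORWARD then sees the rewritten packet; with a DROP policy it
    #    must be accepted here or the DNAT alone does nothing useful.
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$RDP_HOST" --dport 3389 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Replies from the LAN, plus ordinary LAN-to-internet traffic.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3) Masquerade LAN traffic leaving on the external interface.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    # 4) Log what the DROP policies are about to discard; --limit keeps
    #    syslog from being flooded while you tail it.
    ipt -A INPUT ! -i lo -m limit --limit 3/second --limit-burst 5 \
        -j LOG --log-prefix 'DROPPED INPUT: '
    ipt -A FORWARD -m limit --limit 3/second --limit-burst 5 \
        -j LOG --log-prefix 'DROPPED FORWARD: '
}

# Dry-run sanity check: number of emitted rules that mention the RDP port (2).
count_rdp_rules() {
    (DRY_RUN=1; forward_rdp) | grep -c -- '--dport 3389'
}

case "${1:-}" in start) forward_rdp ;; esac
```

Run it as `DRY_RUN=0 ./rdp-forward.sh start` to apply; with the default it only prints the rule set so you can read it before touching a remote box.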
 
Old 12-20-2011, 11:50 AM   #14
rashid_47010
LQ Newbie
 
Registered: Nov 2004
Location: Saudi Arabia
Distribution: CentOS/Fedora
Posts: 27

Rep: Reputation: 16
RDP behind the iptables

Below is my network structure:

internet-----------router--------proxy(squid)-----------win-7(rdp)

Squid Proxy:
eth0: 192.168.1.100
eth1: 192.168.3.21
******************
Internal Network:
192.168.3.xxx
******************
The public IP is NATed to the internal network IP.

Now I want to access the RDP of the win-7 machine from outside, but I am unable to access it.

My iptables rules are given below:
iptables -t nat -A PREROUTING -p tcp --dport 3389 -d 192.168.3.100 -j DNAT --to-destination 192.168.3.xx:3389

******************
#iptables -nvL
222K 10M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389
431K 179M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

[root@xxxxxxx ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 2861K packets, 248M bytes)
pkts bytes target prot opt in out source destination
1 48 DNAT tcp -- * * 0.0.0.0/0 192.168.1.100 tcp dpt:3389 to:192.168.3.61:3389

#cat /proc/net/ip_conntrack | grep 3389
tcp 6 76 SYN_SENT src=xxx.xxx.xxx.xx dst=192.168.3.61 sport=3275 dport=3389 packets=3 bytes=144 [UNREPLIED] src=192.168.3.61 dst=212.100.219.15 sport=3389 dport=3275 packets=0 bytes=0 mark=0 secmark=0 use=1
(I think it is not getting a reverse path.)

Kindly help me to resolve this issue.

Regards,
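The conntrack line above is the useful clue: a DNATed flow sitting in SYN_SENT with [UNREPLIED] and zero reply packets means the internal host's answer never came back through the gateway. As an added example (not from any poster), the shell function below picks such entries out of the conntrack table for a given forwarded port; the sample table is constructed with documentation addresses, modelled on that line.

```shell
#!/bin/sh
# Added example: list conntrack entries for a forwarded port that never got
# a reply. Constructed sample (documentation addresses), two entries: one
# unanswered DNAT flow from outside, one healthy LAN-internal RDP session.
SAMPLE_CONNTRACK='tcp      6 76 SYN_SENT src=198.51.100.7 dst=192.168.3.61 sport=3275 dport=3389 packets=3 bytes=144 [UNREPLIED] src=192.168.3.61 dst=203.0.113.15 sport=3389 dport=3275 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.3.40 dst=192.168.3.61 sport=50000 dport=3389 packets=120 bytes=9000 src=192.168.3.61 dst=192.168.3.40 sport=3389 dport=50000 packets=110 bytes=8000 [ASSURED] mark=0 secmark=0 use=1'

# Read conntrack lines on stdin; print one line per UNREPLIED TCP flow to port $1.
# The first src/dst pair is the original direction (already DNATed), the second
# is the reply tuple conntrack is waiting for. That reply has to pass through
# this gateway; if the internal host routes it elsewhere the entry stays UNREPLIED.
unreplied_flows() {
    awk -v port="$1" '
        $1 == "tcp" && /\[UNREPLIED\]/ && $0 ~ ("dport=" port " ") {
            n = 0
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "src") src[++n] = kv[2]
                if (kv[1] == "dst") dst[n] = kv[2]
            }
            printf "%s -> %s:%s unanswered; reply %s -> %s must pass this gateway\n",
                   src[1], dst[1], port, src[2], dst[2]
        }'
}

# Number of unanswered flows to port $1 in the sample table (1 for 3389).
count_unreplied() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | unreplied_flows "$1" | wc -l | tr -d ' '
}

# On a live box: unreplied_flows 3389 < /proc/net/ip_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | unreplied_flows 3389
```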