:smash:
I <JUST> realised my firewall was rediculously insecure.... I'm forwarding connections to a certain port to an internal machine, on a per-host basis... HOWEVER, this port forwarding doesnt seem to match to the host atall!

relavent setup:

$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 41265 -j DNAT --to 192.168.1.37

$IPTABLES -A INPUT -i $EXT_IF -s $ANY -j ext_in

$IPTABLES -A ext_in -p tcp --dport 41265 -m state --state NEW -j custom_rule

$IPTABLES -A custom_rule -s 135.113.9.64 -j ACCEPT
$IPTABLES -A custom_rule -j DROP

can someone tell me what I've done wrong?
clients connect to <<myip>>:41265 and EVERYONE is forwarded to 192.168.1.37 ... ... ...

Thanks in advance for your help

Let's break this down so that you might understand why it's failing.

$IPTABLES -t nat -A PREROUTING

The above part of the command selects the PREROUTING entry from the nat table.

-i $EXT_IF

using the interface defined by $EXT_IF

-p tcp --dport 41265

directed at the TCP port 41265

-j DNAT --to 192.168.1.37

take this connection and DNAT it to the IP specified.

You'll notice, you haven't done any -s or -d flags(source and destination), so my question to you is, how did you expect it to NOT forward everyone to that port? Try something like:

$IPTABLES -t nat -A PREROUTING -p tcp --dport 41265 -s $ALLOWED_IP -i $EXT_IF -j DNAT --to $DESTINATION_IP:41265

and substitute as many entries as you think you'll need for $ALLOWED_IP

it was my understanding that the packets first went through the INPUT chain from the external interface...
I restrict by IP there...

but if it doesnt go through that chain I guess I'll have to add all the ip's in there.....

Nope, the order is loosely:

Prerouting->Input->Forward->Output->PostRouting

Prerouting and Postrouting are ALWAYS used, the others are obviously optional depending on the connection.

J