Help in iptables rules
I have the following setup at a site and need some help with the iptables rules to allow RDP to be port forwarded.

The setup:
Internal LAN is a Windows 2000 server (serverA).
Linux server (serverB) with 2 NICs (1 internal and 1 to the router, a Netcomm NB1300).
Internal LAN 192.168.15.x (server = .5)
Network between Linux and router 192.168.20.x (linux = .200; router = .254)
External IP = 203.214.139.170 (example)

ServerA --- ServerB ------ Router ---- Internet

Output rule
    $IPT -A OUTPUT -o $EXT_IFACE -p tcp --dport 3389 -j ACCEPT   # rdp

Forward rule
    $IPT -A FORWARD -i $EXT_IFACE -o $INT_IFACE -p tcp --dport 3389 -d $WIN_SRV -j ACCEPT

# I was told I needed the following; do I need to get rid of the one rule above?
    $IPT -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p tcp --sport 3389 -d $WIN_SRV -j ACCEPT

Results when trying to access the server remotely using Windows Remote Desktop Connection
# using tethereal on the Linux server (serverB)
Capturing on eth0
0.000000 202.89.176.40 -> 192.168.0.5 TCP 1195 > 3389 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1432
0.000161 192.168.0.5 -> 202.89.176.40 TCP 3389 > 1195 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
0.483105 202.89.176.40 -> 192.168.0.5 TCP 1195 > 3389 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1432
0.483242 192.168.0.5 -> 202.89.176.40 TCP 3389 > 1195 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
0.987058 202.89.176.40 -> 192.168.0.5 TCP 1195 > 3389 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1432
0.987207 192.168.0.5 -> 202.89.176.40 TCP 3389 > 1195 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0

Thanks for any info that can help
One thing is not clear: is your Linux server acting as a firewall for the LAN, or is it part of the LAN? Another thing I noticed from your config is that you have mentioned only one real IP, the one on the router, so from the Internet you cannot access your LAN until you enable NAT on the router.
Quote:
The RST,ACK packet back from the Windows box looks like the problem is on the Windows machine. Check for firewalls. Can any other machine on the network between server A and B connect to A on RDP? Make sure the RDP service is on, available, and not firewalled on the Windows machine, and make sure the Windows machine is set to use the Linux machine as its default route (aka gateway).
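The diagnosis above rests on reading the trace: a SYN to port 3389 answered by RST,ACK from the target means the packet reached the host and something on it refused the connection (nothing listening, or a host firewall that rejects rather than drops); a silent drop would show the SYN being retransmitted with no reply at all. The script below is an added example, not from the thread, that triages a tethereal/tshark one-line-per-packet summary and pairs each SYN to a port with the answer it got. The sample capture is constructed from the poster's own trace plus one invented LAN client (192.168.0.7) that is accepted, to show both outcomes side by side.

```shell
#!/bin/sh
# Added example (not from the thread): pair TCP SYNs to a port with the reply
# they received in a tethereal/tshark summary capture.
# Expected line format (as in the poster's trace):
#   <time> <src> -> <dst> TCP <sport> > <dport> [FLAGS] ...

# Constructed sample: the poster's first two SYN/RST pairs, plus one invented
# LAN client (192.168.0.7) whose SYN is answered with SYN,ACK.
SAMPLE_CAPTURE='0.000000 202.89.176.40 -> 192.168.0.5 TCP 1195 > 3389 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1432
0.000161 192.168.0.5 -> 202.89.176.40 TCP 3389 > 1195 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
0.483105 202.89.176.40 -> 192.168.0.5 TCP 1195 > 3389 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1432
0.483242 192.168.0.5 -> 202.89.176.40 TCP 3389 > 1195 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
1.200000 192.168.0.7 -> 192.168.0.5 TCP 2001 > 3389 [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
1.200100 192.168.0.5 -> 192.168.0.7 TCP 3389 > 2001 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460'

# rst_for_port PORT   (capture on stdin)
# Prints one line per connection attempt to PORT:
#   REFUSED  <client> <cport> -> <server>   SYN answered by RST
#   ACCEPTED <client> <cport> -> <server>   SYN answered by SYN,ACK
#   OTHER    ...                             any other reply to the SYN
# and a final "summary:" line. Unanswered SYNs (a silent drop) print nothing,
# which is itself the tell-tale for a DROP rule or a routing problem.
rst_for_port() {
    awk -v port="$1" '
        # Fields: $2 src, $4 dst, $6 sport, $8 dport; flags sit between [ and ].
        $5 == "TCP" {
            s = index($0, "["); e = index($0, "]")
            flags = substr($0, s + 1, e - s - 1)
            if ($8 == port && flags == "SYN") {
                # Remember the client->server attempt keyed by client:cport:server.
                pending[$2 ":" $6 ":" $4] = 1
            } else if ($6 == port) {
                # A reply from the server port; look up the matching attempt.
                key = $4 ":" $8 ":" $2
                if (key in pending) {
                    if (flags ~ /RST/)            { verdict = "REFUSED";  refused++ }
                    else if (flags ~ /SYN, ACK/)  { verdict = "ACCEPTED"; accepted++ }
                    else                          { verdict = "OTHER" }
                    print verdict, $4, $8, "->", $2
                    delete pending[key]
                }
            }
        }
        END { print "summary:", refused + 0, "refused,", accepted + 0, "accepted" }'
}

# Run against the constructed sample; feed a real capture with
#   tshark -i eth0 -n 'tcp port 3389' | rst_for_port 3389
printf '%s\n' "$SAMPLE_CAPTURE" | rst_for_port 3389
```

A REFUSED line for the Internet client next to an ACCEPTED line for a LAN client would confirm the reply's suspicion that the Windows side (service or host firewall) is the problem rather than the forwarding rules; a REFUSED line for LAN clients too means the RDP listener itself is off.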
Ok, now you can simply accomplish it by using the nat chain with POSTROUTING and PREROUTING, respectively SNAT and DNAT.
Put these lines in your firewall script:
    # source-NAT the RDP server's outbound traffic to the ISP-facing address
    /sbin/iptables -t nat -A POSTROUTING -s IPofrdpserver -j SNAT --to IPofispint
    # destination-NAT incoming RDP (tcp/3389) on the ISP-facing interface to the RDP server
    /sbin/iptables -t nat -A PREROUTING -i ispint -p tcp --dport 3389 -j DNAT --to rdpserver
First of all, I think you don't need NAT on your box if it is already done on an external router for Internet traffic (for local traffic you don't need NAT at all), and it depends on whether it is a static NAT or it uses a NAT pool, so that the ports are all changed during network address translation. With static NAT it is possible for you to see the RDP server from the Internet; otherwise forget it, because the requests that come in on tcp 3389 change during NAT translation and do not reach your server on that port.
If you are using a static (one IP to one IP) NAT, then 1) you need to open tcp port 3389 for incoming traffic on your connection to the ISP, and the same on the outgoing connection to the internal LAN, tcp port 3389 <----- just for requests from the clients to the server; 2) you need to open ports larger than 1024 for incoming traffic from the internal LAN connection, and the same on outgoing traffic on your ISP connection, ports larger than 1024 <----- to make it possible for the server to respond to the client request. P.S. Ports larger than 1024 are not reserved for any application, so they will be used by your server to respond.
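Pulling the thread's advice together: the poster's rules accept 3389 in FORWARD but never rewrite the destination, so nothing ever reaches 192.168.15.5 through this box; the suggested "reverse" rule matches `-d $WIN_SRV` on packets that are leaving the server (it would need `-s`); and "open ports larger than 1024" is what connection tracking does precisely, without opening a whole port range. The script below is an added example, not code from the thread, of a stateful port forward for one service. Interface names (eth1 outer, eth0 inner), the admin client address 202.89.176.40 (taken from the capture) and the choice to restrict RDP to that one source are assumptions; the addresses follow the poster's diagram, so EXT_IP is the Linux box's outer address 192.168.20.200, which the router must itself forward tcp/3389 to, since only the router holds the public IP.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful iptables port forward
# for RDP (tcp/3389) to a single internal host. Set IPT=echo to print the rules
# instead of applying them; applying them needs root and ip_forward=1
# (sysctl -w net.ipv4.ip_forward=1). Rules are appended, so they must land
# before any final DROP in your FORWARD chain.

# rdp_forward_rules EXT_IFACE INT_IFACE EXT_IP WIN_SRV ADMIN_SRC
#   EXT_IFACE  outer NIC (towards the router)            assumed eth1
#   INT_IFACE  inner NIC (towards the LAN)               assumed eth0
#   EXT_IP     address on the outer NIC                  192.168.20.200 in the diagram
#   WIN_SRV    the Windows 2000 RDP server               192.168.15.5 in the diagram
#   ADMIN_SRC  the only client allowed to reach RDP      assumption for the example
rdp_forward_rules() {
    ext="$1"; int="$2"; ext_ip="$3"; win="$4"; admin="$5"
    IPT="${IPT:-/sbin/iptables}"

    # 1. Rewrite the destination before routing so the packet can be routed
    #    into the LAN. Only ADMIN_SRC gets this far; everyone else hits the
    #    firewall's own (closed) 3389 and never reaches the Windows box.
    $IPT -t nat -A PREROUTING -i "$ext" -d "$ext_ip" -s "$admin" -p tcp --dport 3389 \
        -j DNAT --to-destination "$win:3389"

    # 2. FORWARD sees the packet after DNAT, so -d WIN_SRV matches here.
    #    Only the first packet of a connection needs this rule.
    $IPT -A FORWARD -i "$ext" -o "$int" -d "$win" -p tcp --dport 3389 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 3. Server replies and all later packets, in both directions, are matched
    #    by connection tracking. This replaces both the --sport 3389 rule and
    #    any "allow ports > 1024" rule.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. Only if WIN_SRV does not use this box as its default gateway: hide the
    #    client behind the firewall so replies come back through it. This loses
    #    the real client IP in the Windows logs; fixing the gateway is better.
    # $IPT -t nat -A POSTROUTING -o "$int" -d "$win" -p tcp --dport 3389 -j MASQUERADE
}

# Dry run with the thread's addresses; drop IPT=echo to apply for real.
IPT=echo rdp_forward_rules eth1 eth0 192.168.20.200 192.168.15.5 202.89.176.40
```

After applying, `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n` show per-rule packet counters; a DNAT counter that increments while the FORWARD NEW counter stays at zero points at the FORWARD chain (policy or an earlier DROP), and both incrementing with RST,ACK in the capture points back at the Windows host, as the earlier reply said.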