LinuxQuestions.org


ediestajr 02-07-2005 09:27 PM

IPCHAINS port forwarding and IPTABLES port forwarding
 
Sir/Ma'am,
Can you help me? I'm new in security admin. Like this:
How do I set up port forwarding in ipchains and iptables?


source host : 192.168.1.59

server : eth0 => 192.168.1.10
eth1 => 192.168.2.1

Destination : 192.168.2.2

Thank you very much.

Jerre Cope 02-08-2005 01:04 AM

Take the easy way out. Either of these programs will help you build the ipchains rules to make a good firewall:

webmin or


shorewall

Shorewall is very well documented and easy to implement.

DavidPhillips 02-08-2005 01:08 AM

iptables -t nat -A PREROUTING -p ${PROTOCOL} -i ${INTERFACE} -d ${LOCAL_IP_ADDR} --dport ${LOCAL_PORT} -j DNAT --to ${DESTINATION_IP_ADDR}:${DESTINATION_PORT}

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.10 --dport 80 -j DNAT --to 192.168.2.2:80


ipchains does not support forwarding ports; use ipmasqadm and portfw:

ipmasqadm portfw -a -P ${PROTOCOL} -L ${LOCAL_IP_ADDR} ${PORT} -R ${DESTINATION_IP_ADDR} ${PORT}

ipmasqadm portfw -a -P tcp -L 192.168.1.10 80 -R 192.168.2.2 80

ediestajr 02-10-2005 07:14 PM

/usr/sbin/ipmasqadm portfw -a -P tcp -L 192.168.1.10 22 -R 192.168.2.2 8888
portfw: setsockopt failed: Invalid argument


8888 = ssh port of 192.168.2.2

DavidPhillips 02-10-2005 07:32 PM

Do you have netfilter? What kernel is this?

mcd 02-10-2005 07:35 PM

Quote:

iptables -t nat -A PREROUTING -p ${PROTOCOL} -i ${INTERFACE} -d ${LOCAL_IP_ADDR} --dport ${LOCAL_PORT} -j DNAT --to ${DESTINATION_IP_ADDR}:${DESTINATION_PORT}

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.10 --dport 80 -j DNAT --to 192.168.2.2:80

This means that if 192.168.1.10 receives a TCP packet on port 80, it will forward it to 192.168.2.2 port 80, correct?

ediestajr 02-10-2005 07:40 PM

Sir,
What is netfilter?
What other config do I have to modify?



Kernel :
Linux msme3 2.4.9-e.59smp #1 SMP Mon Jan 24 10:03:54 EST 2005 i686 unknown



Thank you, thank you, thank you very much for helping me out, sir.

I'm from the Philippines, sir. By the way, I'm Edgardo.

DavidPhillips 02-10-2005 11:25 PM

Quote:

this means that if 192.168.1.10 receives a tcp packet on port 80, it will forward it to 192.168.2.2 port 80, correct?
Yes, if the traffic comes in on eth0. That will forward traffic to the address given. You can also change ports, or just forward the port to another port on the same IP address.
So it depends on what you want to do.


Quote:

What is netfilter?
What other config do I have to modify?

Forget about ipchains and use iptables.

What exactly do you want to do? Redirect traffic to a certain port on one IP to another, or forward a port to another port? Or both?

DavidPhillips 02-10-2005 11:51 PM

Netfilter is iptables, the Linux firewall.

Here are some examples of netfilter port forwarding and some other parts of a firewall script. Please try to understand this before using it blindly. There are many documents on iptables.




#!/bin/sh
LAN1_IP_RANGE="192.168.0.0/24"
LAN1_IP="192.168.0.1/32"
LAN1_BCAST_ADRESS="192.168.0.255/32"

WLAN_IP_RANGE="192.168.1.0/24"
WLAN_IP="192.168.1.1/32"
WLAN_BCAST_ADRESS="192.168.1.255/32"
WLAN2_IP="10.1.0.0/24"
LOCALHOST_IP="127.0.0.1/32"

INET_IFACE="eth1"

LAN1_IFACE="eth0"
WLAN_IFACE="eth2"
DIALUP_IFACE="ppp+"

IPTABLES="/sbin/iptables"

INET_IFACE_IP="www.dcphillips.net"
DIALUP_IP="192.168.0.201"
GAME_HOST_IP="192.168.0.2" #firedragon

/sbin/depmod -a

/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Policy
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Tables
$IPTABLES -N tcp_packets
$IPTABLES -N icmp_packets
$IPTABLES -N udpincoming_packets
$IPTABLES -N nat
$IPTABLES -N wlan_packets

# IP Masquerade
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE


# Forward
$IPTABLES -A FORWARD -i $LAN1_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $WLAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DIALUP_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i lo -j ACCEPT


# Squid transparent proxy
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i ppp0 -p tcp --dport 80 -j REDIRECT --to-port 3128


# Input
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ALL -i $LAN1_IFACE -d $LAN1_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $WLAN_IFACE -j wlan_packets
$IPTABLES -A INPUT -p ALL -i $DIALUP_IFACE -d $LAN1_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $DIALUP_IFACE -d $WLAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i lo -j ACCEPT


# Output
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN1_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WLAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WLAN2_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $DIALUP_IP -j ACCEPT


# Servers
# ssh
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j ACCEPT
# smtp
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j ACCEPT
# www
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j ACCEPT
# https
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j ACCEPT
# mail
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 465 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 993 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 995 -j ACCEPT


# wlan vpn
$IPTABLES -A wlan_packets -p UDP -s 0/0 --dport 5000 -j ACCEPT
$IPTABLES -A wlan_packets -p ALL -j DROP

# icmp
$IPTABLES -A icmp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -j DROP


# Half-Life
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5273 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 7002 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27015 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27010 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27012 -j ACCEPT

# Nascar Heat
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2001:2025 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 0/0 -p udp --destination-port 2001:2025 -i $INET_IFACE -j DNAT --to $GAME_HOST_IP


# Nascar 4
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 32766:32809 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 0/0 -p udp --destination-port 32766:32809 -i $INET_IFACE -j DNAT --to $GAME_HOST_IP


# MS Gaming Zone

# DirectX 7
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 2300:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 2300:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 2300:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 2300:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 47624 -j DNAT --to $GAME_HOST_IP:47624
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 47624 -j ACCEPT

# DirectX 8
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 2302:2400 -j DNAT --to $GAME_HOST_IP:2300-2400
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 2302:2400 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 6073 -j DNAT --to $GAME_HOST_IP:47624
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 6073 -j ACCEPT


$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 6667 -j DNAT --to $GAME_HOST_IP:6667
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 6667 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IFACE_IP --dport 28800:29000 -j DNAT --to $GAME_HOST_IP:28800-29000
$IPTABLES -A FORWARD -p tcp -d $GAME_HOST_IP --dport 28800:29000 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IFACE_IP --dport 28800:29000 -j DNAT --to $GAME_HOST_IP:28800-29000
$IPTABLES -A FORWARD -p udp -d $GAME_HOST_IP --dport 28800:29000 -j ACCEPT


# CLOSE INCOMING TCP
$IPTABLES -A tcp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 -j DROP

# CLOSE INCOMING UDP
$IPTABLES -A udpincoming_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -j DROP

# CLOSE FORWARD
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
$IPTABLES -A FORWARD -j DROP

# LOG OTHER INPUT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

ediestajr 02-11-2005 12:40 AM

Sir,
I want port forwarding.

If 192.168.1.10 receives a packet on port 22, it will be forwarded to 192.168.2.2 port 22.

How do I do that?

Thank you.

DavidPhillips 02-11-2005 05:32 AM

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.10 --dport 22 -j DNAT --to 192.168.2.2:22

ediestajr 02-11-2005 05:48 AM

It works, sir.
Sir, can you explain to me one by one the following:

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.2 --dport 22 -j DNAT --to 192.168.2.2:22

Sir, can I limit this by source address? For example, I'd like to NAT only from 192.168.1.1.

Sir, sorry if I'm so very demanding; I'd like to learn iptables. Sir, do you have sites for iptables tutorials, basic first?

Sir,
Thank you 100 times. Thank you, thank you.

I hope you'll teach me a lot.

Sir,
How can I pay back your kindness?

ediestajr 02-11-2005 07:10 AM

How do I set this up as permanent, sir?

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.2 --dport 22 -j DNAT --to 192.168.2.2:221

Ex. How do I insert this in /etc/sysconfig/iptables configuration?


Thank you.

DavidPhillips 02-11-2005 09:54 AM

Once you issue the command and any others you want, you can save the current iptables setup like this.

Two ways with RedHat systems:


iptables-save > /etc/sysconfig/iptables

or this:

service iptables save

DavidPhillips 02-11-2005 10:01 AM

If you don't have RedHat, let us know what you have.

DavidPhillips 02-11-2005 10:02 AM

To specify a certain source IP, use this:


iptables -t nat -A PREROUTING -p tcp -s 192.168.1.1/32 -d 192.168.1.2 --dport 22 -j DNAT --to 192.168.2.2:22

ediestajr 02-11-2005 06:39 PM

Sir,
Can you teach me how to work with DSL using iptables?

Can you give me an example, sir?

DavidPhillips 02-11-2005 09:49 PM

There is nothing special about iptables and DSL; you just use your IP address, the ethernet interface that the DSL tunnels through, or a combination of both. Think of it as an ethernet connection; there is no difference as far as the firewall is concerned.

If you're talking about a connection problem to your server from outside, then some ports may be blocked by your ISP. If that's your problem, then you can use alternative ports for anything except port 25 and 80. If you're running a webserver or SMTP server, then these ports must be open through the ISP, or you need to have another system to use that the ports are open on.

Give a specific problem related to DSL if you have one.

ediestajr 02-11-2005 10:33 PM

Okay, sir.
Sir, uhmmm, like this:


I have two ISPs.

server1 = 2 NICs
1st NIC = 1st ISP, IP address
2nd NIC = local IP 192.168.2.1

server2 = 2 NICs
1st NIC = 2nd ISP, IP address
2nd NIC = local IP 192.168.2.2

How do I share the internet connection of these servers ('1 and 2') with the servers under them ('server3, server4, server5 ...')?


And sir, what is the best DSL client software?


Thank you in advance... :-)



DavidPhillips 02-11-2005 11:59 PM

The dsl connection is supported by the kernel. The connection is done with pppoe which is not much different than ppp except that it tunnels through an ethernet type of connection. ppp is point to point protocol and pppoe is point to point protocol over ethernet. Basically the login is done using the point to point protocol just like dialup. The RedHat rpm is called rp-pppoe..

http://rpmfind.net/linux/rpm2html/se...&system=&arch=

If these are servers then I would say the easiest thing to do is to route server3.com via dns to server1.com and server4.com to server2.com like that.

This way the redirects are done by one machine to the correct port on the other machine. Or you can have both server1.com and server2.com registered for server3.com and server4.com and then it would be the client connecting that will decide. You would need to register an A record for both server1 and server2 at myservers.com.

example..


dig yahoo.com

; <<>> DiG 9.2.2 <<>> yahoo.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7864
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 0

;; QUESTION SECTION:
;yahoo.com. IN A

;; ANSWER SECTION:
yahoo.com. 234 IN A 66.94.234.13
yahoo.com. 234 IN A 216.109.112.135

;; AUTHORITY SECTION:
yahoo.com. 172791 IN NS ns5.yahoo.com.
yahoo.com. 172791 IN NS ns1.yahoo.com.
yahoo.com. 172791 IN NS ns2.yahoo.com.
yahoo.com. 172791 IN NS ns3.yahoo.com.
yahoo.com. 172791 IN NS ns4.yahoo.com.




Note two A records for yahoo.com. This means each ip will go to yahoo.com which in your case could be server1 and server2.

Note the NS records. It's actually left up to the connecting client to decide which one to use here for nameservice for yahoo.com.

The one that is connected to will decide or actually be configured to return an ip address for one or the other servers.



You can't really control dns and make it decide when to use a certain one unless you register your domains with your own dns server. If you setup your own dns server then you could have some control over the routing of dns, possibly making changes dynamically.


example..

dig @ns4.yahoo.com yahoo.com

; <<>> DiG 9.2.2 <<>> @ns4.yahoo.com yahoo.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4781
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;yahoo.com. IN A

;; ANSWER SECTION:
yahoo.com. 300 IN A 66.94.234.13
yahoo.com. 300 IN A 216.109.112.135

;; AUTHORITY SECTION:
yahoo.com. 172800 IN NS ns1.yahoo.com.
yahoo.com. 172800 IN NS ns2.yahoo.com.
yahoo.com. 172800 IN NS ns3.yahoo.com.
yahoo.com. 172800 IN NS ns4.yahoo.com.
yahoo.com. 172800 IN NS ns5.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com. 172800 IN A 66.218.71.63
ns2.yahoo.com. 172800 IN A 66.163.169.170
ns3.yahoo.com. 172800 IN A 217.12.4.104
ns4.yahoo.com. 172800 IN A 63.250.206.138
ns5.yahoo.com. 172800 IN A 216.109.116.17

;; Query time: 634 msec
;; SERVER: 63.250.206.138#53(ns4.yahoo.com)
;; WHEN: Fri Feb 11 23:36:41 2005
;; MSG SIZE rcvd: 229


Here I asked ns4.yahoo.com who yahoo.com is and got both IP addresses. If they wanted to, they could have ns4.yahoo.com set up to only give one of the IP addresses.


Using iptables you could configure incoming traffic from certain IP address ranges to go to one system or the other, and also configure certain ethernet interfaces to go to one system or the other.

You could also use one machine for both ISPs and have the same thing instead of using two machines. I guess you're trying to balance the load, but keep in mind the bandwidth and whether it really takes two router boxes to handle it, which is what I would call the redirecting boxes. Even if they are servers, they are acting as routers for the other servers.

ediestajr 02-12-2005 12:08 AM

Sir,
Can I give you my diagram ('my network setup')? Sir, thank you for helping me always. Sir, do you have Yahoo Messenger? Can we chat?

DavidPhillips 02-12-2005 12:16 AM

I am shutting down for the night here as I will be up at 4:30 for work.

I'm not sure what else you're trying to do. Try to explain, from what I have posted here, what you would like to do, and I or someone else will try to give more specific details to help.

There are many ways to do something, but you would need to define the goal you're trying to reach. All of what I have posted is simple stuff, but if needed there would be many more possible solutions. There is no limit to what can be done with routing. There is really just an unlimited amount of possibilities when it comes to routing and Linux.

ediestajr 02-12-2005 12:41 AM

Okay sir, thank you.

ediestajr 02-12-2005 06:43 AM

Sir,
I can't forward my port 80 to 192.168.1.57:80.



here's my setup



server: 2 NICs.
eth0 IP : 192.168.1.10
eth1 IP : 192.168.2.1

NETWORKING=yes
HOSTNAME=msme3
GATEWAY=192.168.1.1
GATEWAYDEV=eth0


/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.1.255
IPADDR=192.168.1.10
NETMASK=255.255.255.0
NETWORK=192.168.1.0
GATEWAY=192.168.1.1
FORWARD_IPV4=true
ONBOOT=yes

/etc/sysconfig/network-scripts/ifcfg-eth1
BOOTPROTO=static
DEVICE=eth1
NETWORK=192.168.2.0
IPADDR=192.168.2.1
NETMASK=255.255.255.0
BROADCAST=192.168.2.255
GATEWAY=192.168.2.1
FORWARD_IPV4=true
ONBOOT=yes




client 2:
running apache port 80
eth0 ip : 192.168.2.2
NETWORKING=yes
HOSTNAME=smet
GATEWAY=192.168.2.1
GATEWAYDEV=eth0

/etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static
DEVICE=eth0
ONBOOT=yes
NETWORK=192.168.2.0
IPADDR=192.168.2.2
NETMASK=255.255.255.0
BROADCAST=192.168.2.255
GATEWAY=192.168.1.10



client3:
running apache : port 80
eth0 ip : 192.168.1.57

/etc/sysconfig/network-
NETWORKING=yes
HOSTNAME=melanio
GATEWAY=192.168.1.10
GATEWAYDEV=eth0

/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
NETWORK=192.168.1.0
IPADDR=192.168.1.57
NETMASK=255.255.255.0
BROADCAST=192.168.1.255
GATEWAY=192.168.1.10




# my syntax
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.10 --dport 80 -j DNAT --to 192.168.1.57:80

I can't forward it, sir, to 192.168.1.57:80.

What are the possible causes of the problem?

But when I used this:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.10 --dport 80 -j DNAT --to 192.168.2.2:80
it works.

Sir,
Please help me.

DavidPhillips 02-12-2005 07:37 AM

Make sure there is only one redirect to port 80.

Check the server at 192.168.1.57 by using that address on the server or on the local network and see if it works, use 127.0.0.1 on that server to see if it works.

Check the firewall on both systems to be sure it's not blocked.

Keep in mind that the one that works is routed through eth1; the one that does not is routed through eth0, if they are different networks. Netmask 255.255.255.0 separates eth0 and eth1 into two separate networks.

Look at route -n and you'll see that 192.168.1.0 is a route and 192.168.2.0 is a route.


Check the path of the cable on eth0, somewhere along that network it could be blocked. The firewall settings for eth0 and eth1 may be different.

amitsharma_26 09-06-2006 10:03 AM

Go through this; it's easy:
http://www.amitsharma.linuxbloggers....forwarding.htm

amitsharma.linuxbloggers.com/iptables_port_forwarding.htm

simon1663 01-14-2007 07:35 PM

iptables port forwarding not working..
 
Hi ,


I have the following iptables config. The Linux server is used for gateway, squid, VPN, etc. We want it to port forward 3389 to the Windows server for terminal services. However, the port forwarding does not seem to work at all!

Here is the rule:
[0:0] -A PREROUTING -d 10.1.253.254 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.90.100:3389

Can anyone advise what may be going wrong?

Many thanks in advance


Quote:

# Generated by iptables-save v1.2.5 on Mon Jan 15 12:08:27 2007
*mangle
:PREROUTING ACCEPT [560501:405358384]
:INPUT ACCEPT [244307:183762299]
:FORWARD ACCEPT [315225:221446143]
:OUTPUT ACCEPT [271295:189882405]
:POSTROUTING ACCEPT [586615:411344438]
[0:0] -A OUTPUT -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
[0:0] -A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
[0:0] -A OUTPUT -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10
[0:0] -A OUTPUT -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10
[107699:15808437] -A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos 0x10
[0:0] -A OUTPUT -p tcp -m tcp --dport 110 -j TOS --set-tos 0x10
[0:0] -A OUTPUT -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
COMMIT
# Completed on Mon Jan 15 12:08:27 2007
# Generated by iptables-save v1.2.5 on Mon Jan 15 12:08:27 2007
*nat
:PREROUTING ACCEPT [12904:1265284]
:POSTROUTING ACCEPT [153:17097]
:OUTPUT ACCEPT [6783:436881]
:TransProxy - [0:0]
[3890:199220] -A PREROUTING -p tcp -m tcp --dport 80 -j TransProxy
[0:0] -A PREROUTING -d 10.1.253.254 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.90.100:3389
[0:0] -A PREROUTING -d 10.1.253.254 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.90.100:3389
[14989:909634] -A POSTROUTING -o eth1 -j MASQUERADE
[0:0] -A TransProxy -d 127.0.0.1 -j ACCEPT
[12:544] -A TransProxy -d 192.168.90.1 -j ACCEPT
[0:0] -A TransProxy -d 10.1.253.254 -j ACCEPT
[3878:198676] -A TransProxy -p tcp -j DNAT --to-destination 192.168.90.1:3128
COMMIT
# Completed on Mon Jan 15 12:08:27 2007
# Generated by iptables-save v1.2.5 on Mon Jan 15 12:08:27 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ForwardAllowLocals - [0:0]
:ForwardAllowLocals_601 - [0:0]
:InboundTCP - [0:0]
:InboundTCP_601 - [0:0]
:InputAllowLocals - [0:0]
:InputAllowLocals_601 - [0:0]
:denylog - [0:0]
:gre-in - [0:0]
:icmpIn - [0:0]
:icmpOut - [0:0]
:tcp_in_110 - [0:0]
:tcp_in_113 - [0:0]
:tcp_in_143 - [0:0]
:tcp_in_1723 - [0:0]
:tcp_in_21 - [0:0]
:tcp_in_22 - [0:0]
:tcp_in_23 - [0:0]
:tcp_in_25 - [0:0]
:tcp_in_389 - [0:0]
:tcp_in_443 - [0:0]
:tcp_in_5666 - [0:0]
:tcp_in_80 - [0:0]
[90:7044] -A INPUT -p icmp -j icmpIn
[4001:549925] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -s 224.0.0.0/240.0.0.0 -j DROP
[86:2408] -A INPUT -d 224.0.0.0/240.0.0.0 -j DROP
[230378:181983254] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[9750:1219564] -A INPUT -j InputAllowLocals
[3:192] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j InboundTCP
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j denylog
[0:0] -A INPUT -p 47 -j gre-in
[0:0] -A INPUT -p 47 -j denylog
[100:32716] -A INPUT -j denylog
[315225:221446143] -A FORWARD -j ForwardAllowLocals
[0:0] -A FORWARD -j denylog
[64:7349] -A OUTPUT -p icmp -j icmpOut
[4001:549925] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -s 224.0.0.0/240.0.0.0 -j DROP
[0:0] -A OUTPUT -d 224.0.0.0/240.0.0.0 -j DROP
[267229:189325015] -A OUTPUT -j ACCEPT
[315225:221446143] -A ForwardAllowLocals -j ForwardAllowLocals_601
[152960:82680809] -A ForwardAllowLocals_601 -s 192.168.90.0/255.255.255.0 -j ACCEPT
[162265:138765334] -A ForwardAllowLocals_601 -d 192.168.90.0/255.255.255.0 -j ACCEPT
[3:192] -A InboundTCP -j InboundTCP_601
[0:0] -A InboundTCP -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j denylog
[0:0] -A InboundTCP_601 -d ! 10.1.253.254 -j denylog
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 113 -j tcp_in_113
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 113 -j denylog
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 21 -j tcp_in_21
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 21 -j denylog
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 80 -j tcp_in_80
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 80 -j denylog
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 443 -j tcp_in_443
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 443 -j denylog
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 143 -j tcp_in_143
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 143 -j denylog
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 389 -j tcp_in_389
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 389 -j denylog
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 5666 -j tcp_in_5666
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 5666 -j denylog
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 110 -j tcp_in_110
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 110 -j denylog
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 1723 -j tcp_in_1723
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 1723 -j denylog
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 25 -j tcp_in_25
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 25 -j denylog
[3:192] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 22 -j tcp_in_22
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 22 -j denylog
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 23 -j tcp_in_23
[0:0] -A InboundTCP_601 -i eth1 -p tcp -m tcp --dport 23 -j denylog
[9750:1219564] -A InputAllowLocals -j InputAllowLocals_601
[9647:1186656] -A InputAllowLocals_601 -s 192.168.90.0/255.255.255.0 -j ACCEPT
[100:32716] -A denylog -j DROP
[0:0] -A denylog -j DROP
[0:0] -A denylog -j DROP
[0:0] -A denylog -j DROP
[0:0] -A denylog -j DROP
[0:0] -A gre-in -d ! 10.1.253.254 -j denylog
[0:0] -A gre-in -j ACCEPT
[5:246] -A icmpIn -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A icmpIn -p icmp -m icmp --icmp-type 0 -j ACCEPT
[85:6798] -A icmpIn -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A icmpIn -p icmp -m icmp --icmp-type 4 -j ACCEPT
[0:0] -A icmpIn -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A icmpIn -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A icmpIn -j denylog
[0:0] -A icmpOut -p icmp -m icmp --icmp-type 8 -j ACCEPT
[5:246] -A icmpOut -p icmp -m icmp --icmp-type 0 -j ACCEPT
[59:7103] -A icmpOut -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A icmpOut -p icmp -m icmp --icmp-type 4 -j ACCEPT
[0:0] -A icmpOut -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A icmpOut -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A icmpOut -j denylog
[0:0] -A tcp_in_110 -j denylog
[0:0] -A tcp_in_110 -j denylog
[0:0] -A tcp_in_113 -j ACCEPT
[0:0] -A tcp_in_113 -j denylog
[0:0] -A tcp_in_143 -j denylog
[0:0] -A tcp_in_143 -j denylog
[0:0] -A tcp_in_1723 -j ACCEPT
[0:0] -A tcp_in_1723 -j denylog
[0:0] -A tcp_in_21 -j denylog
[0:0] -A tcp_in_21 -j denylog
[3:192] -A tcp_in_22 -j ACCEPT
[0:0] -A tcp_in_22 -j denylog
[0:0] -A tcp_in_23 -j ACCEPT
[0:0] -A tcp_in_23 -j denylog
[0:0] -A tcp_in_25 -j ACCEPT
[0:0] -A tcp_in_25 -j denylog
[0:0] -A tcp_in_389 -j denylog
[0:0] -A tcp_in_389 -j denylog
[0:0] -A tcp_in_443 -j ACCEPT
[0:0] -A tcp_in_443 -j denylog
[0:0] -A tcp_in_5666 -j ACCEPT
[0:0] -A tcp_in_5666 -j denylog
[0:0] -A tcp_in_80 -j ACCEPT
[0:0] -A tcp_in_80 -j denylog
COMMIT
# Completed on Mon Jan 15 12:08:27 2007
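As an added example (not code from any post in this thread), a small Python checker for an iptables-save dump like the one above: it reports rules that were appended twice (the "only one redirect" check from the troubleshooting reply earlier), DNAT rules whose counters show they have never matched a packet, and simulates which PREROUTING DNAT rule a given packet would hit, including the source-restricted rule from the earlier reply. The sample dump is constructed from the config posted above; the counters in it are illustrative.

```python
"""Lint an iptables-save dump for the pitfalls raised in this thread: duplicated
rules, DNAT rules that never matched, and where a given packet would land."""
import re
from collections import Counter

RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")

def parse_iptables_save(dump):
    """Return (table, chain, packets, bytes, spec) for every -A line."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):              # table header, e.g. *nat
            table = line[1:]
            continue
        m = RULE_RE.match(line)               # comments, :CHAIN lines, COMMIT: no match
        if m and table:
            pkts, byts, chain, spec = m.groups()
            rules.append((table, chain, int(pkts), int(byts), spec))
    return rules

def duplicate_rules(rules):
    """Identical (table, chain, spec) entries that were appended more than once."""
    counts = Counter((t, c, s) for t, c, _, _, s in rules)
    return {k: n for k, n in counts.items() if n > 1}

def _opt(spec, flag):
    # Value following a flag in a rule spec, or None if the flag is absent.
    m = re.search(r"(?:^|\s)%s\s+(\S+)" % re.escape(flag), spec)
    return m.group(1) if m else None

def dnat_rules(rules):
    """Match fields, target and hit count of every nat-table DNAT rule."""
    out = []
    for table, chain, pkts, _, spec in rules:
        if table == "nat" and "-j DNAT" in spec:
            out.append({"chain": chain, "packets": pkts,
                        "in_iface": _opt(spec, "-i"), "proto": _opt(spec, "-p"),
                        "src": _opt(spec, "-s"), "dst": _opt(spec, "-d"),
                        "dport": _opt(spec, "--dport"),
                        "to": _opt(spec, "--to-destination") or _opt(spec, "--to")})
    return out

def apply_dnat(rules, iface, src, dst, proto, dport):
    """First-match walk of nat/PREROUTING: the 'ip:port' a packet (iface, src,
    dst:dport) is rewritten to, or None. Jumps into user chains are not followed;
    -s/-d are compared as single hosts (/32 ignored, wider CIDRs not evaluated)."""
    host = lambda v: None if v is None else v.split("/")[0]
    for r in dnat_rules(rules):
        if r["chain"] != "PREROUTING" or r["in_iface"] not in (None, iface):
            continue
        if r["proto"] not in (None, proto) or r["dport"] not in (None, str(dport)):
            continue
        if host(r["src"]) not in (None, src) or host(r["dst"]) not in (None, dst):
            continue
        return r["to"] if ":" in r["to"] else "%s:%s" % (r["to"], dport)
    return None

def report(dump):
    rules = parse_iptables_save(dump)
    out = ["duplicate x%d in %s/%s: %s" % (n, t, c, s)
           for (t, c, s), n in duplicate_rules(rules).items()]
    out += ["DNAT to %s (%s dport %s on %s) matched 0 packets: nothing reached it"
            % (r["to"], r["proto"], r["dport"], r["in_iface"] or "any")
            for r in dnat_rules(rules) if r["packets"] == 0]
    return out

# Constructed sample modelled on the dump posted above, plus the source-restricted rule.
SAMPLE_DUMP = """\
*nat
[3890:199220] -A PREROUTING -p tcp -m tcp --dport 80 -j TransProxy
[0:0] -A PREROUTING -d 10.1.253.254 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.90.100:3389
[0:0] -A PREROUTING -d 10.1.253.254 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.90.100:3389
[0:0] -A PREROUTING -s 192.168.1.1/32 -d 192.168.1.2 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.2.2:22
[3878:198676] -A TransProxy -p tcp -j DNAT --to-destination 192.168.90.1:3128
COMMIT
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMP)))
```

A [0:0] counter on the 3389 rule means no packet for 10.1.253.254:3389 ever arrived on eth1, so the problem sits upstream of iptables (wrong interface or address, or the ISP filtering the port) rather than in the DNAT rule itself.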


