Linux - Networking: iptables

MrUnix 02-08-2013 04:49 PM

I have the current configuration but can't get iptables working.

Computer A
eth0 -> WAN
eth1 -> LAN -> Computer B & Computer C

Computer A (eth1), Computer B and Computer C are on 192.168.*.* IPs and B & C are running VNC servers on 5900 (Windows).

I want to forward and redirect port 5900 from B & C to ports accessible from the WAN on Computer A.

Any suggestions on the correct iptables syntax? IPv4 port forwarding is enabled.

jnielsen7 02-08-2013 05:20 PM

Will the traffic be directed to/from your WAN machine through a gateway server? If so, before you make an iptables rule, you could test network connectivity and what ports are involved by using an ssh tunnel to port-forward the traffic from the remote port 5900 to your local machine (Computer A) at some arbitrary local port through the gateway server (you will need a login to that server however).

If you can open up a putty or other ssh terminal on the destination machine you can type:

ssh -L LocalPort:RemoteHostIP:RemoteHostPort username@GatewayHost -N
Like: ssh -L 10000: myuser@gateway -N

This will forward traffic from through the gateway to your local machine's port 10000. Perhaps this is not applicable for you though. I often have to deal with jumping through a gateway, hence this is useful for me.

jnielsen7 02-08-2013 05:22 PM

Wait, are you just wanting to know the right syntax or did you need to know what kind of rule to add (what ports to allow traffic on and such)? If the former then my suggestion obviously will not help. Sorry if I misunderstood.

MrUnix 02-08-2013 05:24 PM

I understand I can forward VNC via SSH. I would prefer if Computer A had two ports redirect (eth0) (via iptables) to the VNC servers on the LAN (eth1) from Computers B & C.

jnielsen7 02-08-2013 05:39 PM


Originally Posted by MrUnix (Post 4887329)
I understand I can forward VNC via SSH. I would prefer if Computer A had two ports redirect (eth0) (via iptables) to the VNC servers on the LAN (eth1) from Computers B & C.

Ah, I think I understand now: you need to take the traffic it receives on one ethernet interface and expose it on the other (which is on a different network?). If this was web traffic this would be a piece of cake (use a reverse proxy) but I'm afraid I've never done anything like this for non-web traffic. Hopefully someone who has done that can make a suggestion. Sorry if I wasted your time (the ssh tunnel was my best idea at the time).

P.S. I assume you've looked at the documentation online for the REDIRECT iptables directive? Maybe this is relevant:

MrUnix 02-08-2013 05:48 PM

I basically need an example of how to do this with iptables.

I don't think the separate NICs are a problem because the routing is setup to direct 192.168.*.* traffic to eth1.

All of the commands I tried didn't work so I'm asking if anyone with experience with this can help.

jschiwal 02-08-2013 08:14 PM

Have a look at the example just before section 7.4.1.

You will need two rules, one for port 5900, and another for another port such as 5901. So using 5900 connects to host B and 5901 connects to host C.

I assumed you have 1 Internet address and masquerade LAN addresses in Host A's iptables rules.
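The two-rule setup jschiwal describes, written out as an added example (this is not code from the thread or from any of the posters). It assumes hypothetical addresses for B and C (192.168.1.10 and 192.168.1.11), eth0 as WAN and eth1 as LAN as in the original question, and that the FORWARD chain policy is DROP, which is why each DNAT rule is paired with an explicit FORWARD accept. The script only prints the iptables commands so it can be inspected first; run its output as root to apply it.

```shell
#!/bin/sh
# Added example for the thread above, not the posters' own configuration.
# Assumed (hypothetical) layout:
#   eth0 = WAN, eth1 = LAN, Computer B = 192.168.1.10, Computer C = 192.168.1.11
# Each LAN box runs a VNC server on TCP 5900. On the WAN side of Computer A,
# port 5900 is mapped to B and port 5901 is mapped to C.
WAN_IF=eth0
LAN_IF=eth1
HOST_B=192.168.1.10
HOST_C=192.168.1.11

# base_rules: prerequisites the thread assumes are already in place.
base_rules() {
    # IPv4 forwarding must be on for any packet to cross eth0 -> eth1.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    # Let replies from the LAN back out to the WAN. The DNAT entry in conntrack
    # rewrites the source of these replies automatically; no SNAT is needed
    # for the forwarded VNC sessions themselves.
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$LAN_IF" "$WAN_IF"
    # Masquerade outbound LAN traffic (one public address, per jschiwal's assumption).
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
}

# vnc_forward <wan_port> <lan_host>
# Prints the pair of rules that expose <lan_host>:5900 on <wan_port> of the WAN interface.
vnc_forward() {
    wan_port=$1
    lan_host=$2
    # 1. nat/PREROUTING: rewrite the destination before the routing decision, so the
    #    kernel forwards the packet to the LAN host instead of delivering it locally.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:5900\n' \
        "$WAN_IF" "$wan_port" "$lan_host"
    # 2. filter/FORWARD: the rewritten packet must still pass the FORWARD chain.
    #    Note that it matches the post-DNAT destination (<lan_host>:5900), not the
    #    original WAN port; matching --dport 5901 here is the classic mistake.
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport 5900 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$lan_host"
}

# rule_count: number of iptables commands a forward mapping emits (sanity check).
rule_count() {
    vnc_forward "$1" "$2" | grep -c '^iptables'
}

# Print the full rule set: base rules, then one mapping per LAN host.
base_rules
vnc_forward 5900 "$HOST_B"   # WAN :5900 -> Computer B
vnc_forward 5901 "$HOST_C"   # WAN :5901 -> Computer C
```

Two checks before relying on this: B and C must have Computer A as their default gateway, otherwise their replies never pass back through the conntrack entry that undoes the DNAT; and VNC on TCP 5900 carries neither encryption nor strong authentication, so if this is exposed to the Internet, add a `-s <trusted address>` to both rules of each pair or keep the SSH tunnel approach from earlier in the thread. `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show packet counters per rule, which is the quickest way to see which of the two rules a failing connection is not reaching.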
