LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
12-30-2007, 03:47 PM   #1
mhm (Member; Registered: Oct 2006; Distribution: RHEL, FC)
iptables with dnat


Hello all,

Once I had an IPCop firewall; really, it was great. One of the things I did with it: I could forward port 3389 (remote desktop) to more than one host (DNAT). For example, you can add 2 rules, each of them with source port 3389, but each of them redirecting you to a different host (different destination IP with different destination port). If I want to connect to any one of them from home through remote desktop, it is just ->
(PUBLIC IP:destination port); the port is the destination one.

What I'm wondering is how to do that with iptables. How could I set rules to redirect to two different hosts?

At the most basic:
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.10

How could I add another rule for another host?

Assuming two different IPs (public and private).

Regards
MHM
 
12-30-2007, 08:45 PM   #2
win32sux (Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu)
If you have two different public IPs then just specify which public IP gets forwarded to which private IP. Like:
Code:
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 200.34.74.34 --dport 3389 \
-j DNAT --to-destination 192.168.1.10

iptables -t nat -A PREROUTING -p TCP -i eth0 -d 200.34.74.68 --dport 3389 \
-j DNAT --to-destination 192.168.1.20
If you only have one public IP then you can specify a different port for the external side. Like:
Code:
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 3310 \
-j DNAT --to-destination 192.168.1.10:3389

iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 3320 \
-j DNAT --to-destination 192.168.1.20:3389

iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 3330 \
-j DNAT --to-destination 192.168.1.30:3389
BTW, I'm moving this to Networking as it isn't asked in a security context.

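The two rule styles in the post above (one rule per public IP, or one rule per external port on a single public IP) both reduce to a table of "public IP, external port, internal IP, internal port" rows. The following is an added example, not code from the thread or from win32sux: it generates a ruleset for `iptables-restore` from such a table and also emits the FORWARD-chain rules that DNAT alone does not provide, since a rewritten packet is still dropped if the FORWARD policy is DROP. The interface name `eth0`, the allowed source prefix `203.0.113.0/24`, and the mapping rows are constructed assumptions for illustration; the generator itself covers both scenarios at once.

```shell
#!/bin/sh
# Added example (not from the LinuxQuestions thread): build an iptables-restore
# fragment that forwards RDP to several internal hosts by public IP and/or by
# external port, with matching FORWARD rules.  Names below are assumptions.

# Constructed mapping table: "public_ip external_port internal_ip internal_port".
# Rows 1 and 3 differ by public IP with the same external port (scenario 1);
# rows 1 and 2 share a public IP and differ by external port (scenario 2).
RDP_MAP='200.34.74.34 3389 192.168.1.10 3389
200.34.74.34 3310 192.168.1.20 3389
200.34.74.68 3389 192.168.1.30 3389'

# gen_rdp_forwards WAN_IF ALLOWED_SRC
# Prints a nat + filter ruleset for `iptables-restore --noflush`.
# ALLOWED_SRC is the prefix permitted to reach the forwards; 0.0.0.0/0 opens
# RDP to the whole Internet, where it is brute-forced constantly, so narrow it
# to the networks you actually connect from whenever possible.
gen_rdp_forwards() {
    wan_if=$1
    allowed_src=$2

    printf '%s\n' '*nat'
    printf '%s\n' "$RDP_MAP" | while read -r pub_ip ext_port int_ip int_port; do
        [ -n "$pub_ip" ] || continue
        # External side: match the public address and external port, rewrite
        # to the internal address and port (they need not be equal).
        printf '%s\n' "-A PREROUTING -i $wan_if -d $pub_ip -p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
    done
    printf '%s\n' 'COMMIT'

    printf '%s\n' '*filter'
    # DNAT runs before the routing decision, so the FORWARD chain sees the
    # *internal* address and port.  Match on those, not on the external ones.
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$RDP_MAP" | while read -r pub_ip ext_port int_ip int_port; do
        [ -n "$pub_ip" ] || continue
        printf '%s\n' "-A FORWARD -i $wan_if -s $allowed_src -d $int_ip -p tcp --dport $int_port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# A public_ip:external_port pair listed twice is a silent failure: the first
# PREROUTING match wins and the second host is never reachable from outside.
check_unique_external() {
    dups=$(printf '%s\n' "$RDP_MAP" | awk 'NF { print $1 ":" $2 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# Number of DNAT rules the table produces; a quick sanity check before loading.
count_dnat_rules() {
    gen_rdp_forwards "$1" "$2" | grep -c -- '-j DNAT'
}

# Usage, as root, after reviewing the printed rules:
#   sysctl -w net.ipv4.ip_forward=1
#   check_unique_external && gen_rdp_forwards eth0 203.0.113.0/24 | iptables-restore --noflush
```

Two caveats a practitioner would want alongside this: the `-d <public IP>` match assumes the public addresses are static (drop it if the WAN address is dynamic), and these rules only handle connections arriving on the WAN interface; a LAN client connecting to the public IP:port from inside (NAT loopback, or "hairpin" NAT) additionally needs a POSTROUTING SNAT/MASQUERADE rule so the reply returns through the firewall rather than directly to the client.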
 
12-31-2007, 07:00 AM   #3
mhm (Original Poster)
Hi,
Thanks win32sux for replying,

For case one, with 2 different external IPs, it's totally understood.

But for the second scenario, you put different destination ports for the connection to the external IP, and none of them is 3389; the 3389 ports are used for each internal IP we want to connect to. Now, how could we connect from outside? Is that like (public IP:port (3310 or 3320 or 3330))? How would the server distinguish that for the remote desktop tool if we connect to ports that are not 3389 and there is no 3389 in the rule for the public IP?

Regards
MHM
 
12-31-2007, 07:10 AM   #4
win32sux
Quote:
Originally Posted by mhm
Hi,
Thanks win32sux for replying,

For case one, with 2 different external IPs, it's totally understood.
Cool.

Quote:
But for the second scenario, you put different destination ports for the connection to the external IP, and none of them is 3389; the 3389 ports are used for each internal IP we want to connect to. Now, how could we connect from outside? Is that like (public IP:port (3310 or 3320 or 3330))? How would the server distinguish that for the remote desktop tool if we connect to ports that are not 3389 and there is no 3389 in the rule for the public IP?
Yes, depending on which port on the public IP you connect to, you will be forwarded to the appropriate box. The ports on the outside don't need to be the same as the ones on the inside.
