LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 05-12-2006, 06:22 AM   #1
dimis
LQ Newbie
 
Registered: May 2006
Posts: 20

Rep: Reputation: 0
Please help with IPTABLES+RDP(3389)


Hello all,

I just set up a Debian box with iptables. The box has two NICs, eth0 (192.168.0.102) for the LAN and eth1 (192.168.254.102), which is connected directly to my ADSL modem.

All firewalling etc is disabled on my modem.
After I installed Linux/iptables, the only commands that I used are these:

echo 1 > /proc/sys/net/ipv4/ip_forward

route add -net -n 192.168.0.0 netmask 255.255.255.0 dev eth0
route add -net -n 192.168.254.0 netmask 255.255.255.0 dev eth1
route add -net default gw 192.168.254.254

iptables --flush
iptables -t nat --flush
iptables --delete-chain
iptables -t nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

This way my Linux box can act as an Internet gateway just fine. If I nmap my external IP from another network I can see all the open ports for the services I use (such as a web server, mail server etc.).

Now I just want to forward port 3389 to an internal Win2k box in my LAN with the IP 192.168.0.100.

I searched the forums and used the usual commands I found, like:

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 3389 -j DNAT --to 192.168.0.100:3389
iptables -A INPUT -p tcp -m state --state NEW --dport 3389 -i eth1 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --dport 3389 -i eth1 -j ACCEPT -d 192.168.0.100

but nothing seems to work... Has anyone ever done this before?
Can you please help me?

Some more info that you might find useful:

linux:/var/www# ifconfig
eth0 Link encap:Ethernet HWaddr 00:00:0E:EF:92:3E
inet addr:192.168.0.102 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:328094 errors:0 dropped:0 overruns:0 frame:0
TX packets:167629 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:31062497 (29.6 MiB) TX bytes:166857725 (159.1 MiB)
Interrupt:5 Base address:0x2080 Memory:f4110000-f4110038

eth1 Link encap:Ethernet HWaddr 00:50:BAE:E2:8A
inet addr:192.168.254.102 Bcast:192.168.254.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:181023 errors:0 dropped:0 overruns:0 frame:0
TX packets:145480 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:168253831 (160.4 MiB) TX bytes:16201206 (15.4 MiB)
Interrupt:10 Base address:0x2000



linux:/var/www# iptables -vnL
Chain INPUT (policy ACCEPT 4882 packets, 458K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 1588 packets, 1815K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3893 packets, 505K bytes)
pkts bytes target prot opt in out source destination


Any help at all would be greatly appreciated, thank you in advance.
 
Old 05-12-2006, 08:42 AM   #2
dimis
LQ Newbie
 
Registered: May 2006
Posts: 20

Original Poster
Rep: Reputation: 0
Update:

As soon as I give these commands (eth0-lan (192.168.0.102), eth1-wan (192.168.254.102)):

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.100

iptables -A FORWARD -i eth1 -o eth1 -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

and I nmap my Linux box from an external network, I get this:

Interesting ports on athedsl-xxxxxx.otenet.gr (xxx.xxx.xxx.xxx):
PORT STATE SERVICE
3389/tcp filtered ms-term-serv

Nmap finished: 1 IP address (1 host up) scanned in 1.053 seconds


Help me please? :-/
 
Old 05-15-2006, 04:30 AM   #3
dimis
LQ Newbie
 
Registered: May 2006
Posts: 20

Original Poster
Rep: Reputation: 0
BUMP :-/ Help plz :-/
 
Old 05-15-2006, 07:06 AM   #4
dimis
LQ Newbie
 
Registered: May 2006
Posts: 20

Original Poster
Rep: Reputation: 0
Never mind, I figured it out. I'll post the solution here in case anyone else has or will have the same problem.

First of all make sure you have the following modules enabled:

linux:~# lsmod | grep nat; lsmod | grep con | grep -v ftp
ip_nat_ftp 2512 0 (unused)
iptable_nat 14758 2 (autoclean) [ip_nat_ftp ipt_MASQUERADE]
ip_conntrack 17000 1 (autoclean) [ip_conntrack_ftp ip_nat_ftp ipt_state ipt_MASQUERADE iptable_nat]
ip_tables 10400 6 [ipt_state ipt_MASQUERADE iptable_nat iptable_filter]

If you are missing some, just use:

modprobe <module_name>, e.g. modprobe ip_nat_ftp


Then enable the IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then make sure you don't block/deny the connections in some different rules. The best way is to reset everything and start blocking and allowing from there; to flush all rules use:

iptables --flush
iptables -t nat --flush
iptables --delete-chain



Make sure to enable MASQ on your Internet interface (mine is eth1), so:

iptables -t nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

Then allow forwarding to your LAN Interface by:

iptables --append FORWARD --in-interface eth0 -j ACCEPT


Now the forwarding rules (eth1 = Internet, eth0 = LAN, 192.168.0.100 = Win2k box with TS enabled and of course firewalling off):

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3389 -j DNAT --to 192.168.0.100:3389

iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.0.100 --dport 3389 -m state --state NEW -j ACCEPT

iptables -A FORWARD -t filter -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -t filter -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT


That's it.
 
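The steps in the post above, gathered into one iptables-restore file as an added example; this is not the thread's own code. It keeps the thread's interface names and the 192.168.0.100 terminal server but goes a little further than the post: the FORWARD policy is DROP with a rate-limited LOG rule at the end, so the explicit forward rule is the only way in; the DNAT and FORWARD rules both carry a source match, whose default 203.0.113.0/24 is a constructed placeholder (TEST-NET-3) to be replaced with the network you connect from (0.0.0.0/0 reproduces the thread's open forward); and the whole rule set is loaded atomically with iptables-restore instead of one `iptables -A` at a time, which removes the "some other rule is blocking it" guesswork. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: render a complete iptables-restore
# rule set for the gateway described above, with FORWARD default-deny and
# the RDP forward limited to one source range.  Interface names and the
# Win2k host are the thread's; RDP_ALLOWED_SRC defaults to a constructed
# placeholder (TEST-NET-3) that you must replace with your client range.

WAN_IF="${WAN_IF:-eth1}"                 # interface towards the ADSL modem
LAN_IF="${LAN_IF:-eth0}"                 # interface towards the LAN
LAN_NET="${LAN_NET:-192.168.0.0/24}"
RDP_HOST="${RDP_HOST:-192.168.0.100}"    # Win2k terminal server
RDP_ALLOWED_SRC="${RDP_ALLOWED_SRC:-203.0.113.0/24}"  # placeholder: your client range

# Emit the whole rule set in iptables-save format.  Loading it with
# iptables-restore replaces both tables in one step, so no stale rule
# from an earlier attempt can get in the way.  Lines starting with '#'
# are ignored by iptables-restore.
render_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the destination of inbound RDP before the routing decision
-A PREROUTING -i $WAN_IF -p tcp -s $RDP_ALLOWED_SRC --dport 3389 -j DNAT --to-destination $RDP_HOST:3389
# Hide the LAN behind the modem-side address
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to already-accepted flows, in both directions
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open connections to the Internet
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# The only inbound connection allowed: DNAT'ed RDP to the Win2k box.
# The filter table sees the packet after DNAT, so match the LAN address.
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -s $RDP_ALLOWED_SRC -d $RDP_HOST --dport 3389 -m state --state NEW -j ACCEPT
# Log (rate-limited) whatever falls through to the DROP policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Number of rules in the rendered set; a cheap sanity check before loading.
rule_count() {
  render_rules | grep -c '^-A '
}

# Load the rule set.  Needs root.  The NAT/conntrack modules autoload on
# current kernels; on a 2.4-era kernel like the thread's, modprobe
# iptable_nat and ip_conntrack first (see the lsmod output above).
apply_rules() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  render_rules | iptables-restore
}

case "${1:-}" in
  --show)  render_rules ;;
  --apply) apply_rules ;;
esac
```

Run it with `--show` to inspect the rendered file and with `--apply` (as root) to load it. To verify, watch `iptables -t nat -vnL PREROUTING` and `iptables -vnL FORWARD` while connecting from the allowed range: the DNAT counter increments when the SYN reaches the gateway, the FORWARD counter when it is passed to the LAN. If both count up but nmap still reports the port as "filtered" (which only means no reply came back), the SYN was delivered and the Windows side did not answer, so the problem is on the terminal server, not in iptables; allowing 3389 from the LAN in the Windows firewall is a narrower fix than switching that firewall off.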