LinuxQuestions.org
Old 11-21-2005, 08:53 AM   #1
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Rep: Reputation: 30
Port forwarding


I have no clue as to what iptables command to run so I need some help. I am connecting to my network through a VPN client. I need to have my Cent OS4 box forward a connection. The reason for this is my mail server is here and then to log in to my As400 I have to shut down the VPN and bring it back up on a different site. I was wondering if I could just connect to my local work and have my computer inside route me across the VPN. The trick is I have to connect on one port and forward to another.

Server address aab.bbb.ccd.12 Port 24 to be forwarded to aab.bbc.dcc.99 Port 23.

Can someone help me do this?
 
Old 11-21-2005, 12:04 PM   #2
Que_273
Member
 
Registered: Nov 2005
Location: South coast
Distribution: Debian /AMD64
Posts: 48

Rep: Reputation: 15
You need an entry like this in your "nat" table
iptables -t nat -A PREROUTING -p tcp -m tcp -s aaa.bbb.ccc.ddd --dport 24 -j DNAT --to-destination uuu.vvv.www.xxx:23

I used this to allow me to ssh into a firewalled computer with one command (instead of logging into one and then into the other).
The only problem is that because my ssh program sees the same ip address being used but with different RSA keys it wants me to check. I probably could get them to use the same key but that might not be good. It might not be a problem for you though.
 
Old 11-21-2005, 03:18 PM   #3
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Original Poster
Rep: Reputation: 30
Here is what I came up with. It's not passing the connection at all. I don't even see the rule listed.
iptables -t nat -A PREROUTING -p tcp -m tcp -s 10.0.2.22 --dport 24 -j DNAT --to-destination 192.1.1.1:23


iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:lmtp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
 
Old 11-21-2005, 03:21 PM   #4
Que_273
Member
 
Registered: Nov 2005
Location: South coast
Distribution: Debian /AMD64
Posts: 48

Rep: Reputation: 15
iptables --list (also iptables -L) will list only the filter table
to see the nat table use iptables -t nat --list (or iptables -t nat -L)
 
Old 11-21-2005, 03:36 PM   #5
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Original Poster
Rep: Reputation: 30
Does this look right?

[root@gridgenotes12 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 10.0.2.22 anywhere tcp dpt:449 to:192.1.1.1:449
DNAT tcp -- 10.0.2.22 anywhere tcp dpt:8476 to:192.1.1.1:8476
DNAT tcp -- 10.0.2.22 anywhere tcp dpt:8470 to:192.1.1.1:8470
DNAT tcp -- 10.0.2.22 anywhere tcp dpt:lmtp to:192.1.1.1:23

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
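
Added example, not part of any post in this thread: a DNAT rule in PREROUTING only rewrites the destination; the forwarded packet must also be routed by the kernel (ip_forward), pass the filter table's FORWARD path, and its replies must come back through the forwarding host. The script below checks an iptables-save dump for those pieces. The names audit_dnat and sample_dump are hypothetical, the dump is constructed from the rule in post #3, and the filter check is a heuristic that looks for an explicit ACCEPT naming the target address and port rather than walking every chain.

```shell
#!/bin/sh
# Added example (not from the thread). audit_dnat and sample_dump are
# hypothetical names; the dump is constructed from the rule in post #3.

# Reads an iptables-save dump on stdin; $1 is the content of
# /proc/sys/net/ipv4/ip_forward. Assumes --to-destination has the ip:port form.
audit_dnat() {
    awk -v fwd="$1" '
    /^\*/ { table = substr($0, 2); next }            # "*nat", "*filter"
    table == "nat" && /-j DNAT/ {
        for (i = 1; i < NF; i++)
            if ($i == "--to-destination") dnat[++n] = $(i + 1)
    }
    table == "nat" && /^-A POSTROUTING/ && /-j (SNAT|MASQUERADE)/ { snat = 1 }
    table == "filter" && /-j ACCEPT/ { accept[++m] = $0 " " }
    END {
        if (fwd != 1)
            print "WARN ip_forward=" fwd ": the kernel will not route forwarded packets"
        if (n && !snat)
            print "WARN no SNAT/MASQUERADE in POSTROUTING: replies arrive only if the target routes back through this host"
        for (k = 1; k <= n; k++) {
            split(dnat[k], t, ":"); ok = 0
            for (j = 1; j <= m; j++) {
                r = accept[j]
                if ((index(r, "-d " t[1] " ") || index(r, "-d " t[1] "/32 ")) &&
                    index(r, "--dport " t[2] " ")) ok = 1
            }
            msg = ok ? "OK   explicit filter ACCEPT found for " : "WARN no explicit filter ACCEPT for "
            print msg dnat[k]
        }
    }'
}

# Constructed sample: the DNAT rule from post #3 plus a cut-down filter table.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.2.22 -p tcp -m tcp --dport 24 -j DNAT --to-destination 192.1.1.1:23
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

sample_dump | audit_dnat 0
```

On a live host the input would be `iptables-save | audit_dnat "$(cat /proc/sys/net/ipv4/ip_forward)"`, run as root.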
 
  

