Remote admin from dmz

satish · 11-28-2008, 12:20 AM

we had buyed one software for the trading and the server is in our office in local area network,the software developer seats in his office and needs our software server remote admin for the changes in software and some issues to solve by taking the remote admin.we had redhat 9 linux proxy server with static ip 59.144.124.51 and local ip is 192.168.1.2, i want the dmz rule like when the software engineer opens remote administrator and put the static ip in the remote administrator the request will go to our internal software server ip 192.168.1.54 and will ask for the password and open the desktop of our software server.

Please give me the iptables rules for this as you already help me for the remote desktop of our internal database server on dmz and the rules i am giving you below like you send me.

iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 1024:65535 -d192.168.1.249 --dport 3389 -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p tcp ! --syn -s 192.168.1.249 --sport 3389 --dport 1024:65535 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 1024:65535 -d 59.144.124.51 --dport 3389 -j DNAT --to-destination 192.168.1.249

this rules opens our database server remote desktop and now i want remote admin desktop for our software server from the same static ip with dmz, also i want to ask a question that how wany remote admin and how many remote desktop i can open from the dmz with same static ip,can i put our 5 server remote desktop and remote admin on dmz with same static ip?

Linux Server details

eth0: 192.168.1.2
eth1: 59.144.124.51
local lan :192.168.1.0/255
software server ip : 192.168.1.54

Regards

satish

Disillusionist · 11-28-2008, 02:00 AM

The missing piece of the puzzle is what port does "remote administrator" use?

You have a working example, Remote Desktop (RDP) uses Port 3389

Code:

iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 1024:65535 -d192.168.1.54 --dport port_number -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p tcp ! --syn -s 192.168.1.54 --sport port_number --dport 1024:65535 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 1024:65535 -d 59.144.124.51 --dport port_number -j DNAT --to-destination 192.168.1.54

satish · 11-30-2008, 11:48 PM

Thanks for your suggestion and i can now view the remote admin of my software server from outside world.

Really great help

but you had not told me how many dmz i can view from the same static ip and same proxy server?

Regards

satish

Disillusionist · 12-01-2008, 12:12 AM

It depends on what access you need.

Each destination port number can be forwarded to 1 IP address.

Therefore port 80 (HTTP) could go to one machine.
Port 3389 (RDP) could go to another machine.
Port 25 (SMTP) to another

and so on, but you cant have port 3389 going to more than one machine from a single external IP address.