LinuxQuestions.org


rich2oo1 05-28-2003 01:51 AM

Terminal Services Port Forwarding
 
I am trying to forward port 3389 from my Linux machine (IP 10.30.10.201) to my WinXP machine (IP 10.30.10.200) and was wondering if someone could assist me in doing so. I've tried everything I can find but it just won't work. Any help would be greatly appreciated. Basically what I'm wanting to do is accept all incoming connections on port 3389 and forward them to my WinXP machine.

Stats on the Linux Box:

Redhat 9.0
Kernel 2.4.20
network card is eth0

Robert0380 05-28-2003 03:10 AM

I use iptables to do any forwarding:

example:

You must do this, and you must do it every time you reboot:

echo 1 > /proc/sys/net/ipv4/ip_forward - it turns on forwarding

iptables -A PREROUTING -p tcp --dport 3389 -j DNAT -to 10.30.10.200:3389
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT

The 1st rule changes the destination of packets coming from anywhere going to port 3389 to the 10.30.10.200 machine; the second rule allows packets to be forwarded if they are bound for port 3389. If you need the same for UDP you can do the rules twice, but I think the second rule may not be needed if the default policy for the FORWARD chain is ACCEPT. But it will help if later you decide to get strict with your firewall rules and not allow any forwarding that you didn't explicitly set up yourself. Also you may want to put the iptables stuff in a file (shell script if you will) and then put a call to the script in your rc.local so that every time the machine boots, the rules get set without having to type them over each time.

rich2oo1 05-28-2003 11:25 AM

Still no luck. I do a port scan using nmap and port 3389 isn't open on my machine.

dorian33 05-28-2003 01:08 PM

I think the correct form is:
iptables -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 10.30.10.200:3389
and the phrase ':3389' can be omitted

rich2oo1 05-31-2003 12:57 PM

I got it to work; here are the commands I used:

iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 10.30.10.200:3389

iptables -t nat -A POSTROUTING -p tcp --dport 3389 -j SNAT --to-source 10.30.10.201:3389

iptables -A FORWARD -d 10.30.10.200 -i eth0 -o eth0 -p tcp --dport 3389 -m state --state INVALID,NEW,RELATED,ESTABLISHED -j ACCEPT


Please let me know if there is another way to achieve this using fewer lines.
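The two rule sets above (Robert0380's DNAT/FORWARD pair and rich2oo1's working DNAT/SNAT/FORWARD set) are the same technique: a hairpin NAT on a Linux box for a Windows host on the same LAN. The script below is an added example written for this thread, not code posted by either participant. It generates the rules from variables so they can be reviewed before being applied (pass `apply` to run them as root), and it differs from the posted rules in four ways that a reviewer would flag: the nat table is named explicitly on every NAT rule, SNAT keeps the client's source port (the posted `--to-source 10.30.10.201:3389` forces every session onto one source port, so only one client can be mapped at a time), the FORWARD rule no longer accepts INVALID packets, and the allowed client range is a variable (`ALLOWED`, an assumed name) rather than "anywhere". The addresses and interface are the ones from the thread; a return-direction FORWARD rule is included for the case where the FORWARD policy is DROP.

```shell
#!/bin/sh
# Added example: hairpin port forward of TCP/3389 through a Linux host (FW_IP)
# to a Windows terminal server (TS_IP) on the same LAN segment.
# Variable names are this example's own; addresses come from the thread.
FW_IP="${FW_IP:-10.30.10.201}"    # Linux box
TS_IP="${TS_IP:-10.30.10.200}"    # Windows XP terminal server
IFACE="${IFACE:-eth0}"
ALLOWED="${ALLOWED:-0.0.0.0/0}"   # tighten to the remote client's address or range
PORT="${PORT:-3389}"

# Emit the commands, one per line, without running them.
ts_forward_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i $IFACE -s $ALLOWED -p tcp --dport $PORT -j DNAT --to-destination $TS_IP
iptables -t nat -A POSTROUTING -o $IFACE -d $TS_IP -p tcp --dport $PORT -j SNAT --to-source $FW_IP
iptables -A FORWARD -i $IFACE -o $IFACE -d $TS_IP -p tcp --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IFACE -o $IFACE -s $TS_IP -p tcp --sport $PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sanity checks a reviewer would run over the generated rule set.
rules_are_sane() {
    rules=$(ts_forward_rules)
    # every NAT rule names the nat table; no rule accepts INVALID packets
    [ "$(printf '%s\n' "$rules" | grep -c -- '-t nat')" -eq 2 ] || return 1
    printf '%s\n' "$rules" | grep -q 'INVALID' && return 1
    # SNAT keeps the client's source port: no ":port" suffix on --to-source
    printf '%s\n' "$rules" | grep -q -- "--to-source $FW_IP\$" || return 1
    return 0
}

case "${1:-}" in
    apply) rules_are_sane && ts_forward_rules | sh -e ;;   # needs root
    *)     ts_forward_rules ;;
esac
```

Design note: the SNAT rule is what makes the hairpin work when the Linux box is not the Windows host's default gateway (replies would otherwise go straight from 10.30.10.200 to the client and be discarded as out-of-state). The cost is that the terminal server then sees every RDP session as coming from 10.30.10.201, so its own logs no longer record the real client address; the `-s $ALLOWED` match on the PREROUTING rule and the Linux box's own logging are where that information has to be kept instead.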

gupi 06-01-2003 03:13 AM

Use Shorewall
 
Hi there!

I am using shorewall on my Win2K's lan router, and I do need to let some outsiders access the TS server.

So, using shorewall as the firewalling server, the rule is very simple (after you read the docs, you'll understand more :):

- one rule to accept incoming [3389] packets from the outsider (in this case, the outsider is 1.2.3.4) to the firewall (fw)
- one rule to DNAT all incoming packets to the TS (192.168.1.3)

Quote:

ACTION | SOURCE      | DEST                 | PROTO | DEST PORT | SOURCE PORT | ORIGINAL DEST
ACCEPT | net:1.2.3.4 | fw                   | tcp   | 3389      |             |
DNAT   | net:1.2.3.4 | loc:192.168.1.3:3389 | tcp   | 3389      |             |

In addition, you will get a very good firewalling tool, with a lot of options.

rich2oo1 06-01-2003 09:32 AM

-

