LinuxQuestions.org
Old 11-22-2008, 01:00 PM   #1
emmendes
LQ Newbie
 
Registered: Nov 2008
Posts: 5

Rep: Reputation: 0
an example on iptables with redirect


Hello

Unfortunately my linux server crashed a few days ago after an electricity shortage. The crash caused some bad blocks on a partition and after recovering most of my sh files I realized that the firewall script was gone without a trace. I found a backup but it wasn't updated enough so I lost all the rules regarding redirection.

It has been years since I last modified the file (I couldn't guess that the bad block would hit exactly the area where the firewall script was - I deserve it, I know!).

Ok. I need right now to get the box up by issuing the rules again.

Here is the configuration: two NIC cards. One (eth0) with a public IP address that connects to the world. The second one (eth1) is 192.168.1.1. All other machines take IPs from a DHCP server starting with 192.168.1.X

I need to connect 192.168.0.7 port 22 to eth0:43022.

The old copy of firewall allows all internal boxes to connect the internet.

Sorry for such a simple question (probably it has been answered several times but I couldn't find exactly what I want on the web - perhaps the reason is my frustration and despair!).

Many many thanks

Ed
 
Old 11-22-2008, 02:57 PM   #2
rayfordj
Member
 
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488

Rep: Reputation: 78
something like...
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 43022 -j DNAT --to 192.168.0.7:22
 
Old 11-22-2008, 03:42 PM   #3
emmendes
LQ Newbie
 
Registered: Nov 2008
Posts: 5

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by rayfordj View Post
something like...
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 43022 -j DNAT --to 192.168.0.7:22
I remember that there was a second line. Could it be something like the following?

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 43022 -j DNAT --to 192.168.0.7 --dport 22
iptables -A FORWARD -p tcp --dport 43022 -j ACCEPT

Is the --dport 22 on the first line ok?

many thanks

Ed
 
Old 11-22-2008, 06:50 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
Quote:
Originally Posted by emmendes View Post
I remember that there was a second line. Could it be something like the following?

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 43022 -j DNAT --to 192.168.0.7 --dport 22
iptables -A FORWARD -p tcp --dport 43022 -j ACCEPT

Is the --dport 22 on the first line ok?

many thanks

Ed
No, you'd need to specify the new port by just putting it next to the IP, like:
Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 43022 -j DNAT --to 192.168.0.7:22
As for the second line, replace it with something like:
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 43022 -m state --state NEW -j ACCEPT
Notice how the traffic direction was specified by use of the interface matches.
 
Old 11-24-2008, 08:23 AM   #5
emmendes
LQ Newbie
 
Registered: Nov 2008
Posts: 5

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by win32sux View Post
No, you'd need to specify the new port by just putting it next to the IP, like:
Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 43022 -j DNAT --to 192.168.0.7:22
As for the second line, replace it with something like:
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 43022 -m state --state NEW -j ACCEPT
Notice how the traffic direction was specified by use of the interface matches.

The first line doesn't work with iptables 1.2.9

unknown arg '--to'

Many thanks

Ed
 
Old 11-24-2008, 09:09 AM   #6
rayfordj
Member
 
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488

Rep: Reputation: 78
Quote:
Originally Posted by emmendes View Post
unknown arg '--to'
try --to-destination
Code:
--to-destination
if that does not work, check out the man page or docs for your specific version ;-)
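As an added example (not code from any of the posts above), here is a small firewall script that applies the rules discussed in this thread for the layout in the first post, using the --to-destination spelling from reply #6; because the FORWARD chain is evaluated after the PREROUTING DNAT, its accept rule matches the rewritten destination 192.168.0.7:22 rather than the public port 43022. The variable names (WAN, LAN, FWD_*) and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: firewall script for the layout in
# post #1 (eth0 public, eth1 = 192.168.1.1 LAN, eth0:43022 -> 192.168.0.7:22).
# Run "sh fw.sh apply" as root. With DRY_RUN=1 set, it only prints the
# iptables commands it would run, so the rules can be reviewed first.
# Variable names (WAN, LAN, FWD_*) are this example's own choice.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
FWD_PUBLIC_PORT="${FWD_PUBLIC_PORT:-43022}"
FWD_HOST="${FWD_HOST:-192.168.0.7}"
FWD_PORT="${FWD_PORT:-22}"

# Wrapper: echo the command under DRY_RUN, otherwise execute it.
ipt() {
  if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Start from a clean, default-deny FORWARD chain so only explicit rules pass;
# replies to already-accepted connections are allowed in one place.
reset_rules() {
  ipt -F; ipt -t nat -F
  ipt -P FORWARD DROP
  ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Let the internal boxes reach the internet (what the old script allowed).
lan_out() {
  ipt -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
  ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# The redirect. --to-destination is the full option name; whether a short
# form such as '--to' is accepted depends on the iptables build (the error in
# post #5). FORWARD runs after the PREROUTING DNAT, so the accept rule must
# match the rewritten destination (host:22), not the public port 43022.
port_forward() {
  ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$FWD_PUBLIC_PORT" \
      -j DNAT --to-destination "$FWD_HOST:$FWD_PORT"
  ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$FWD_HOST" --dport "$FWD_PORT" \
      -m state --state NEW -j ACCEPT
}

main() {
  # Routing between the two cards needs ip_forward; skipped in dry-run mode.
  [ -n "${DRY_RUN:-}" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
  reset_rules; lan_out; port_forward
  # Check afterwards with: iptables -t nat -L PREROUTING -n -v; iptables -L FORWARD -n -v
}

if [ "${1:-}" = "apply" ]; then main; fi
```

The script flushes the filter and nat tables, so merge it with any INPUT rules the box also needs before running it with apply.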
 
Old 11-25-2008, 05:31 PM   #7
emmendes
LQ Newbie
 
Registered: Nov 2008
Posts: 5

Original Poster
Rep: Reputation: 0
I tried to find some docs for that version but to no avail.

man is no longer available on the machine.

Many thanks

Ed
 
  

