iptables - port redirection - VNC

GK guskasus at yahoo.com.ar
Thu Jun 24 15:06:12 UTC 2004


Hi, I am a newbie in iptables. I must be doing something wrong. Is there an
expert in iptables? Sure!
I need to do port redirection from outside (Internet) to inside (one
specific PC), but the packets from the Internet to my public IP (port 5900)
are DROPped.
I need access via VNC from the Internet to the LAN inside, and to other ports
(8080). These are a few lines from my script to configure iptables.

Can somebody help me, please?
Does anyone have any ideas?
Thanks in advance,

GusKa.

---------------------

# eth0 local interface to Internet.
# eth1 local interface to private LAN.
# ppp0 PPP link that carries the public IP (EXTPPP below).

#PRIVATE= private LAN
#EXTINT= Outside interface
#INTINT= Inside Interface
#EXTPPP= Outside public Interface
#PUBLICIP= My Public IP

IPTABLES=/sbin/iptables    # not in the excerpt; added so it runs stand-alone
PRIVATE=192.168.10.0/24
EXTINT=eth0
INTINT=eth1
EXTPPP=ppp0
PUBLICIP=201.254.205.12
LOOP=127.0.0.1

# Default policies: anything not accepted by a rule below is dropped.
$IPTABLES -P OUTPUT  ACCEPT
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP

# NAT to Outside (only TCP from the LAN is rewritten to the public IP).
$IPTABLES -t nat -A POSTROUTING -s $PRIVATE -p tcp -o $EXTPPP -j SNAT --to $PUBLICIP

# Traffic belonging to connections already in the state table.
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# VNC to PC inside (private LAN): rewrite public IP:5900 to 192.168.10.79:5900,
# then accept the forwarded packet if it entered on eth0 with dport 5900.
$IPTABLES -t nat -A PREROUTING -p tcp -d $PUBLICIP --dport 5900 -j DNAT --to 192.168.10.79:5900
$IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# HTTP 8080 to server inside httpd: rewrite public IP:8080 to 192.168.10.80:80,
# then accept the forwarded packet if it entered on eth0 with dport 8080.
$IPTABLES -t nat -A PREROUTING -p tcp -d $PUBLICIP --dport 8080 -j DNAT --to 192.168.10.80:80
$IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# www, dns, smtp are open
$IPTABLES -A INPUT -p tcp --dport http -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport smtp -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport domain -j ACCEPT
$IPTABLES -A INPUT -p udp --dport domain -j ACCEPT

# Masquerading rule (new connections coming from the private LAN)
$IPTABLES -A INPUT   -s $PRIVATE -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT  -s $PRIVATE -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s $PRIVATE -m state --state NEW -j ACCEPT

# All in loopback
$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# All in private LAN
$IPTABLES -A INPUT   -i $INTINT -j ACCEPT
$IPTABLES -A FORWARD -i $INTINT -j ACCEPT

$IPTABLES -A INPUT   -j DROP
$IPTABLES -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
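Added example (editor's, not part of GusKa's post or of the redhat-list thread): a corrected version of the forwarding rules above, as a small sh script. Two things in the posted ruleset stop the DNATed packets in FORWARD, where the DROP policy then takes them. First, the FORWARD rules match on -i eth0, but the public address is the one the SNAT rule puts on ppp0, so packets for 201.254.205.12 arrive with in-interface ppp0. Second, the filter FORWARD chain sees a packet after nat/PREROUTING has rewritten it, so the rule for the web server has to match the post-DNAT destination (-d 192.168.10.80 --dport 80), not --dport 8080. The script also drops -p tcp from the SNAT rule so that UDP from the LAN (DNS) is translated too, and it carries a check_forward function that flags any DNAT target without a FORWARD rule keyed on the rewritten address and port; running it over the post's own forwarding rules (posted_rules) reports the mismatch. Assumed rather than taken from the post: that the public IP is on ppp0 (the post only implies it through the SNAT rule), that iptables is /sbin/iptables, and the names VNC_HOST and WEB_HOST, which are the script's own. "sh fw.sh show" prints the rules, "sh fw.sh check" runs the consistency check, and "sh fw.sh apply" loads them as root.

```sh
#!/bin/sh
# Added example (editor's, not from the post): port forwarding for VNC and
# HTTP through an iptables NAT box. Assumptions not in the post: the public
# address sits on ppp0, iptables lives in /sbin, and the VNC_HOST/WEB_HOST
# names are this script's own.
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"
PRIVATE=192.168.10.0/24
INTINT=eth1                 # inside interface
EXTPPP=ppp0                 # outside interface that carries the public IP
PUBLICIP=201.254.205.12
VNC_HOST=192.168.10.79
WEB_HOST=192.168.10.80

# The ruleset, one iptables argument list per line. Inbound forwards key on
# the interface the packet really arrives on ($EXTPPP) and on the
# destination AFTER nat/PREROUTING has rewritten it, because that is what
# the filter FORWARD chain sees.
rules() {
    cat <<EOF
-F
-t nat -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-t nat -A POSTROUTING -s $PRIVATE -o $EXTPPP -j SNAT --to-source $PUBLICIP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -i $INTINT -s $PRIVATE -j ACCEPT
-A FORWARD -i $INTINT -s $PRIVATE -j ACCEPT
-t nat -A PREROUTING -i $EXTPPP -p tcp -d $PUBLICIP --dport 5900 -j DNAT --to-destination $VNC_HOST:5900
-A FORWARD -i $EXTPPP -o $INTINT -p tcp -d $VNC_HOST --dport 5900 -m state --state NEW -j ACCEPT
-t nat -A PREROUTING -i $EXTPPP -p tcp -d $PUBLICIP --dport 8080 -j DNAT --to-destination $WEB_HOST:80
-A FORWARD -i $EXTPPP -o $INTINT -p tcp -d $WEB_HOST --dport 80 -m state --state NEW -j ACCEPT
EOF
}

# The forwarding rules as the post wrote them (DNAT option spelled out in
# full so check_forward can parse it): the FORWARD rules key on eth0 and on
# the pre-DNAT port 8080, and carry no -d, so neither matches a rewritten
# packet.
posted_rules() {
    cat <<EOF
-t nat -A PREROUTING -p tcp -d $PUBLICIP --dport 5900 -j DNAT --to-destination 192.168.10.79:5900
-A FORWARD -i eth0 -o eth1 -p tcp --dport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-t nat -A PREROUTING -p tcp -d $PUBLICIP --dport 8080 -j DNAT --to-destination 192.168.10.80:80
-A FORWARD -i eth0 -o eth1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Consistency check: every DNAT target host:port must have a FORWARD ACCEPT
# rule that matches the rewritten destination. Takes the name of a rule
# source function; returns 1 and names the first unmatched target.
check_forward() {
    src=${1:-rules}
    $src | sed -n 's/.*-j DNAT --to-destination \([0-9.]*\):\([0-9]*\).*/\1 \2/p' |
    while read -r host port; do
        $src | grep -q -- "-A FORWARD .*-d $host --dport $port .*-j ACCEPT" ||
            { echo "no FORWARD rule for post-DNAT target $host:$port" >&2; exit 1; }
    done
}

# Load the rules (root only) and turn on routing between the interfaces.
apply_rules() {
    rules | while read -r line; do
        # shellcheck disable=SC2086  (word splitting of $line is intended)
        $IPTABLES $line
    done
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-show}" in
    show)  rules ;;
    check) check_forward rules && echo "FORWARD rules cover every DNAT target" ;;
    apply) check_forward rules && apply_rules ;;
    *)     echo "usage: $0 [show|check|apply]" >&2; exit 2 ;;
esac
```

With this ruleset the public address only answers on 5900 and 8080 for the two inside hosts named, and replies flow back through the ESTABLISHED,RELATED rule in FORWARD. Forwarding 5900 to the open Internet still leaves VNC's own password prompt as the only gate; adding -s with the client's network to the PREROUTING rule, or carrying VNC over an SSH tunnel instead, keeps the service off the public side.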





More information about the redhat-list mailing list