iptables - port redirection - VNC
GK
guskasus at yahoo.com.ar
Thu Jun 24 15:06:12 UTC 2004
Hi, I am a newbie in iptables. I must be doing something bad. Is there an
expert in iptables? Sure!
I need to do port redirection from outside (Internet) to inside (one
specific PC). But the packets from the Internet to my public IP (port 5900)
are DROPped.
I need access via VNC from the Internet to the LAN inside, and on other
ports too (8080). These are a few lines from my script to configure iptables.
Can somebody help me, please?
Does anyone have any ideas?
Thanks in advance,
GusKa.
---------------------
#!/bin/sh
# eth0 local interface to Internet.
# eth1 local interface to private LAN.
# ppp0 public PPP interface to the Internet.
#PRIVATE= private LAN
#EXTINT= Outside interface
#INTINT= Inside Interface
#EXTPPP= Outside public Interface
#PUBLICIP= My Public IP
IPTABLES=/sbin/iptables   # path to the iptables binary (set elsewhere in the full script)
PRIVATE=192.168.10.0/24
EXTINT=eth0
INTINT=eth1
EXTPPP=ppp0
PUBLICIP=201.254.205.12
LOOP=127.0.0.1
# Default policies: anything not explicitly accepted is dropped.
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# NAT to Outside (TCP only; LAN traffic leaves through ppp0).
$IPTABLES -t nat -A POSTROUTING -s $PRIVATE -p tcp -o $EXTPPP -j SNAT \
    --to $PUBLICIP
# Replies to connections that already exist.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# VNC to PC inside (private LAN)
# The DNAT rewrites the destination in PREROUTING; the FORWARD rule below
# only matches packets that entered on $EXTINT (eth0) with post-DNAT port 5900.
$IPTABLES -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 5900 -j DNAT \
    --to 192.168.10.79:5900
$IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 5900 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
# HTTP 8080 to server inside httpd
# The DNAT changes the port to 80; FORWARD sees the packet after DNAT but
# the rule below still matches --dport 8080.
$IPTABLES -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 8080 -j DNAT \
    --to 192.168.10.80:80
$IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 8080 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
# www, dns, smtp are open (services on the firewall itself)
$IPTABLES -A INPUT -p tcp --dport http -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport smtp -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport domain -j ACCEPT
$IPTABLES -A INPUT -p udp --dport domain -j ACCEPT
# Masquerading rule (new connections from the private LAN)
$IPTABLES -A INPUT -s $PRIVATE -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s $PRIVATE -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s $PRIVATE -m state --state NEW -j ACCEPT
# All in loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# All in private LAN
$IPTABLES -A INPUT -i $INTINT -j ACCEPT
$IPTABLES -A FORWARD -i $INTINT -j ACCEPT
# Explicit final drops (same effect as the DROP policies above)
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
# Enable routing between the interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward
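The reason the VNC packets are dropped is visible in the script above: traffic from the Internet enters the box on ppp0 ($EXTPPP), but the FORWARD rules match -i $EXTINT (eth0), so no ACCEPT rule fires and the FORWARD policy DROP applies. The 8080 forward has a second problem: FORWARD runs after the DNAT, so the packet then carries destination port 80, while the rule matches --dport 8080. The following corrected ruleset is an added example, not the poster's script. The interface names, addresses and ports are taken from the post; the DRY_RUN switch, the helpers ipt, forward_port and apply_rules, and the admin address 203.0.113.10 (a placeholder for the one address that should be allowed to reach VNC) are assumptions made here.

```shell
#!/bin/sh
# Corrected port forwarding for the setup in the post above.
# Added example, not the original script. Interface names, addresses and
# ports come from the post; DRY_RUN, the helper functions and the placeholder
# admin address 203.0.113.10 are assumptions made here.
set -u

IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}          # 1 = print the rules instead of applying them (no root needed)

PRIVATE=192.168.10.0/24
EXTPPP=ppp0                    # Internet packets arrive here, not on eth0
INTINT=eth1
VNC_HOST=192.168.10.79
WEB_HOST=192.168.10.80
ADMIN_NET=203.0.113.10/32      # placeholder: the only source allowed to reach VNC

# ipt: apply one iptables command, or print it in dry-run mode
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# forward_port EXT_PORT INT_HOST INT_PORT [SRC_NET]
# DNAT in PREROUTING rewrites the destination before routing, so the FORWARD
# rule must match the internal host and port (the post-DNAT values) and the
# interface the packet really entered on (ppp0). Matching -i ppp0 instead of
# -d $PUBLICIP also keeps working when the dial-up address changes.
forward_port() {
    ext_port=$1; int_host=$2; int_port=$3
    src_match=""
    [ $# -ge 4 ] && src_match="-s $4"
    # src_match is intentionally unquoted so it splits into two words (or none)
    ipt -t nat -A PREROUTING -i "$EXTPPP" -p tcp $src_match --dport "$ext_port" \
        -j DNAT --to-destination "$int_host:$int_port"
    ipt -A FORWARD -i "$EXTPPP" -o "$INTINT" -p tcp $src_match \
        -d "$int_host" --dport "$int_port" -m state --state NEW -j ACCEPT
}

apply_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN -> Internet for every protocol, not only TCP. MASQUERADE uses the
    # current ppp0 address, so no fixed $PUBLICIP is needed.
    ipt -A FORWARD -i "$INTINT" -o "$EXTPPP" -s "$PRIVATE" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXTPPP" -s "$PRIVATE" -j MASQUERADE

    # VNC: limited to the admin address, because port 5900 forwarded without a
    # source restriction is reachable by anyone on the Internet.
    forward_port 5900 "$VNC_HOST" 5900 "$ADMIN_NET"
    # Web server: outside port 8080 -> inside port 80
    forward_port 8080 "$WEB_HOST" 80

    # Log whatever still falls through to the DROP policy, rate limited, so the
    # next "why is it dropped" question can be answered from the kernel log.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
}

apply_rules
[ "$DRY_RUN" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
```

Run it as-is to review the generated commands, then as root with DRY_RUN=0 to apply them. After that, `iptables -L FORWARD -n -v` and `iptables -t nat -L -n -v` show per-rule packet counters, so a forward that is not matching is visible as a rule whose counter stays at zero while the LOG lines in the kernel log show what was dropped instead. VNC traffic itself is not encrypted, so even with the source restriction it is better carried over an SSH tunnel than forwarded directly.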
More information about the redhat-list mailing list