iptables - port redirection - VNC
Nathaniel Hall
halln at otc.edu
Thu Jun 24 15:17:50 UTC 2004
Just by scanning over it pretty quickly, this is what I would do.
# DNAT lives in the nat table (PREROUTING), then FORWARD accepts the rewritten destination.
$IPTABLES -t nat -A PREROUTING -d $PUBLICIP -p tcp -m tcp --dport 5900 -j DNAT \
    --to-destination 192.168.10.79:5900
$IPTABLES -A FORWARD -d 192.168.10.79 -p tcp -m tcp --dport 5900 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d $PUBLICIP -p tcp -m tcp --dport 80 -j DNAT \
    --to-destination 192.168.10.80:80
$IPTABLES -A FORWARD -d 192.168.10.80 -p tcp -m tcp --dport 80 -j ACCEPT
~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathaniel Hall
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking
417-799-0552
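The two things that usually go wrong with a DNAT port forward are visible in this thread: the DNAT rule has to be in the nat table, and the FORWARD rule sees the packet *after* the rewrite, so it must match the internal address and port (a FORWARD rule for the public port 8080 never matches once the destination has become 192.168.10.80:80), and it must name the interface the public address actually sits on (if that is ppp0, a rule written for eth0 never sees the traffic and the DROP policy wins). The script below is an added example, not GK's script or Nathaniel's reply. It assumes the public IP is on ppp0 and the LAN on eth1, reuses the addresses from the thread, and uses a constructed placeholder ADMIN_NET (203.0.113.0/24, a documentation range) for the only network allowed to open VNC sessions; DRYRUN=1 prints the rules instead of applying them so the ruleset can be checked without root.

```sh
#!/bin/sh
# Added example (not the poster's or the replier's script). Assumptions,
# constructed for this example: the public IP 201.254.205.12 sits on ppp0,
# the LAN on eth1, the VNC host is 192.168.10.79 and the web server is
# 192.168.10.80. ADMIN_NET is a placeholder for the addresses VNC sessions
# may originate from. With DRYRUN=1 the rules are printed, not applied.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=ppp0
INTIF=eth1
PUBLICIP=201.254.205.12
VNC_HOST=192.168.10.79
WEB_HOST=192.168.10.80
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}

# ipt: run iptables, or print the invocation in dry-run mode.
ipt() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        "$IPTABLES" "$@"
    fi
}

# forward_tcp PUBLIC_PORT DEST_IP DEST_PORT [SOURCE]
# DNAT is done in nat/PREROUTING. By the time the packet reaches
# filter/FORWARD its destination is already DEST_IP:DEST_PORT, so the
# FORWARD rule matches the internal address and port, not the public port,
# and it matches the interface the public address really lives on.
forward_tcp() {
    pub_port=$1; dest_ip=$2; dest_port=$3; src=${4:-0.0.0.0/0}
    ipt -t nat -A PREROUTING -i "$EXTIF" -s "$src" -d "$PUBLICIP" \
        -p tcp --dport "$pub_port" -j DNAT --to-destination "$dest_ip:$dest_port"
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$src" -d "$dest_ip" \
        -p tcp --dport "$dest_port" -m state --state NEW -j ACCEPT
}

# apply_rules: the forwarding part of the ruleset. Reply traffic is covered
# by the ESTABLISHED,RELATED rule, so each service rule only needs NEW.
apply_rules() {
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # VNC is unencrypted, so expose it only to the admin network, not to
    # every source on the Internet.
    forward_tcp 5900 "$VNC_HOST" 5900 "$ADMIN_NET"
    # Public port 8080 -> internal web server port 80.
    forward_tcp 8080 "$WEB_HOST" 80
    [ "${DRYRUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# rule_count: number of iptables invocations the ruleset produces (dry run).
rule_count() {
    (DRYRUN=1; apply_rules) | wc -l | tr -d ' '
}

# Usage: sh fwd.sh show   (print the rules)
#        sh fwd.sh apply  (apply them, as root)
case "${1:-}" in
    apply) apply_rules ;;
    show)  DRYRUN=1; apply_rules ;;
esac
```

Run `sh fwd.sh show` first and read the FORWARD lines: every one should carry the internal host and port, never the public port, and the `-i` interface should be the one `ip addr` shows the public address on.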
-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com]
On Behalf Of GK
Sent: Thursday, June 24, 2004 10:06 AM
To: redhat-list at redhat.com
Subject: iptables - port redirection - VNC
Hi, I am a newbie in iptables. I must be doing something wrong. Is there an
expert in iptables? Sure!
I need to do port redirection from outside (Internet) to inside (one
specific PC). But the packets from the Internet to my public IP (port 5900)
are DROPped.
I need access via VNC from the Internet to the LAN inside, and on other ports
(8080). These are a few lines from my script to configure iptables.
Can somebody help me, please?
Does anyone have any ideas?
Thanks in advance,
GusKa.
---------------------
# eth0 local interface to Internet.
# eth1 local interface to private LAN.
# ppp0
#PRIVATE= private LAN
#EXTINT= Outside interface
#INTINT= Inside Interface
#EXTPPP= Outside public Interface
#PUBLICIP= My Public IP
PRIVATE=192.168.10.0/24
EXTINT=eth0
INTINT=eth1
EXTPPP=ppp0
PUBLICIP=201.254.205.12
LOOP=127.0.0.1
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# NAT to Outside.
$IPTABLES -t nat -A POSTROUTING -s $PRIVATE -p tcp -o $EXTPPP -j SNAT \
    --to $PUBLICIP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# VNC to PC inside (private LAN)
$IPTABLES -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 5900 -j DNAT \
    --to 192.168.10.79:5900
$IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 5900 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
# HTTP 8080 to server inside httpd
$IPTABLES -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 8080 -j DNAT \
    --to 192.168.10.80:80
$IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 8080 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
# www, dns, smtp are open
$IPTABLES -A INPUT -p tcp --dport http -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport smtp -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport domain -j ACCEPT
$IPTABLES -A INPUT -p udp --dport domain -j ACCEPT
# Masquerading rule
$IPTABLES -A INPUT -s $PRIVATE -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s $PRIVATE -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s $PRIVATE -m state --state NEW -j ACCEPT
# All in loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# All in private LAN
$IPTABLES -A INPUT -i $INTINT -j ACCEPT
$IPTABLES -A FORWARD -i $INTINT -j ACCEPT
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward