iptables - port redirection - VNC

Nathaniel Hall halln at otc.edu
Thu Jun 24 15:17:50 UTC 2004


Just by scanning over it pretty quickly, this is what I would do.

# PREROUTING lives in the nat table, so the DNAT rules need -t nat.
$IPTABLES -t nat -A PREROUTING -d $PUBLICIP -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.10.79:5900
$IPTABLES -A FORWARD -d 192.168.10.79 -p tcp -m tcp --dport 5900 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d $PUBLICIP -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.80:80
$IPTABLES -A FORWARD -d 192.168.10.80 -p tcp -m tcp --dport 80 -j ACCEPT


~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathaniel Hall
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking
417-799-0552


-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com]
On Behalf Of GK
Sent: Thursday, June 24, 2004 10:06 AM
To: redhat-list at redhat.com
Subject: iptables - port redirection - VNC

Hi, I am a newbie in iptables. I must be doing something bad. Is there an
expert in iptables? Sure!
I need to do port redirection from outside (Internet) to inside (one
specific PC). But the packets from the Internet to my public IP (port 5900)
are DROPped.
I need access via VNC from the Internet to the LAN inside, and other ports
(8080). These are a few lines from my script to configure iptables.

Can somebody help me, please?
Does anyone have any ideas?
Thanks in advance,

GusKa.

---------------------

# eth0 local interface to Internet.
# eth1 local interface to private LAN.
# ppp0 

#PRIVATE= private LAN
#EXTINT= Outside interface
#INTINT= Inside Interface
#EXTPPP= Outside public Interface 
#PUBLICIP= My Public IP
 

PRIVATE=192.168.10.0/24
EXTINT=eth0
INTINT=eth1
EXTPPP=ppp0
PUBLICIP=201.254.205.12
LOOP=127.0.0.1

$IPTABLES -P OUTPUT  ACCEPT
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP
 

# NAT to Outside.
$IPTABLES -t nat -A POSTROUTING -s $PRIVATE -p tcp -o $EXTPPP -j SNAT --to $PUBLICIP
 

$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# VNC to PC inside (private LAN)
$IPTABLES -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 5900 -j DNAT --to 192.168.10.79:5900
$IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# HTTP 8080 to server inside httpd
$IPTABLES -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 8080 -j DNAT --to 192.168.10.80:80
$IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# www, dns, smtp are open
$IPTABLES -A INPUT -p tcp --dport http -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport smtp -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport domain -j ACCEPT
$IPTABLES -A INPUT -p udp --dport domain -j ACCEPT
 

# Masquerading rule
$IPTABLES -A INPUT  -s $PRIVATE  -m state --state NEW  -j ACCEPT
$IPTABLES -A OUTPUT  -s $PRIVATE  -m state --state NEW  -j ACCEPT
$IPTABLES -A FORWARD  -s $PRIVATE  -m state --state NEW  -j ACCEPT
 

# All in loopback
$IPTABLES -A INPUT  -i lo  -j ACCEPT
$IPTABLES -A OUTPUT  -o lo  -j ACCEPT
 

# All in private LAN
$IPTABLES -A INPUT -i $INTINT -j ACCEPT
$IPTABLES -A FORWARD -i $INTINT -j ACCEPT

$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD  -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
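As an added example (not code from either poster), a small shell function that emits the DNAT rule together with a FORWARD rule that matches the packet as it looks after translation (internal address and port, not the public 8080). It assumes the public IP is bound to ppp0, the interface the original SNAT rule uses, and substitutes a printing stub for iptables so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the DNAT + FORWARD pair for one
# published service. The FORWARD rule must match what the packet looks like
# *after* PREROUTING DNAT: internal IP and internal port, arriving on the
# interface that carries the public IP.
# Assumptions: public IP lives on ppp0 (as the original SNAT rule implies);
# iptables is replaced by a printing stub. Set IPTABLES=/sbin/iptables on a
# real gateway to apply the rules.

EXTPPP=ppp0
INTINT=eth1
PUBLICIP=201.254.205.12

# Stub: prints the rule instead of loading it into the kernel.
fake_iptables() { printf 'iptables %s\n' "$*"; }
IPTABLES=${IPTABLES:-fake_iptables}

# publish PUBLIC_PORT INTERNAL_IP INTERNAL_PORT
publish() {
    pub_port=$1; int_ip=$2; int_port=$3
    # nat table: rewrite the destination before the routing decision
    $IPTABLES -t nat -A PREROUTING -i "$EXTPPP" -p tcp -d "$PUBLICIP" \
        --dport "$pub_port" -j DNAT --to-destination "$int_ip:$int_port"
    # filter table: the packet now carries int_ip:int_port, so match that,
    # and only for new connections from the outside interface
    $IPTABLES -A FORWARD -i "$EXTPPP" -o "$INTINT" -p tcp -d "$int_ip" \
        --dport "$int_port" -m state --state NEW -j ACCEPT
}

# Replies are covered once by the stateful rule; everything else is dropped.
base_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: the two services from the original post.
base_rules
publish 5900 192.168.10.79 5900   # VNC, same port inside and out
publish 8080 192.168.10.80 80     # public 8080 -> internal httpd on 80
```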