Port Forwarding

Steven Buehler steve at ibushost.com
Thu Dec 20 03:12:44 UTC 2007


That did it for the most part.  I can do it with port 80.  Haven't tried all
of the different ones yet.  What I am really trying to do is to get a
forwarding rule that will allow me to port forward to a windows "Remote
Desktop".  Hence the port 3389.  The following gives me an error.
"Remote Desktop Disconnected
Because of a protocol error, this session will be disconnected.  Please try
connecting to the remote computer again."

iptables -A PREROUTING -t nat -p udp -m udp --dport 3389 -j DNAT --to-destination 209.209.209.209:3389
iptables -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth0 -p udp -m udp --dport 3389 -j ACCEPT

> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Troy Amburg
> Sent: Wednesday, December 19, 2007 5:54 PM
> To: General Red Hat Linux discussion list
> Subject: Re: Port Forwarding
> 
> I just did this a couple days ago, so this is from my shell history.
> This is on the gateway host, running rhel 5 that sits on a private
> and public network. The default gateway on all the private network
> hosts, points to this host.
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
>   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>   iptables -A FORWARD -i eth0 -o eth1 -m state --state
> RELATED,ESTABLISHED -j ACCEPT
>   iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>   service iptables save
> 
> On Dec 19, 2007, at 3:42 PM, Steven Buehler wrote:
> 
> >
> >
> >> -----Original Message-----
> >> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> >> bounces at redhat.com] On Behalf Of Steven Buehler
> >> Sent: Wednesday, December 19, 2007 1:13 PM
> >> To: 'General Red Hat Linux discussion list'
> >> Subject: RE: Port Forwarding
> >>
> >>> On Dec 19, 2007, at 9:43 AM, Steven Buehler wrote:
> >>>
> >>>>> -----Original Message-----
> >>>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> >>>>> bounces at redhat.com] On Behalf Of Troy Amburg
> >>>>> Sent: Wednesday, December 19, 2007 11:34 AM
> >>>>> To: General Red Hat Linux discussion list
> >>>>> Subject: Re: Port Forwarding
> >>>>>
> >>>>> Do you have a traceroute from Machine1 to Machine2? Also, is the
> >>>>> default route set correctly on Machine1?
> >>>>>
> >>>>> On Dec 19, 2007, at 9:07 AM, Steven Buehler wrote:
> >>>>>
> >>>>>> I am trying to do port forwarding and I just can't seem to get
> it
> >>>>>> to work.
> >>>>>> I hope that someone can help.
> >>>>>>
> >>>>>> Machine 1 is running RHEL AS 4.4 with the 2.6.9-42.0.2.ELsmp
> >>> kernel.
> >>>>>> iptables has been running as my firewall since I set it up.
> >>>>>>
> >>>>>> I am trying to get anything that comes in to port 3389 on
> >> "Machine
> >>>>>> 1" to go
> >>>>>> to "Machine2" at a different location.  Let's say for this that
> >> the
> >>>>>> IP of
> >>>>>> "Machine1" is 70.70.70.70 and the remote machine ("Machine 2")
> >> that
> >>>>>> I want
> >>>>>> to forward to is 209.209.209.209.  I am assuming that I don't
> >> have
> >>>>>> to do
> >>>>>> anything on "Machine2" except make sure the firewall for that
> >> port
> >>>>>> is opened
> >>>>>> to "Machine 1".
> >>>>>>
> >>>>>> I have done the following on "Machine 1":
> >>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
> >>>>>>
> >>>>>> Here is my /etc/sysconfig/iptables file from "Machine 1".  This
> >> is
> >>>>>> not the
> >>>>>> one that I would normally use because it is too open, but am for
> >>>>>> testing.
> >>>>>> ####################
> >>>>>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
> >>>>>> *nat
> >>>>>> :PREROUTING ACCEPT [3:536]
> >>>>>> :POSTROUTING ACCEPT [9:635]
> >>>>>> :OUTPUT ACCEPT [8:583]
> >>>>>> -A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-
> destination
> >>>>>> 209.209.209.209:80
> >>>>>> COMMIT
> >>>>>> # Completed on Wed Dec 19 10:50:11 2007
> >>>>>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
> >>>>>> *mangle
> >>>>>> :PREROUTING ACCEPT [318:24902]
> >>>>>> :INPUT ACCEPT [312:24214]
> >>>>>> :FORWARD ACCEPT [3:152]
> >>>>>> :OUTPUT ACCEPT [276:32613]
> >>>>>> :POSTROUTING ACCEPT [279:32765]
> >>>>>> COMMIT
> >>>>>> # Completed on Wed Dec 19 10:50:11 2007
> >>>>>> # Generated by iptables-save v1.2.11 on Wed Dec 19 10:50:11 2007
> >>>>>> *filter
> >>>>>> :INPUT ACCEPT [0:0]
> >>>>>> :FORWARD ACCEPT [0:0]
> >>>>>> :OUTPUT ACCEPT [276:32613]
> >>>>>> :RH-Firewall-1-INPUT - [0:0]
> >>>>>> -A INPUT -j RH-Firewall-1-INPUT
> >>>>>> -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
> >>>>>> -A FORWARD -j RH-Firewall-1-INPUT
> >>>>>> -A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-
> >> level
> >>> 7
> >>>>>> -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> >>>>>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> >>>>>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> >>>>>> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353
> >> -j
> >>>>>> ACCEPT
> >>>>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> >>>>>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j
> >>>>>> ACCEPT
> >>>>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-
> >> prohibited
> >>>>>> COMMIT
> >>>>>> # Completed on Wed Dec 19 10:50:11 2007
> >>>>>> ####################
> >>>>>>
> >>>>>> Thanks
> >>>>>> Steve
> >>>>>>
> >>>>
> >>>> A traceroute shows no problems.  Goes to the remote machine just
> >>>> fine.  I
> >>>> can also access the port on the remote machine with no problems.
> >>>>
> >>>> [root at mymachine]# route -n
> >>>> Kernel IP routing table
> >>>> Destination     Gateway         Genmask         Flags Metric Ref
> >>>> Use
> >>>> Iface
> >>>> 70.70.70.0     0.0.0.0         255.255.255.0   U     0
> >>>> 0        0 eth0
> >>>> 169.254.0.0     0.0.0.0         255.255.0.0     U     0
> >>>> 0        0 eth0
> >>>> 0.0.0.0         70.70.70.175   0.0.0.0         UG    0
> >>>> 0        0 eth0
> >>>>
> >>>>
> >>> -----Original Message-----
> >>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> >>> bounces at redhat.com] On Behalf Of Troy Amburg
> >>> Sent: Wednesday, December 19, 2007 11:49 AM
> >>> To: General Red Hat Linux discussion list
> >>> Subject: Re: Port Forwarding
> >>>
> >>> So you can traceroute from Machine1 to Machine2 without any
> problem,
> >>> and you can telnet to the port in question, from Machine1 to
> >>> Machine2? If that's the case, I guess I don't understand what's not
> >>> working.
> >>>
> >>
> >> 	Correct.  I have tried setting up port forwarding on several
> >> servers
> >> this way and have never been able to get it to work.  Some of the
> >> machines
> >> are RHEL 4.x and some are 5.x.  Selinux is not running on any of the
> >> machines and I can go from Machine1 to the port I want on Machine2
> >> with
> >> no
> >> problem.  I only have a problem when it comes to forwarding the
> >> ports.
> >> 	All installations and upgrades are done using up2date/yum so they
> >> are stock rpms.  I have searched the internet before resorting to
> >> this
> >> list
> >> and always come up with the same answers, run:
> >> echo 1 > /proc/sys/net/ipv4/ip_forward (which was set to 0
> originally)
> >> iptables -A PREROUTING -t nat -p tcp -m tcp --dport 3389 -j DNAT
> >> --to-destination 209.209.209.209:80
> >> iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
> >> iptables -A RH-Firewall-1-INPUT -s myip here -j ACCEPT
> >>
> >> Steve
> >
> > There has to be something simple that I am missing here.  I have 16
> > servers
> > and I tried setting up port forwarding on all of them with no
> > luck.  Simply
> > running the above 3 lines on each one.  On the remote machines, I
> > would even
> > stop the firewalls altogether so that I was sure that it wasn't
> > blocking
> > anything.  3 of the servers are in Kansas, 8 of the servers are in
> > a Data
> > Center in Missouri and 5 of the servers are in a Data Center in
> > Virginia.  I
> > have 2 Ethernet ports on each system, but don't use eth1 on all but
> > 3 of
> > them.  So I never set up these rules to use a second Ethernet
> > port.  Do I
> > need to use 2 ports?  The systems range from Red Hat Linux 7.3 to RH
> >
> > Steve
> >
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> 
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
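The ruleset quoted further down in this thread shows several of the things that make a one-armed DNAT forward fail or leak: the PREROUTING rule sends tcp/3389 to 209.209.209.209:80 rather than :3389, there is no POSTROUTING SNAT/MASQUERADE (so the forwarded packets still carry the client's source address, and the target's replies go straight back to a client that never spoke to it, which is what makes the session reset), and RH-Firewall-1-INPUT accepts everything arriving on eth0. The script below is an added example, not code posted by anyone on this list: it parses iptables-save output (the format of /etc/sysconfig/iptables) and flags those mistakes, plus a missing FORWARD ACCEPT and ip_forward=0. The sample dump, the finding codes and the assumption that the gateway itself performs the DNAT are mine.

```python
"""Lint an iptables-save dump for common DNAT port-forwarding mistakes.
Added example for this thread, not code posted by any list member."""
import shlex

# Constructed sample modelled on the ruleset quoted in the thread
# (addresses and packet counters are illustrative only).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [3:536]
:POSTROUTING ACCEPT [9:635]
-A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 209.209.209.209:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_iptables_save(text):
    """Return (rules, policies). A rule is {'table', 'chain', 'opts'}; opts maps
    each option (e.g. '--dport') to its argument, or to True when it has none."""
    rules, policies, table = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # table header, e.g. *nat
            table = line[1:]
        elif line.startswith(":"):               # chain header: :NAME POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            policies[(table, name)] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)             # handles quoted --log-prefix values
            opts, i = {}, 2
            while i < len(toks):
                has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                opts[toks[i]] = toks[i + 1] if has_arg else True
                i += 2 if has_arg else 1
            rules.append({"table": table, "chain": toks[1], "opts": opts})
    return rules, policies

def lint(rules, policies, ip_forward="1"):
    """Return a list of (code, message) findings for the parsed ruleset."""
    findings = []
    if ip_forward != "1":
        findings.append(("IP_FORWARD_OFF", "net.ipv4.ip_forward is not 1; nothing is forwarded"))
    nat = [r for r in rules if r["table"] == "nat"]
    filt = [r for r in rules if r["table"] == "filter"]
    has_snat = any(r["chain"] == "POSTROUTING" and r["opts"].get("-j") in ("SNAT", "MASQUERADE")
                   for r in nat)
    for r in nat:
        if r["chain"] != "PREROUTING" or r["opts"].get("-j") != "DNAT":
            continue
        proto, dport = r["opts"].get("-p"), r["opts"].get("--dport")
        host, _, port = r["opts"].get("--to-destination", "").partition(":")
        if not proto:
            findings.append(("NO_PROTO", f"DNAT to {host} matches every protocol; pin it with -p"))
        if port and dport and port != dport:
            findings.append(("PORT_REWRITE", f"DNAT {proto}/{dport} lands on {host}:{port}; "
                             f"the service must really listen on {port}"))
        if not has_snat:
            findings.append(("NO_SNAT", f"no POSTROUTING SNAT/MASQUERADE: replies from {host} "
                             "go straight to the client and bypass this gateway"))
        # Something in the FORWARD path must accept the DNATed packet.
        forward_ok = policies.get(("filter", "FORWARD")) == "ACCEPT" or any(
            f["chain"] == "FORWARD" and f["opts"].get("-j") == "ACCEPT"
            and "--state" not in f["opts"]
            and f["opts"].get("-p", proto) == proto
            and f["opts"].get("--dport", dport) == dport
            for f in filt)
        if not forward_ok:
            findings.append(("NO_FORWARD_ACCEPT", f"no FORWARD ACCEPT for {proto}/{dport} to {host}"))
    # Hygiene: an unconditional ACCEPT for everything arriving on a non-loopback interface.
    for r in filt:
        o = r["opts"]
        if (o.get("-j") == "ACCEPT" and o.get("-i") not in (None, "lo")
                and not any(k in o for k in ("-o", "-p", "--dport", "-s", "-d", "--state"))):
            findings.append(("OPEN_INTERFACE", f"{r['chain']} accepts all traffic on {o['-i']}"))
    return findings

def lint_dump(text, ip_forward="1"):
    return lint(*parse_iptables_save(text), ip_forward=ip_forward)

if __name__ == "__main__":      # usage: lint_fw.py [dump-file] [ip_forward value]
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for code, msg in lint_dump(text, sys.argv[2] if len(sys.argv) > 2 else "1"):
        print(f"{code}: {msg}")
```

Run it with no arguments to lint the embedded sample, or pass the output of `iptables-save` as a file and the contents of /proc/sys/net/ipv4/ip_forward as the second argument. Against the sample it reports PORT_REWRITE, NO_SNAT and OPEN_INTERFACE; a ruleset that DNATs tcp/3389 to :3389, masquerades in POSTROUTING and keeps a default-deny FORWARD chain with one narrow ACCEPT comes back clean. The linter cannot know which protocol a service speaks, so it only insists that a DNAT rule carries some -p; for Remote Desktop the listener is TCP 3389, which is worth checking by hand when a rule matches UDP only.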
