IPTABLES Port Forwarding Help!
bubble1975
post May 29 2008, 12:32 AM
Post #1



Group: Members
Posts: 1
Joined: 29-May 08
Member No.: 13,493



Hi All,

I'm having trouble setting up port forwarding on a linux host I have... Basically I have 2 machines. One has a public and a private IP address, the other just has a private address:


Machine 1:
public IP: 120.1.1.10
private IP: 10.1.1.50

Machine 2:
private IP: 10.1.1.133

I want to ssh to port 2222 on machine 1, on the public IP, and have it forward to port 22 on machine 2 on the private network. This is my current IP tables file on machine 1:


# Generated by iptables-save v1.3.5 on Wed May 28 20:56:31 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:7948]
-A FORWARD -d 10.1.3.133 -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p all -j ACCEPT
-A INPUT -i eth1 -p all -j ACCEPT
-A OUTPUT -o eth0 -p all -j ACCEPT
-A OUTPUT -o eth1 -p all -j ACCEPT
COMMIT
# Completed on Wed May 28 20:56:31 2008
# Generated by iptables-save v1.3.5 on Wed May 28 20:56:31 2008
*nat
:PREROUTING ACCEPT [451:32699]
:POSTROUTING ACCEPT [2:236]
:OUTPUT ACCEPT [2:236]
-A PREROUTING -d 120.1.1.10 -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.1.3.133:22
-A POSTROUTING -s 10.1.3.133 -o eth0 -j SNAT --to-source 120.1.1.10
COMMIT
# Completed on Wed May 28 20:56:31 2008

This just doesn't seem to work - can anyone see where I'm going wrong? I guess I want machine 2 to see connections coming from machine 1 to be coming from machine 1's private IP, but I'm not sure the 'source IP' is being re-written when it's being forwarded to machine 2... Not sure... Anyway, if anyone can see what's wrong here please let me know!!

Thanks so much,
bubble1975
Replies
michaelk
post May 31 2008, 09:03 AM
Post #2



Group: Support Specialist
Posts: 1,800
Joined: 23-January 03
Member No.: 360



Just a general comment that it is a good security practice to use a drop policy and then only allow what you want.

Try:
iptables -t nat -A PREROUTING -p TCP -i ethx --dport 2222 -j DNAT --to 10.1.1.133:22

Where ethx is your public ethernet connection.
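A complete version of the set-up discussed in this thread, written as an added example rather than either poster's own commands: it applies the default-drop policy michaelk recommends, the DNAT rule, and the FORWARD rule that the translated traffic must also pass. The interface names, addresses and ports are assumptions taken from the question; by default the script only prints the commands, and APPLY=1 executes them as root.

```shell
#!/bin/sh
# Added example, not the thread's own commands: a default-drop ruleset that
# forwards TCP port 2222 on machine 1's public address to port 22 on machine 2.
# Interfaces, addresses and ports are assumptions taken from the question.
# By default the commands are only printed; APPLY=1 executes them (needs root).
PUB_IF=${PUB_IF:-eth0}          # public side (michaelk's "ethx")
PRIV_IF=${PRIV_IF:-eth1}        # side facing the private network
PUB_IP=${PUB_IP:-120.1.1.10}
PUB_PORT=${PUB_PORT:-2222}
TARGET=${TARGET:-10.1.1.133}    # machine 2 (the posted rules used 10.1.3.133)
TARGET_PORT=${TARGET_PORT:-22}

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

apply_forwarding() {
    # Without IP forwarding the kernel discards the DNATed packet after PREROUTING.
    run sysctl -w net.ipv4.ip_forward=1
    # Default-drop on INPUT and FORWARD, then allow only what is needed.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$PRIV_IF" -p tcp --dport 22 -j ACCEPT   # admin ssh from the LAN only

    # Rewrite the destination before routing. Conntrack un-NATs the replies,
    # so the return direction needs no rule of its own.
    run iptables -t nat -A PREROUTING -i "$PUB_IF" -d "$PUB_IP" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$TARGET:$TARGET_PORT"

    # After DNAT the packet traverses FORWARD with its rewritten (private) address,
    # so FORWARD must accept it as well, and only towards that host and port.
    run iptables -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" -d "$TARGET" -p tcp --dport "$TARGET_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$PRIV_IF" -o "$PUB_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only needed when machine 2 does not route its replies back through machine 1:
    # run iptables -t nat -A POSTROUTING -o "$PRIV_IF" -d "$TARGET" -p tcp --dport "$TARGET_PORT" -j MASQUERADE
}

# Diagnostic: if the PREROUTING DNAT counter grows while the FORWARD ACCEPT
# counter does not, packets are being translated and then dropped by the policy.
show_counters() {
    run iptables -t nat -L PREROUTING -n -v
    run iptables -L FORWARD -n -v
}

apply_forwarding
show_counters
```

Run it once with APPLY unset to review the generated rules, then compare the two counter listings after a test connection from outside to see which chain is dropping the traffic.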
