Help - Search - Members - Calendar
Full Version: Help With Iptables
Linuxhelp > Support > Technical Support
Hi all.. I need some help using IPTABLES for fowarding...

I am running redhat 9.0 as a gateway firewalling box and i would like to foward the Windows XP remote desktop port (3389) and VNC ports (580# & 590#) upstairs to my XP box...

Currently I tried the following... but it does not appear to be responding...

$IPTABLES -A PREROUTING -t nat -p tcp -d --dport 3389 -j DNAT --to

Im using masquerading NAT and not sure if i need a corresponding line to tell the packets how to get back out. I thought this should have been done automatically.

Can anyone confirm that this is the correct way to do it?

Thanks in advance

Wolfsta tongue.gif
If you want all traffic that comes to port 3389 from inside your firewall to be routed to, this will do it:

$IPTABLES -A PREROUTING -t nat -p tcp --dport 3389 -j DNAT --to

IF you only want traffic to a specific IP forwarded (for example only traffic to then you would use a -d .... or if you only want traffic from to be forwarded, the command would be: -s .... if you only want to forward traffic from the, add this to the line above: -s
Ok cool thanks hughesjr smile.gif

i actually want to forward traffic from the internet external of my firewall so that i can access my machine from work and polytech. Will that be exactly the same and dont specify an input... but do i need to open those ports on the firewall also... (the firewall is part of the same script that will do the fowarding).


Wolfsta tongue.gif
YES ... that is part of it .... but it needs to be changed (the example was internal only) .... which i will post (after a warning)!
I would NOT open Windows XP remote desktop port to the whole world .... in fact, I would not (and don't) even allow that service to run on my XP computer. On my cable modem's firewall, over the last 3 months, I average 12 port scans per week at port 3389 ... those scans are either someone who knows what they are doing looking for the XP Remote Desktop Port/windows terminal server or a virus/worm from an infected computer doing a scan ... either way, it IS extremely dangerous to open that port up if you want to keep outside people off your computer. See this graph of port 3389 scans from What these graphs represent are external scans or connection attempts to networks that report their info to ... which is not the majority of internet users. The blue line (read against the left (reports) axis shows is the number of computers where connections were attempted on that port (per day). For port 3389 it's 5000-6000 attempts per day.

The reports for the main vnc ports 5800 and 5900 are not routinely as high as 3389, but you can see they are also well scanned (300-600 times per day).

If you can, limit the incoming connection as coming from a specific P's (if you have static IP addresses {or a NAT gateway} at work and polytech) ... or at least restrict the connections to the entire networks of those two locations .

OK ... the warning is over biggrin.gif
Here is how you would port forward from the external ethernet card (assuming eth1 is the external interface and eth0 is the internal interface on your gateway ... if not, adjust accordingly) ... all rules are one long line (in case they wrap):

EXTERNAL_IPADDR = #add your external address

$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTERNAL_INTERFACE -d $EXTERNAL_IPADDR --dport 3389 -j DNAT --to-destination

$IPTABLES -t nat -A PREROUTING -p udp -i $EXTERNAL_INTERFACE -d $EXTERNAL_IPADDR --dport 3389 -j DNAT --to-destination

$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTERNAL_INTERFACE -d $EXTERNAL_IPADDR --dport 5800,5801,5802,5803,5804,5805,5806,5807,5808,5809 -j DNAT --to-destination

$IPTABLES -t nat -A PREROUTING -p udp -i $EXTERNAL_INTERFACE -d $EXTERNAL_IPADDR --dport 5800,5801,5802,5803,5804,5805,5806,5807,5808,5809 -j DNAT --to-destination



$IPTABLES -A FORWARD -p tcp -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -d --dport 5800,5801,5802,5803,5804,5805,5806,5807,5808,5809 -j ACCEPT

$IPTABLES -A FORWARD -p udp -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -d --dport 5800,5801,5802,5803,5804,5805,5806,5807,5808,5809 -j ACCEPT
If you have a known IP (or ip range) you will be connecting from (say the IP at work is AAA.BBB.CCC.DDD, and polytech is class "c" network XXX.YYY.ZZZ.0/ then add a -s AAA.BBB.CCC.DDD into the PREROUTING lines ... they would then look like these (you would need two new rules for each one PREROUTING rule right now) examples:

$IPTABLES -t nat -A PREROUTING -p udp -i $EXTERNAL_INTERFACE -s AAA.BBB.CCC.DDD -d $EXTERNAL_IPADDR --dport 3389 -j DNAT --to-destination

$IPTABLES -t nat -A PREROUTING -p udp -i $EXTERNAL_INTERFACE -s XXX.YYY.ZZZ.0/ -d $EXTERNAL_IPADDR --dport 3389 -j DNAT --to-destination
Cheers... yes i am aware of the risk... i would not be leaving it open rather putting it in the script commented out and uncommenting when needed and rerunning the script remotely via SSH.

Thanks for that i havent yet tried but i will hopefully get time tonight.


Wolfsta biggrin.gif
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2018 Invision Power Services, Inc.