On Sat, 04 Sep 2004 16:32:29 +1000 Clement <[EMAIL PROTECTED]> wrote:
> Tom Vier wrote:
>
>> I've tried several times, using multiple different rules I've found from
>> different sites, and I still can't get port forwarding working. Does
>> anyone have working rules they could send me? I'm trying to forward
>> packets from my ISP to port 2222 to an internal IP (I use NAT) and port 22.
>
> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination $INT_IP
> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination $INT_IP
> /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 22 -d $INT_IP -j SNAT --to-source $EXT_IP
> /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 2222 -d $INT_IP -j SNAT --to-source $EXT_IP
>
> define $INT_IP - internal IP to forward to, and
> define $EXT_IP - external IP on your outbound interface.

I'm not sure from your post which port is forwarded to where, but this is
how it would be done if port 2222 is being forwarded by your iptables to
port 22. You need DNAT:

# -i takes an interface name ($EXT_INT); the client's source port is not
# fixed, so the rule matches on the destination port 2222
$IPTABLES -t nat -A PREROUTING -p TCP -i $EXT_INT \
    -s 0/0 --dport 2222 -j DNAT \
    --to-destination $INT_IP:22

And you need to define a forward rule. This is how I do it.

$IPTABLES -N fwtcpOK
$IPTABLES -A fwtcpOK -p TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A fwtcpOK -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "FW DROP TCP: "
$IPTABLES -A fwtcpOK -p TCP -j DROP

$IPTABLES -N fwtcpi
# after the PREROUTING DNAT, FORWARD sees the packet with --dport 22
$IPTABLES -A fwtcpi -p TCP --dport 22 -j fwtcpOK

$IPTABLES -A FORWARD -p TCP -i $EXT_INT \
    -d $LOCALNET_1 -j fwtcpi

I know it looks complicated with the chains, but it allows for flexibility.

Good luck,
Craig Jackson
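The complete rule set for the case Craig describes (TCP 2222 arriving on the external interface, delivered to port 22 on an internal host), written as an added example that is not part of any message in this thread. The variable names EXT_INT, INT_IP, EXT_PORT and INT_PORT, the interface name eth0 and the address 192.168.1.10 are assumptions; DRY_RUN=1 prints the commands instead of applying them so the script can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT EXT_INT:EXT_PORT to INT_IP:INT_PORT
# with a matching FORWARD policy. All names and addresses below are assumed.

: "${EXT_INT:=eth0}"          # external (ISP-facing) interface, assumed name
: "${INT_IP:=192.168.1.10}"   # internal SSH host, constructed example address
: "${EXT_PORT:=2222}"         # port exposed to the ISP side
: "${INT_PORT:=22}"           # port sshd listens on internally
: "${DRY_RUN:=1}"             # 1 = print commands, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it verbatim.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dnat_rule: rewrite the destination of inbound connections that arrive on
# EXT_INT for EXT_PORT. Restricting to -i EXT_INT keeps LAN clients that talk
# to the firewall itself on port EXT_PORT from being redirected as well.
dnat_rule() {
    run iptables -t nat -A PREROUTING -i "$EXT_INT" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$INT_IP:$INT_PORT"
}

# forward_rules: after the PREROUTING DNAT the FORWARD chain sees the packet
# with the internal address and INT_PORT, so that is what is matched here.
# Replies to established connections are allowed back; everything else
# entering from EXT_INT is rate-limit logged and dropped.
forward_rules() {
    run iptables -A FORWARD -i "$EXT_INT" -p tcp -d "$INT_IP" --dport "$INT_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXT_INT" -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-prefix "FW DROP: "
    run iptables -A FORWARD -i "$EXT_INT" -j DROP
}

# apply_all: enable routing between interfaces, then install the rules.
apply_all() {
    run sysctl -w net.ipv4.ip_forward=1
    dnat_rule
    forward_rules
}

apply_all
```

No POSTROUTING SNAT is needed for the return path as long as the internal host uses the firewall as its default gateway; conntrack reverses the DNAT on the replies by itself. Adding SNAT to the external address, as in the quoted rules, makes every forwarded connection appear to sshd to come from the firewall, which hides the real client address from the SSH host's logs and from any per-source lockout tooling running there.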