Mailinglist Archive: opensuse-security (670 mails)

Re: [suse-security] simple Port forwarding
  • From: Andreas Baetz <andreas.baetz@xxxxxxxx>
  • Date: Thu, 15 Nov 2001 09:42:30 +0100
  • Message-id: <01111509423000.10856@pp1>
On Thursday 15 November 2001 00:58, spiekey wrote:
> Hello!
> I would like to forward my port 80 and 5000 and 5001.
> Why does it not work?
> I do not get an error or anything. The apache/vnc at the other side is
> running.
>
> iptables -F OUTPUT
> iptables -F INPUT
> iptables -F FORWARD
> iptables -t nat -F PREROUTING
>
>
> iptables -P OUTPUT ACCEPT
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -t nat -P POSTROUTING DROP
>
>
> iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j DNAT --to 192.168.1.40
> iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j DNAT --to 192.168.1.40
> #Make sure connections for VNC servers are accepted.
> iptables -t nat -A POSTROUTING -p tcp --destination-port 80 -j ACCEPT
> iptables -t nat -A POSTROUTING -p tcp --destination-port 80 -j ACCEPT
>
>
> iptables -t nat -A PREROUTING -d 212.185.31.98 -p tcp --destination-port 5900 -j DNAT --to 192.168.1.2
> iptables -t nat -A PREROUTING -d 212.185.31.98 -p tcp --destination-port 5901 -j DNAT --to 192.168.1.2
> #Make sure connections for VNC servers are accepted.
> iptables -t nat -A POSTROUTING -d 212.185.31.98 -p tcp --destination-port 5900 -j ACCEPT
> iptables -t nat -A POSTROUTING -d 212.185.31.98 -p tcp --destination-port 5901 -j ACCEPT
>
>
> #iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j REDIRECT --to 192.168.1.40:80
>
> #iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 80 -j DROP
> #iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 20 -j DROP
> #iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 21 -j DROP
> #iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 22 -j DROP
>
> iptables -A INPUT -i ppp0 -p tcp --syn -j DROP

Do you have rules (POSTROUTING) for the answers from the servers?
If not, they are probably dropped (policy DROP for POSTROUTING).
I'd suggest always having one last rule in each chain that logs
packets that don't match any rule before it.

Andreas Baetz
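
The suggestion above (a final logging rule in every chain), as an added example that is not part of the original message. The `fallthru` prefix, the rate limit, the `APPLY` switch and the function names are assumptions of this example; the chain list comes from the quoted script.

```shell
#!/bin/sh
# Added example: append a rate-limited catch-all LOG rule to every chain the
# quoted script touches. Run it AFTER the other rules are loaded, because -A
# appends: the LOG rule must be last so it only sees packets nothing matched.
# LOG does not end traversal, so the packet still falls through to the policy.
# Dry run by default (prints the commands); APPLY=1 as root installs them.

# "table:chain" pairs taken from the quoted script.
CHAINS="filter:INPUT filter:OUTPUT filter:FORWARD nat:PREROUTING nat:POSTROUTING"

# Assumed rate limit so a burst of unmatched packets cannot flood the kernel log.
LIMIT="-m limit --limit 5/min --limit-burst 10"

# add_log_rule TABLE CHAIN: emit or install one LOG rule.
add_log_rule() {
    prefix="fallthru $1/$2: "          # constructed prefix, names the chain
    # iptables accepts at most 29 characters for --log-prefix.
    if [ "${#prefix}" -gt 29 ]; then
        echo "log prefix too long for $1/$2" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        # $LIMIT is intentionally unquoted so it splits into separate options.
        iptables -t "$1" -A "$2" $LIMIT -j LOG --log-prefix "$prefix"
    else
        printf 'iptables -t %s -A %s %s -j LOG --log-prefix "%s"\n' \
            "$1" "$2" "$LIMIT" "$prefix"
    fi
}

# add_all_log_rules: one LOG rule per chain in CHAINS; stops at the first error.
add_all_log_rules() {
    for pair in $CHAINS; do
        add_log_rule "${pair%%:*}" "${pair#*:}" || return 1
    done
}

add_all_log_rules
```

Once installed, a packet that reaches a chain's policy leaves a kernel log line starting with that chain's prefix, for example `fallthru nat/POSTROUTING: `, which shows which chain the traffic fell through.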


