[CentOS] A little iptables help

James Pifer jep at obrien-pifer.com
Wed Sep 28 17:28:08 UTC 2005


On Wed, 2005-09-28 at 11:56 -0500, Aleksandar Milivojevic wrote:
> Quoting Rodrigo Barbosa <rodrigob at suespammers.org>:
> 
> > Humm, that should be relatively simple:
> >
> > iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j ACCEPT
> 
> You probably want to use INPUT chain of filter table for this:
> 
> iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
> 
> If INPUT chain of filter table has default policy set to DROP, putting an ACCEPT
> target into PREROUTING chain of nat table isn't going to let the packet go
> through the firewall.

Alright, I figured I would try a simple proof of concept with this.
Without setting any policies to drop, meaning all the chains are wide
open (all ACCEPT), I wanted to try and do VNC through the port forward.

So I started with this:
#iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Ran this:
iptables -A FORWARD -p tcp --dport 5900 -s 192.168.192.24 -d 10.10.60.4 -j ACCEPT

Ended up with this:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.192.24         10.10.60.4 tcp dpt:5900

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now shouldn't I be able to run the VNC client from my machine
192.168.192.24, connecting to this server (10.10.60.3), and shouldn't it
forward the VNC request to 10.10.60.4?

Yes, communication does work between 192.168.192 and 10.10.60 subnets. 

Thanks,
James
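Added example (not from this thread or from CentOS): a small POSIX shell helper, named `vnc_forward_rules` here as an assumption, that emits or applies the rule set a port forward of this kind needs, with the addresses taken from the thread. It pairs the FORWARD rule above with the DNAT rule in the nat PREROUTING chain that actually redirects a connection arriving at 10.10.60.3:5900 to 10.10.60.4, and turns on IP forwarding; a FORWARD rule on its own only permits traffic that is already being routed to 10.10.60.4, it does not rewrite traffic addressed to the firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Host roles are assumed from the thread:
# firewall 10.10.60.3, VNC server 10.10.60.4, permitted client 192.168.192.24.
FW_IP=10.10.60.3       # address the client connects to
VNC_SERVER=10.10.60.4  # internal host running the VNC server
CLIENT=192.168.192.24  # only this source may use the forward
PORT=5900

# Default mode prints the commands so they can be reviewed first;
# "apply" runs them (needs root and iptables on the firewall).
vnc_forward_rules() {
    mode=${1:-print}
    if [ "$mode" = apply ]; then run() { "$@"; }; else run() { echo "$*"; }; fi

    # 1. Rewrite the destination before routing. Without this, a packet for
    #    10.10.60.3:5900 is delivered to the firewall itself (INPUT chain)
    #    and never reaches the FORWARD chain at all.
    run iptables -t nat -A PREROUTING -p tcp -s "$CLIENT" -d "$FW_IP" --dport "$PORT" \
        -j DNAT --to-destination "$VNC_SERVER:$PORT"
    # 2. Permit the rewritten packet through FORWARD (the thread's rule, kept
    #    narrow to the one client, one server and one port).
    run iptables -A FORWARD -p tcp -s "$CLIENT" -d "$VNC_SERVER" --dport "$PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # 3. Permit the replies back; conntrack un-DNATs them automatically.
    run iptables -A FORWARD -p tcp -s "$VNC_SERVER" --sport "$PORT" -d "$CLIENT" \
        -m state --state ESTABLISHED -j ACCEPT
    # 4. Forwarding must be enabled in the kernel or routed packets are dropped
    #    no matter what the FORWARD chain says.
    run sysctl -w net.ipv4.ip_forward=1
}

vnc_forward_rules "$@"
```

If 10.10.60.4's route back to 192.168.192.24 does not pass through this firewall, the replies bypass the connection-tracking entry and the forward silently fails; a SNAT or MASQUERADE rule in the nat POSTROUTING chain on the firewall forces the return path through it.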
