On Wed, 2005-09-28 at 11:56 -0500, Aleksandar Milivojevic wrote:
Quoting Rodrigo Barbosa rodrigob@suespammers.org:
Humm, that should be relatively simple:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j ACCEPT
You probably want to use INPUT chain of filter table for this:
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
If INPUT chain of filter table has default policy set to DROP, putting an ACCEPT target into PREROUTING chain of nat table isn't going to let the packet go through the firewall.
Alright, I figured I would try a simple proof of concept with this. Without setting any policies to DROP, meaning all the chains are wide open (all ACCEPT), I wanted to try and do VNC through the port forward.
So I started with this:

#iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Ran this:

iptables -A FORWARD -p tcp --dport 5900 -s 192.168.192.24 -d 10.10.60.4 -j ACCEPT
Ended up with this:

#iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.192.24       10.10.60.4          tcp dpt:5900

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Now shouldn't I be able to run the VNC client from my machine 192.168.192.24, connecting to this server (10.10.60.3) and shouldn't it forward the VNC request to 10.10.60.4?
Yes, communication does work between 192.168.192 and 10.10.60 subnets.
Thanks, James
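As an added example (not part of the thread), the rule set that would actually forward VNC arriving at the gateway 10.10.60.3 on to 10.10.60.4: a FORWARD ACCEPT rule only permits routed packets, the destination rewrite has to happen as DNAT in the nat table's PREROUTING chain, and the filter table's FORWARD chain must then accept the packet with its rewritten destination. Addresses and port are the thread's; the default-DROP FORWARD policy and the conntrack rules are assumptions, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT port forward for VNC plus the
# filter rules that let the rewritten packet through a default-DROP FORWARD.

GATEWAY_IP=10.10.60.3      # from the thread: the box running iptables
VNC_HOST=10.10.60.4        # from the thread: the real VNC server
VNC_PORT=5900              # from the thread
CLIENT=192.168.192.24      # from the thread: the only client allowed in

# Dry run by default: print each command instead of executing it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

port_forward_rules() {
    # Default-deny in filter/FORWARD: routed packets need an explicit ACCEPT.
    run iptables -P FORWARD DROP
    # Replies and related packets of already-accepted flows, both directions.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 1) Rewrite the destination before the routing decision (nat/PREROUTING).
    #    ACCEPT here would do nothing; DNAT is what changes where the packet goes.
    run iptables -t nat -A PREROUTING -p tcp -s "$CLIENT" \
        -d "$GATEWAY_IP" --dport "$VNC_PORT" \
        -j DNAT --to-destination "$VNC_HOST:$VNC_PORT"
    # 2) filter/FORWARD sees the packet after DNAT, so the ACCEPT must match
    #    the new destination 10.10.60.4, not the gateway address.
    run iptables -A FORWARD -p tcp -s "$CLIENT" -d "$VNC_HOST" \
        --dport "$VNC_PORT" -m state --state NEW -j ACCEPT
    # The kernel must also be allowed to route between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1
}

# Succeeds only if a dry run contains both halves of the port forward:
# the DNAT rewrite and the FORWARD accept for the rewritten destination.
check_rules() {
    out=$(APPLY=0; port_forward_rules)
    echo "$out" | grep -q -- "-j DNAT --to-destination $VNC_HOST:$VNC_PORT" &&
    echo "$out" | grep -q -- "-A FORWARD .* -d $VNC_HOST --dport $VNC_PORT"
}

port_forward_rules
```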