[CentOS] A little iptables help
Kirk Bocek
t004 at kbocek.com
Wed Sep 28 17:46:05 UTC 2005
This needs to happen in the nat table:
iptables -t nat -A PREROUTING -p tcp -d 10.10.60.3 --dport 5900 -j DNAT --to-destination 10.10.60.4:5900
Make sure 10.10.60.4 is using 10.10.60.3 as its router for this traffic.
Kirk
James Pifer wrote:
> On Wed, 2005-09-28 at 11:56 -0500, Aleksandar Milivojevic wrote:
>
>>Quoting Rodrigo Barbosa <rodrigob at suespammers.org>:
>>
>>
>>>Humm, that should be relatively simple:
>>>
>>>iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j ACCEPT
>>
>>You probably want to use INPUT chain of filter table for this:
>>
>>iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
>>
>>If INPUT chain of filter table has default policy set to DROP, putting
>>an ACCEPT target into PREROUTING chain of nat table isn't going to let
>>the packet go through the firewall.
>
>
> Alright, I figured I would try a simple proof of concept with this.
> Without setting any policies to drop, meaning all the chains are wide
> open (all ACCEPT) I wanted to try and do VNC through the port forward.
>
> So I started with this:
> #iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Ran this:
> iptables -A FORWARD -p tcp --dport 5900 -s 192.168.192.24 -d 10.10.60.4
> -j ACCEPT
>
> Ended up with this:
> iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp dpt:http
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT tcp -- 192.168.192.24 10.10.60.4 tcp dpt:5900
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Now shouldn't I be able to run the VNC client from my machine
> 192.168.192.24, connecting to this server (10.10.60.3) and shouldn't it
> forward the VNC request to 10.10.60.4?
>
> Yes, communication does work between 192.168.192 and 10.10.60 subnets.
>
> Thanks,
> James
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
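The rule Kirk gives only rewrites the destination; a working forward also needs the FORWARD chain to pass the rewritten packet (note that FORWARD sees the post-DNAT address 10.10.60.4, which is why James's FORWARD rule matched on it), IP forwarding enabled, and a return path that goes back through the firewall. The script below is an added example written for this thread, not something posted in it: it uses the addresses from the thread, defaults to printing the commands (dry run), and the `run` helper, the `APPLY` variable and the optional `snat` argument are this example's own conventions. The `snat` option covers Kirk's caveat: if 10.10.60.4 does not route via 10.10.60.3, source NAT in POSTROUTING forces replies back through the firewall, at the cost of the VNC server seeing the firewall's address instead of the real client.

```shell
#!/bin/sh
# Added example (not from the thread): forward TCP port 5900 arriving at the
# firewall (10.10.60.3) to the VNC server (10.10.60.4) for one client.
# Prints the commands by default; run with APPLY=1 to execute them.
# Usage: sh vncfwd.sh        (dry run)
#        sh vncfwd.sh snat   (also SNAT, for a server that does not route via the firewall)

FW_IP=${FW_IP:-10.10.60.3}        # firewall address clients connect to
VNC_IP=${VNC_IP:-10.10.60.4}      # real VNC server behind the firewall
CLIENT=${CLIENT:-192.168.192.24}  # the only client allowed to reach VNC
PORT=${PORT:-5900}

# Execute the command when APPLY=1, otherwise just echo it (dry run).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Emit (or apply) the full rule set. Pass "snat" as $1 to add the
# POSTROUTING source-NAT rule for the asymmetric-routing case.
forward_rules() {
    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    run iptables -t nat -A PREROUTING -p tcp -d "$FW_IP" --dport "$PORT" \
        -j DNAT --to-destination "$VNC_IP:$PORT"

    # 2. filter/FORWARD: the packet now carries the server's address, so the
    #    FORWARD rule matches on VNC_IP, not FW_IP. Restrict to one client and
    #    to connection states the conntrack table knows about.
    run iptables -A FORWARD -p tcp -s "$CLIENT" -d "$VNC_IP" --dport "$PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -p tcp -s "$VNC_IP" --sport "$PORT" -d "$CLIENT" \
        -m state --state ESTABLISHED -j ACCEPT

    # 3. Return path. If VNC_IP uses FW_IP as its router, replies come back
    #    through the firewall and conntrack undoes the DNAT. If it does not,
    #    SNAT the forwarded packets so the server answers the firewall instead.
    if [ "${1:-}" = snat ]; then
        run iptables -t nat -A POSTROUTING -p tcp -d "$VNC_IP" --dport "$PORT" \
            -j SNAT --to-source "$FW_IP"
    fi

    # 4. Forwarding must be enabled or the kernel never routes the packet.
    run sysctl -w net.ipv4.ip_forward=1
}

forward_rules "${1:-}"
```

With the default wide-open policies from James's listing the FORWARD rules are redundant, but they are what keeps the forward usable once FORWARD is switched to DROP; the SNAT variant is only worth enabling when the server really cannot be given 10.10.60.3 as its gateway, because it hides the client's address from the VNC server's logs.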