[CentOS] A little iptables help

Wed Sep 28 17:28:08 UTC 2005
James Pifer <jep at obrien-pifer.com>

On Wed, 2005-09-28 at 11:56 -0500, Aleksandar Milivojevic wrote:
> Quoting Rodrigo Barbosa <rodrigob at suespammers.org>:
> 
> > Humm, that should be relatively simple:
> >
> > iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j ACCEPT
> 
> You probably want to use INPUT chain of filter table for this:
> 
> iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
> 
> If INPUT chain of filter table has default policy set to DROP, putting
> an ACCEPT target into PREROUTING chain of nat table isn't going to let
> the packet go through the firewall.

Alright, I figured I would try a simple proof of concept with this.
Without setting any policies to drop, meaning all the chains are wide
open (all ACCEPT) I wanted to try and do VNC through the port forward. 

So I started with this:
#iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Ran this:
iptables -A FORWARD -p tcp --dport 5900 -s 192.168.192.24 -d 10.10.60.4 -j ACCEPT

Ended up with this:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.192.24         10.10.60.4 tcp dpt:5900

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now shouldn't I be able to run the VNC client from my machine
192.168.192.24, connecting to this server (10.10.60.3) and shouldn't it
forward the VNC request to 10.10.60.4?

Yes, communication does work between 192.168.192 and 10.10.60 subnets. 

Thanks,
James
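To show which chain actually sees the VNC connection, here is an added Python model of the netfilter path (not part of the thread) using the addresses quoted above; the nat PREROUTING DNAT rule in the second ruleset is an assumption about what the posted ruleset lacks, not something James posted.

```python
"""Toy model of netfilter traversal: nat PREROUTING, then the routing
decision, then the filter INPUT or FORWARD chain.  Constructed example;
only the match fields needed for the thread's rules are modelled."""

LOCAL_ADDRS = {"10.10.60.3"}   # the firewall's own address, from the post


def match(rule, pkt):
    """A rule matches when every field it specifies equals the packet's."""
    return all(rule[k] == pkt[k] for k in ("proto", "src", "dst", "dport") if k in rule)


def run_chain(chain, pkt, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if match(rule, pkt):
            return rule["target"], rule
    return policy, None


def traverse(tables, pkt):
    """Return (filter chain used, final destination, verdict) for one packet."""
    pkt = dict(pkt)
    target, rule = run_chain(tables["nat"]["PREROUTING"], pkt)
    if target == "DNAT":                     # DNAT rewrites the destination
        pkt["dst"] = rule["to"]              # before the routing decision
    # Routing decision: a local destination goes to INPUT, anything else to
    # FORWARD (which also requires net.ipv4.ip_forward=1 on a real box).
    chain = "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"
    verdict, _ = run_chain(tables["filter"][chain], pkt)
    return chain, pkt["dst"], verdict


# The VNC client on 192.168.192.24 connects to the firewall itself (.3).
VNC_PKT = {"proto": "tcp", "src": "192.168.192.24", "dst": "10.10.60.3", "dport": 5900}

# Ruleset exactly as listed in the post: filter rules only, nat table empty.
FWD_RULE = {"proto": "tcp", "dport": 5900, "src": "192.168.192.24",
            "dst": "10.10.60.4", "target": "ACCEPT"}
POSTED = {"nat": {"PREROUTING": []},
          "filter": {"INPUT": [{"proto": "tcp", "dport": 80, "target": "ACCEPT"}],
                     "FORWARD": [FWD_RULE]}}

# Same filter rules plus an assumed DNAT, i.e. what this command would add:
#   iptables -t nat -A PREROUTING -p tcp -d 10.10.60.3 --dport 5900 \
#            -j DNAT --to-destination 10.10.60.4
WITH_DNAT = {"nat": {"PREROUTING": [{"proto": "tcp", "dst": "10.10.60.3", "dport": 5900,
                                     "target": "DNAT", "to": "10.10.60.4"}]},
             "filter": POSTED["filter"]}

if __name__ == "__main__":
    print("posted ruleset:", traverse(POSTED, VNC_PKT))      # INPUT on .3
    print("with DNAT:     ", traverse(WITH_DNAT, VNC_PKT))   # FORWARD to .4
```

With the posted rules the packet is delivered locally to 10.10.60.3 and the FORWARD rule is never consulted; only after DNAT does the routing decision send it through FORWARD, where the existing ACCEPT rule matches.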