[CentOS] A little iptables help

Wed Sep 28 17:46:05 UTC 2005
Kirk Bocek <t004 at kbocek.com>

This needs to happen in the nat table:

iptables -t nat -A PREROUTING -p tcp -d 10.10.60.3 --dport 5900 -j DNAT \
    --to-destination 10.10.60.4:5900

Make sure 10.10.60.4 is using 10.10.60.3 as its router for this traffic.

Kirk
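An added example, not code from Kirk or anyone else on the list, that puts the whole forward in one script using the addresses from the thread (10.10.60.3 as the router, 10.10.60.4 as the VNC host, port 5900). The function names and the DRY_RUN switch are this example's own. It also covers the return-path caveat: when 10.10.60.4 does not route back through 10.10.60.3, the router has to SNAT as well, otherwise replies bypass it and arrive at the client with the wrong source address.

```shell
#!/bin/sh
# Added example: DNAT port forward for VNC on a Linux router (iptables).
# Addresses are the ones from the thread; vnc_forward, show_rules and
# the DRY_RUN switch are assumptions of this example. With DRY_RUN=1 the
# commands are printed instead of executed (executing needs root).

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vnc_forward FW_IP TARGET_IP PORT SNAT
#   FW_IP     the address clients connect to (the router, 10.10.60.3)
#   TARGET_IP the real VNC server (10.10.60.4)
#   PORT      TCP port to forward (5900)
#   SNAT      "yes" if TARGET_IP does NOT send replies back via FW_IP;
#             the router must then rewrite the source address as well
vnc_forward() {
    fw="$1"; target="$2"; port="$3"; snat="${4:-no}"

    # The kernel only moves packets between interfaces with forwarding on.
    run sysctl -w net.ipv4.ip_forward=1

    # nat/PREROUTING runs before the routing decision. Rewriting the
    # destination here is what turns "addressed to the router" into
    # "to be forwarded"; without it the packet is for a local IP and is
    # handed to INPUT, so a FORWARD rule never sees it.
    run iptables -t nat -A PREROUTING -p tcp -d "$fw" --dport "$port" \
        -j DNAT --to-destination "$target:$port"

    # filter/FORWARD sees the packet after DNAT, so match the real target.
    # Only needed when FORWARD's policy is DROP; harmless otherwise.
    run iptables -A FORWARD -p tcp -d "$target" --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies travel the other way; conntrack reverses the DNAT on them.
    run iptables -A FORWARD -p tcp -s "$target" --sport "$port" \
        -m state --state ESTABLISHED -j ACCEPT

    # If the target's gateway is not the router, its replies would skip
    # the router and reach the client with source TARGET_IP, which the
    # client never talked to. Forcing the source to FW_IP keeps the path
    # symmetric, at the cost of the VNC server logging every client as
    # FW_IP.
    if [ "$snat" = yes ]; then
        run iptables -t nat -A POSTROUTING -p tcp -d "$target" --dport "$port" \
            -j SNAT --to-source "$fw"
    fi
}

# Show packet counters. Plain "iptables -L" lists only the filter table,
# so the DNAT rule is invisible without -t nat.
show_rules() {
    run iptables -t nat -L PREROUTING -n -v
    run iptables -t nat -L POSTROUTING -n -v
    run iptables -L FORWARD -n -v
}

# Usage: DRY_RUN=1 sh forward.sh 10.10.60.3 10.10.60.4 5900 yes
if [ "$#" -ge 3 ]; then
    vnc_forward "$@"
    show_rules
fi
```

After applying it, the byte and packet counters from show_rules tell you where a connection stops: a DNAT rule that never increments means the client is not reaching the router's 5900 at all, a FORWARD rule that increments only in the client-to-server direction points at the return path.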

James Pifer wrote:
> On Wed, 2005-09-28 at 11:56 -0500, Aleksandar Milivojevic wrote:
> 
>>Quoting Rodrigo Barbosa <rodrigob at suespammers.org>:
>>
>>
>>>Humm, that should be relatively simple:
>>>
>>>iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j ACCEPT
>>
>>You probably want to use INPUT chain of filter table for this:
>>
>>iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
>>
>>If INPUT chain of filter table has default policy set to DROP, putting 
>>an ACCEPT
>>target into PREROUTING chain of nat table isn't going to let the packet go
>>through the firewall.
> 
> 
> Alright, I figured I would try a simple proof of concept with this.
> Without setting any policies to drop, meaning all the chains are wide
> open (all ACCEPT) I wanted to try and do VNC through the port forward. 
> 
> So I started with this:
> #iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> 
> 
> Ran this:
> iptables -A FORWARD -p tcp --dport 5900 -s 192.168.192.24 -d 10.10.60.4 \
>     -j ACCEPT
> 
> 
> 
> Ended up with this:
> iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     tcp  --  192.168.192.24         10.10.60.4 tcp dpt:5900
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Now shouldn't I be able to run the VNC client from my machine
> 192.168.192.24, connecting to this server (10.10.60.3) and shouldn't it
> forward the VNC request to 10.10.60.4?
> 
> Yes, communication does work between 192.168.192 and 10.10.60 subnets. 
> 
> Thanks,
> James
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos