topic iptables rule for remote desktop in Operating System - Linux

iptables rule for remote desktop

Donny Jekels — Sun, 17 Sep 2006 08:34:26 GMT

short description of my network:

dmzhost: 2 interfaces
eth1 -> internet (static IP)
eth0 -> inside lan

with no firewall rules in place I run putty session and port forward my local port 13888 to my desktop at work port 3389

i think the command line version would be

ssh -L 13888:myoffcepc:3389 dmzhost

anyway:

I looked at many iptables rules and examples and just cannot get the remote desktop rules to work.

any advice would eb greatly appreciated

Donny

Re: iptables rule for remote desktop

Stuart Browne — Sun, 17 Sep 2006 18:05:05 GMT

Well, assuming your firewall lets the SSH session through, everything should be fine.

I use the same sort of thing myself to get into both my home and office machines.

If it isn't working, then you need to look at your PC's firewall, to ensure that 3389 is allowed in from your DMZ interface. As it's using SSH port forwarding, the IP of your non-office machine is irrelevant to your office machine.

So, assuming the SSH connects, the rest should be ok.

What sort of errors are you getting, and what sort of remote desktop protocol are you using? (don't recognize 3389).

Re: iptables rule for remote desktop

Matti_Kurkela — Mon, 18 Sep 2006 03:07:49 GMT

Port 3389 sounds like Windows Remote Desktop (RDP) to me.

If I understand this correctly, your dmzhost is at home, and you're trying to access your office PC which has a globally-reachable IP address. Right?

First, is your dmzhost configured as a router or as a bridge? Both are possible, although the first is more likely. Can you browse Web from a computer in your inside LAN? Do you have a NAT set up between internet and your inside LAN?

If you have no NAT and you're using global IP addresses in your inside LAN, you should not need any iptables rules: it should Just Work.

If you have a NAT, it should work too, although there might be complications about host names: the connection comes from your inside LAN, but the officePC sees it as coming from the dmzhost. What kind of error messages are you getting?

You need special iptables rules only if you're coming from outside a NAT and wanting to go inside. In this case, they would be DNAT-type rules in PREROUTING chain.

The command to create the rule would be something like:
iptables -t nat -A PREROUTING -i -p tcp --dport -j DNAT --to-destination <3389>

Re: iptables rule for remote desktop

timmy2006 — Wed, 08 Nov 2006 01:19:23 GMT

tcpdump is your friend.
for testing purposes leave only your testing networks in iptables\ipfw rules and comment restrictions by ports.
i mean
ipfw=iptables
$ipfw -s your_net -j allow
or smth like that.
when u got stable working tunnel - apply other rules.