
iptables rule for remote desktop

Donny Jekels
Respected Contributor

iptables rule for remote desktop

short description of my network:

dmzhost: 2 interfaces
eth1 -> internet (static IP)
eth0 -> inside lan

with no firewall rules in place I run putty session and port forward my local port 13888 to my desktop at work port 3389

i think the command line version would be

ssh -L 13888:myoffcepc:3389 dmzhost

anyway:

I looked at many iptables rules and examples and just cannot get the remote desktop rules to work.

any advice would be greatly appreciated

Donny
"Vision, is the art of seeing the invisible"
Stuart Browne
Honored Contributor

Re: iptables rule for remote desktop

Well, assuming your firewall lets the SSH session through, everything should be fine.

I use the same sort of thing myself to get into both my home and office machines.

If it isn't working, then you need to look at your PC's firewall, to ensure that 3389 is allowed in from your DMZ interface. As it's using SSH port forwarding, the IP of your non-office machine is irrelevant to your office machine.

So, assuming the SSH connects, the rest should be ok.

What sort of errors are you getting, and what sort of remote desktop protocol are you using? (don't recognize 3389).
One long-haired git at your service...
Matti_Kurkela
Honored Contributor

Re: iptables rule for remote desktop

Port 3389 sounds like Windows Remote Desktop (RDP) to me.

If I understand this correctly, your dmzhost is at home, and you're trying to access your office PC which has a globally-reachable IP address. Right?

First, is your dmzhost configured as a router or as a bridge? Both are possible, although the first is more likely. Can you browse Web from a computer in your inside LAN? Do you have a NAT set up between internet and your inside LAN?

If you have no NAT and you're using global IP addresses in your inside LAN, you should not need any iptables rules: it should Just Work.

If you have a NAT, it should work too, although there might be complications about host names: the connection comes from your inside LAN, but the officePC sees it as coming from the dmzhost. What kind of error messages are you getting?

You need special iptables rules only if you're coming from outside a NAT and wanting to go inside. In this case, they would be DNAT-type rules in PREROUTING chain.

The command to create the rule would be something like:
iptables -t nat -A PREROUTING -i <external-interface> -p tcp --dport <port> -j DNAT --to-destination <inside-host-ip>:3389
MK
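As an added illustration of the two paths discussed in this thread (not code from any of the posters), the script below puts both into a small dmzhost ruleset: the SSH-tunnel path, where only port 22 needs to be open because sshd on dmzhost originates the outbound 3389 connection itself, and the DNAT path from Matti's reply, which also needs matching FORWARD rules or the translated packets are dropped. Interface names, the LAN prefix and the example inside host are assumptions; DRY_RUN=1 prints the rules instead of applying them.

```bash
#!/bin/sh
# dmzhost firewall sketch for the thread's scenario. Assumed layout (constructed):
WAN=${WAN:-eth1}                      # internet side, static IP
LAN=${LAN:-eth0}                      # inside LAN
LAN_NET=${LAN_NET:-192.168.1.0/24}    # constructed example prefix
RDP_PORT=3389

# Wrapper: with DRY_RUN=1 the rule is printed rather than installed.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Path 1: ssh -L 13888:officepc:3389 dmzhost, run from the inside LAN.
# The tunnel's far end is opened by sshd on dmzhost, so the box only has to
# accept SSH from the LAN; nothing on 3389 is exposed on the WAN side.
# Outbound 3389 to the office PC rides on the (assumed) ACCEPT OUTPUT policy.
tunnel_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
}

# Path 2: a connection arriving from outside that must reach an RDP host on
# the inside LAN. PREROUTING DNAT rewrites the destination; the FORWARD chain
# still has to allow the rewritten packet and the replies, hence three rules.
# Usage: dnat_rules <inside-host-ip> <public-port>
dnat_rules() {
    inside_pc=$1; public_port=$2
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$public_port" \
        -j DNAT --to-destination "$inside_pc:$RDP_PORT"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$inside_pc" --dport "$RDP_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# "sh dmz.sh preview" prints both rule sets with a constructed inside host.
if [ "${1:-}" = "preview" ]; then
    DRY_RUN=1 tunnel_rules
    DRY_RUN=1 dnat_rules 192.168.1.50 13888
fi
```

Note that the DNAT path exposes a public port for RDP on the WAN interface, which the SSH-tunnel path avoids entirely; restrict it with -s to known source addresses if it is used at all.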
timmy2006
Advisor

Re: iptables rule for remote desktop

tcpdump is your friend.
For testing purposes, leave only your testing networks in the iptables\ipfw rules and comment out the restrictions by ports.
I mean
ipfw=iptables
$ipfw -s your_net -j allow
or something like that.
When you've got a stable working tunnel, apply the other rules.