Re: IPtables rule

 
SOLVED
Go to solution
Tom Ward_1
Honored Contributor

IPtables rule

Hello,

I know what I want, but I don't know how to format it for iptables. I've been going in circles for hours, so hopefully someone can help me with this.

I want to allow external connections through my router so that I can connect from a specific remote IP to an internal box via ssh. From the remote system I want to ssh to a high-numbered port such as 9876 and have the router send that to an internal box, 192.168.1.20, on port 22.

I've found rules to open up ssh and forward to an internal box, but I want to be selective about which external IPs can connect and I want them coming in on a high port.

I hope that's clear.

Regards,
Tom
4 REPLIES
Steven E. Protter
Exalted Contributor
Solution

Re: IPtables rule

Shalom Tom,

Examples....

# iptables-save format: each line is the argument list that follows "iptables"
# -p 47 matches IP protocol number 47 (GRE); -p tcp --dport 1723 is the PPTP control channel
-A FORWARD -d 192.168.0.131 -i eth0 -p 47 -j ACCEPT
-A FORWARD -d 192.168.0.131 -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT

Forward destination -d port 47 to internal IP address 192.168.0.131, everything from eth0.

What you can do is use the -s option along with -i to control the interface:

# same rule, but only for traffic arriving from the one remote address
-A FORWARD -d 192.168.0.131 -i eth0 -s 24.123.3.108 -p 47 -j ACCEPT

That's generally what you want, so long as your sources have fixed IP addresses.

Change the port and the -s source to meet your actual needs.

Post any error messages my code generates.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
ger donohue_1
Advisor

Re: IPtables rule

You will also need a nat table rule as well as the forwarding rules previously mentioned.

# ${OUTSIDE_DEVICE}, ${REMOTE_IP} and ${OUTSIDE_IP} are placeholders for the
# external interface, remote address and public address left blank in the post
iptables -t nat -A PREROUTING -i ${OUTSIDE_DEVICE} -p tcp -s ${REMOTE_IP} --destination-port 9876 -j DNAT --to-destination 192.168.1.20:22

iptables -A FORWARD -p tcp -i ${OUTSIDE_DEVICE} --destination-port 22 --destination 192.168.1.20 -j ACCEPT

iptables -A FORWARD -s 192.168.1.20 -j ACCEPT

iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.20 -o ${OUTSIDE_DEVICE} -j SNAT --to-source ${OUTSIDE_IP}

If the external address is dynamically assigned:
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.20 -o ppp0 -j MASQUERADE

You can harden or soften these as applicable by specifying the source ports in the POSTROUTING chains.
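The two replies above together describe the full rule set Tom asked for: a DNAT in the nat table's PREROUTING chain that rewrites router:9876 to 192.168.1.20:22, a FORWARD rule that only accepts that rewritten traffic from the one remote address, and a POSTROUTING rule for the LAN's outbound traffic. The script below is an added example, not code from the thread or from any of its posters. It prints the iptables commands instead of running them, so the rule set can be reviewed before being piped to sh, and it refuses to emit anything if an address or port is malformed, so a typo cannot leave a half-built, over-permissive chain. The interface names (eth0 outside, eth1 inside) and the remote address 203.0.113.10 (from the RFC 5737 documentation range) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iptables commands for
# "one remote host -> router:PUBLIC_PORT -> SERVER_IP:SERVER_PORT".
# Apply with:  ssh_forward_rules 203.0.113.10 9876 192.168.1.20 22 | sh
# Interface names and 203.0.113.10 are constructed placeholders.

OUTSIDE_DEV=${OUTSIDE_DEV:-eth0}   # interface facing the Internet (assumed)
INSIDE_DEV=${INSIDE_DEV:-eth1}     # interface facing 192.168.1.0/24 (assumed)

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet 0-255.
valid_ipv4() {
    case $1 in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# valid_port PORT: succeed only for an integer in 1-65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ssh_forward_rules REMOTE_IP PUBLIC_PORT SERVER_IP SERVER_PORT
# Prints one command per line. Returns 1 and prints nothing if any
# argument is malformed, so a bad value never yields a partial rule set.
ssh_forward_rules() {
    remote=$1
    public_port=$2
    server=$3
    server_port=$4
    valid_ipv4 "$remote" && valid_port "$public_port" \
        && valid_ipv4 "$server" && valid_port "$server_port" || return 1
    # DNAT runs in PREROUTING, before routing, so FORWARD already sees the
    # rewritten destination (server:22) rather than the public port.
    # The -s match is repeated in FORWARD: that is the rule that actually
    # enforces the source restriction even if another DNAT rule is added later.
    # Replies are un-NATed by conntrack, so no SNAT is needed for this session;
    # MASQUERADE only serves connections the LAN itself initiates outbound.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING -i $OUTSIDE_DEV -p tcp -s $remote --dport $public_port -j DNAT --to-destination $server:$server_port
iptables -A FORWARD -i $OUTSIDE_DEV -o $INSIDE_DEV -p tcp -s $remote -d $server --dport $server_port -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $OUTSIDE_DEV -j MASQUERADE
EOF
}

# Print the rule set for the constructed remote address.
ssh_forward_rules 203.0.113.10 9876 192.168.1.20 22
```

On the 2.4-era kernels the floppy firewalls of this thread ran, replace `-m conntrack --ctstate` with the older `-m state --state`; the chain layout is otherwise the same. Because the rules are appended with -A, check with `iptables -L FORWARD -n --line-numbers` that no earlier rule already accepts or drops the forwarded traffic.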
Bill Thorsteinson
Honored Contributor

Re: IPtables rule

Consider installing Shorewall. It will build the NAT rules and open the port for you.
Tom Ward_1
Honored Contributor

Re: IPtables rule

Thank you for the replies.

I've got one part working -- the subnet restrictions. I haven't worked out the port shifting bit yet.

I'm using floppy firewall. Here are the rules that I have so far.

# ${OUTSIDE_IP}, ${SERVER_IP} and ${INSIDE_DEVICE} come from the firewall's config; 999.999.999.0/24 stands in for the real remote subnet
iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 22 -s 999.999.999.0/24 -j DNAT --to ${SERVER_IP}:22
iptables -A FORWARD -p tcp -s 999.999.999.0/24 -d ${SERVER_IP} --dport 22 -o ${INSIDE_DEVICE} -j ACCEPT

They're just a slight modification of the sample rule given.

I plan to check out bering-uClib. It has shorewall and looks like it's actively maintained.

As a side note, I was checking eBay for another 486 like mine to use as a test box, and there aren't many of them for sale anymore. Too bad; they work well as routers.

Thanks and Happy Holidays,
Tom