Well ... I appreciate all of the generous help and input.  What finally
worked is pasted below.

# accept anything arriving on eth1 and routed out eth0 (no port or state match)
$IPT -A FORWARD -i eth1 -o eth0 -j ACCEPT
# accept new TCP connections to port 1025 (nat/PREROUTING runs first, so the
# DNATed SSH packet reaches FORWARD with dport 22 and is matched by the rule above)
$IPT -A FORWARD -p tcp --dport 1025 -m state --state NEW -j ACCEPT
# rewrite external port 1025 to the internal host's sshd
$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 1025 -j DNAT \
    --to-destination 192.168.1.99:22

I think my problem (amongst the many) was that they had created the new
named string "tcp_inbound" within my iptables (some script was used - I
forget which one).  I was screwing up which chains everything was getting
added to ... meaning I was adding to "tcp_inbound" improperly ... so I did
it the right way ... finally ... and it worked.

So ... I THINK the interpretation of what I have is

1) the FORWARD string has the check for port 1025, if so it jumps to string
ACCEPT
2) the FORWARD string also knows that anything in on eth1 can go to eth0
(outside to inside)
3) the last command says to take anything for port 1025 and send it to the
internal machine.

A lesson in frustration .. but also an education in iptables ... in keeping
it all straight.

Randy
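The order in which a forwarded packet traverses the tables is what the thread is wrestling with: nat/PREROUTING rewrites the destination before the routing decision, and filter/FORWARD then sees the rewritten destination (DPT=22 in the posted log line, not 1025). The following model of that walk is an added example, not code from either post; it transcribes the posted rules into matchers, adds a tighter FORWARD chain of my own (an assumption, not something from the thread), and runs two constructed packets through both. Interface roles follow the log line (IN=eth1 external, OUT=eth0 internal).

```python
"""Model of the netfilter path a forwarded packet takes on a Linux NAT box:
nat/PREROUTING (DNAT rewrites the destination) -> routing decision ->
filter/FORWARD (sees the rewritten destination). Constructed example."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str      # result of the routing decision, fixed here for simplicity
    proto: str
    src: str
    dst: str
    dport: int
    state: str = "NEW"   # conntrack state (-m state) as seen in FORWARD


@dataclass
class Rule:
    name: str                          # the iptables line this rule stands for
    match: Callable[[Packet], bool]
    target: str                        # "ACCEPT", "DROP" or "DNAT:<ip>:<port>"


def run_chain(chain: List[Rule], pkt: Packet, policy: str) -> Tuple[str, Optional[str]]:
    """First matching rule wins, as in iptables; fall back to the chain policy."""
    for rule in chain:
        if rule.match(pkt):
            return rule.target, rule.name
    return policy, None


def forward(nat_prerouting: List[Rule], filter_forward: List[Rule],
            pkt: Packet, policy: str = "DROP") -> Tuple[str, Optional[str], Packet]:
    """Walk PREROUTING then FORWARD; return (verdict, matching rule, packet as FORWARD saw it)."""
    target, _ = run_chain(nat_prerouting, pkt, "ACCEPT")
    if target.startswith("DNAT:"):
        _, ip, port = target.split(":")
        pkt = replace(pkt, dst=ip, dport=int(port))   # DNAT is applied before FORWARD runs
    verdict, rule = run_chain(filter_forward, pkt, policy)
    return verdict, rule, pkt


# The posted rules, transcribed into matchers.
NAT_PREROUTING = [
    Rule("-t nat -A PREROUTING -i eth1 -p tcp --dport 1025 -j DNAT --to 192.168.1.99:22",
         lambda p: p.in_if == "eth1" and p.proto == "tcp" and p.dport == 1025,
         "DNAT:192.168.1.99:22"),
]
POSTED_FORWARD = [
    Rule("-A FORWARD -i eth1 -o eth0 -j ACCEPT",
         lambda p: p.in_if == "eth1" and p.out_if == "eth0", "ACCEPT"),
    Rule("-A FORWARD -p tcp --dport 1025 -m state --state NEW -j ACCEPT",
         lambda p: p.proto == "tcp" and p.dport == 1025 and p.state == "NEW", "ACCEPT"),
]

# A tighter FORWARD chain (assumption: my suggestion, not from the thread). It matches the
# post-DNAT destination, so only the redirected SSH connection is let in from eth1.
TIGHT_FORWARD = [
    Rule("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
         lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    Rule("-A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.1.99 --dport 22 -m state --state NEW -j ACCEPT",
         lambda p: (p.in_if, p.out_if, p.proto) == ("eth1", "eth0", "tcp")
         and p.dst == "192.168.1.99" and p.dport == 22 and p.state == "NEW", "ACCEPT"),
    Rule("-A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT",
         lambda p: p.in_if == "eth0" and p.out_if == "eth1" and p.state == "NEW", "ACCEPT"),
]

# Constructed packets: SSH_SYN is the posted log line's connection as it arrives on eth1,
# before DNAT; PROBE is any other TCP SYN routed from eth1 toward the LAN (no DNAT matches).
SSH_SYN = Packet("eth1", "eth0", "tcp", "131.216.114.113", "63.98.3.64", 1025)
PROBE = Packet("eth1", "eth0", "tcp", "131.216.114.113", "192.168.1.99", 445)


def posted(pkt: Packet):
    return forward(NAT_PREROUTING, POSTED_FORWARD, pkt)


def tight(pkt: Packet):
    return forward(NAT_PREROUTING, TIGHT_FORWARD, pkt)


if __name__ == "__main__":
    for label, fn in (("posted", posted), ("tight", tight)):
        for pkt in (SSH_SYN, PROBE):
            verdict, rule, seen = fn(pkt)
            print(f"{label:6} {pkt.dst}:{pkt.dport} -> FORWARD saw {seen.dst}:{seen.dport}: "
                  f"{verdict} via {rule}")
```

Running it shows that with the posted chain the SSH SYN is accepted by the blanket eth1-to-eth0 rule (FORWARD never sees dport 1025), and so is the unrelated probe; the tighter chain accepts only the DNATed SSH connection and drops the probe.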

----- Original Message ----- 
From: <josh at joshwelch.com>
To: "Randy Clarksean" <rclark at lakesplus.com>; "TCLUG Mailing List"
<tclug-list at mn-linux.org>
Sent: Friday, June 18, 2004 4:46 PM
Subject: Re: [TCLUG] redirect with iptables command


> Quoting Randy Clarksean <rclark at lakesplus.com>:
>
> <snip>
> > That did take care of the error for the iptables command .. but it still
> > does not make it through the firewall.  The packets still die ... nothing
> > makes it to the internal machine.  I added the first command to just open up
> > port 1025 from everywhere in the world ...hoping that it would help
> > (apparently it didn't)
> >
> > CURRENT COMMANDS:
> >
> > $IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 1025 -j ACCEPT
> > $IPT -A tcp_inbound -p udp -s 0/0 --destination-port 1025 -j ACCEPT
> > $IPT -t nat -A PREROUTING -p tcp -d 172.16.5.47 --dport 1025 -j DNAT \
> >  --to-destination 192.168.1.99:22
> >
> > LOG FILE MESSAGE
> >
> > Jun 17 12:25:49 server kernel: FORWARD packet died: IN=eth1 OUT=eth0
> > SRC=131.216.114.113 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=24688 DF
> > PROTO=TCP SPT=42431 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> > COMMAND USED TO SSH
> >
> > ssh -p 1025 -l rclark 63.98.3.64
> >
> <snip>
>
> do you have something to the effect of -A FORWARD -i eth0 -o eth1 -j tcp_inbound
> ?
>
> Josh
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> Help beta test TCLUG's potential new home: http://plone.mn-linux.org
> Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
> tclug-list at mn-linux.org
> https://mailman.real-time.com/mailman/listinfo/tclug-list
