
Firewall piercing


asounds

IS-IT--Management
Apr 5, 2004
15
US
I hope this is the correct forum for this.

I just set up a Centos 4.3 server. Using iptables and Webmin, I have a working firewall. Now, I need to be able to access an internal (masq'd) Windows server via Remote Desktop. I had this working fine with IPChains on my old system, but can't figure it out with IPTables.

This is what I have (found example on 'net) and it is not working.
Code:
-A FORWARD -p udp -m udp -d 192.168.0.2 -i eth0 --dport 3389 --sport 3389 -j ACCEPT

Any suggestions/examples or sites? I've been searching and have not found it yet, but still searching.

Thanks
 
You need to have NAT done first:
Code:
iptables -A PREROUTING -t nat -i eth0 -p udp -d [your_external_ip] --dport 3389 -j DNAT --to-destination [your_internal_ip]:3389


--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--
 
Here is a copy of my iptables file. See if you can figure out what I have screwed up. I can also post the iptables status if you want. You'll notice that I am also trying to access SQL on an internal server. Actually, the SQL is more important than the Windows Remote Desktop, but figure if I get one, the other will work.

Thanks.

Obviously where I have '[external ip]' I really do have the real IP address. ;)

Code:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source [external ip]
-A PREROUTING -p udp -m udp -d [external ip] -i eth0 --dport 3389 -j DNAT --to-destination 192.168.0.2:3389
COMMIT
*mangle
:PREROUTING ACCEPT [55:7936]
:INPUT ACCEPT [52:7702]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:7702]
:POSTROUTING ACCEPT [52:7702]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
-A INPUT -s 127.0.0.1/255.0.0.0 -i eth0 -j DROP
-A INPUT -p udp -m udp -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK,RST SYN -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -p udp -m udp -d 192.168.0.2 -i eth0 --dport 3389 --sport 3389 -j ACCEPT
-A FORWARD -p udp -m udp -s [external ip] -d 192.168.0.2 -i eth0 --dport 1433 --sport 1433 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.0.2 -i eth0 --dport 3389 --sport 3389 -j ACCEPT
-A FORWARD -p tcp -m tcp -s [external ip] -d 192.168.0.2 -i eth0 --dport 1433 --sport 1433 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j LOG
-A INPUT -j LOG
COMMIT
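As an added example (not code from the thread or from either poster): a small POSIX shell script that emits a working DNAT plus FORWARD rule set for the Remote Desktop case above and lints a rule line for the two mistakes visible in the posted file, a udp-only rule for a TCP service and a --sport match on the service port. It assumes eth0 is the external interface, eth1 the LAN side and 192.168.0.2 the Windows host, as in the thread; the external address and any trusted client address are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables rules that forward
# RDP (TCP 3389) from the external interface to an internal host, and
# lints a rule line for the two mistakes seen in the posted rule set.
# Assumptions: eth0 = external, eth1 = LAN, 192.168.0.2 = Windows host.

EXT_IF=eth0
LAN_IF=eth1
RDP_HOST=192.168.0.2
RDP_PORT=3389

# nat table: rewrite the destination before routing. RDP is TCP, so the
# rule must match tcp; a udp-only DNAT never sees an RDP connection.
dnat_rule() {
    ext_ip=$1
    printf '%s\n' "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $ext_ip --dport $RDP_PORT -j DNAT --to-destination $RDP_HOST:$RDP_PORT"
}

# filter table: allow the new session in and replies back out. There is no
# --sport match: clients connect from an ephemeral source port, so matching
# --sport 3389 drops ordinary sessions. Pass a client address as $1 to limit
# who may reach the forwarded port (advisable for RDP and SQL Server).
forward_rules() {
    if [ -n "$1" ]; then src="-s $1 "; else src=""; fi
    printf '%s\n' "iptables -A FORWARD -i $EXT_IF -o $LAN_IF ${src}-p tcp -d $RDP_HOST --dport $RDP_PORT -m state --state NEW -j ACCEPT"
    printf '%s\n' "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Returns 1 (and explains why) when a rule line carries either mistake.
lint_rule() {
    case "$1" in
        *"--sport $RDP_PORT"*)
            echo "bad: --sport $RDP_PORT never matches a client's ephemeral source port"; return 1 ;;
    esac
    case "$1" in
        *"-p udp"*"--dport $RDP_PORT"*)
            echo "bad: RDP is TCP; a udp rule never sees an RDP session"; return 1 ;;
    esac
    return 0
}

# Run directly to print the rule set for review; [external ip] is a placeholder
# and TRUSTED_CLIENT, if set, is the one address allowed to reach the host.
print_ruleset() {
    dnat_rule "${1:-[external ip]}"
    forward_rules "$2"
}
print_ruleset "$EXT_IP" "$TRUSTED_CLIENT"
```

Review the printed lines, then run them as root; the nat rule goes in before the FORWARD rules so the rewritten destination is what the filter table sees.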
 
