- 11-26-2007 #1
IPTABLES question
Hello,
I am new to IPTABLES and was hoping someone might be able to help me. I have an HTTP server running on port 80. I use SSH from work to connect to the same PC that runs the web server, but due to firewall restrictions I can only use port 80. I want to create a rule so all traffic on port 80 from a specific IP address or range (my workplace) gets forwarded to port 22, but all other port 80 traffic is routed normally.
Many thanks.
Chemist
- 11-27-2007 #2
So you'd like port forwarding..
here:
-> Hackorama
Since I have been using the 2.4 kernel, I use iptables for firewall and NAT. So these are the iptables rules required for port forwarding xxx.xxx.xxx.xxx:8888 to 192.168.0.2:80.
Code:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:80
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT
- 11-27-2007 #3
Hi mate,
Thanks for that, however it appears not to work. I use this script (iptablesrocks.org - Deploying the firewall) and after I enter this:
Code:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 82.45.23.202 --dport 80 -j DNAT --to 192.168.1.68:22
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.68 --dport 22 -j ACCEPT
this is the result of iptables -L:
general pastebin - Someone - post number 799915
I am trying to get any port 80 traffic from 82.45.23.202 to go to port 22 of 192.168.1.68
any help will be welcome
Thanx
- 11-28-2007 #4
- 11-28-2007 #5
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source      destination
DNAT       tcp  --  anywhere    62-31-164-55.cable.ubr11.azte.blueyonder.co.uk  tcp dpt:www to:192.168.1.68:22
DNAT       tcp  --  anywhere    193.34.231.236                                  tcp dpt:www to:192.168.1.68:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination
I changed the ip addresses.
Thanks
- 11-28-2007 #6
- 11-28-2007 #7
Excuse my idiocy, but what do you mean by "re-entering the command but right this time"?
Thanx
- 11-29-2007 #8
Here is what you are looking for:
If the box you are trying to get to is behind the firewall box
[INTERNET]<-->[firewall]<-->[SSH Box]
Code:
iptables -t nat -A PREROUTING -p tcp -s <Work IP> --dport 80 -j DNAT --to-destination <serverIP>:22
If the box you are trying to ssh to is on the firewall box
[INTERNET]<-->[firewall/ssh box]
Code:
iptables -t nat -A PREROUTING -p tcp -s <WorkIP> --dport 80 -j REDIRECT --to-ports 22
The first rule tells iptables to change the IP address it is going to.
The second one tells iptables that it is to stay on the present box and doesn't need to be routed on.
- 11-29-2007 #9
Thanks a lot! That worked straight off
I might be pushing my luck here, but how would I achieve the same result for a range of IPs?
Regards, Chemist
- 11-29-2007 #10
I guess it's not the most effective way but..
I'd write a file that has a list of IPs in there.
Call it iplist.conf
Then I'd make a new script that has:
Code:
iptables -t nat -A PREROUTING -p tcp -s $1 --dport 80 -j REDIRECT --to-ports 22
then I'll give it
Code:
chmod +x addfirewall.sh
and call it addfirewall.sh
then I have to link those files together doing this:
Code:
open (IP, "iplist.conf");
while ($parseIP = <IP>) {
    chomp($parseIP);              # strip the newline so it is passed as one clean argument
    `sh addfirewall.sh $parseIP`;
}
close(IP);
save that file as ExecuteMe.perl
do
Code:
chmod +x ExecuteMe.perl
then
Code:
perl ExecuteMe.perl
and it should be done

I hope that helped.
I know for sure LazyDog has a better way but still
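An added example, not code from this thread or from any of its posters: a POSIX shell script that emits the REDIRECT rule from post #8 for every entry in a list file, the job post #10 does with Perl. It assumes eth0 is the internet-facing interface and a file named iplist.conf (a constructed sample is created inline); because `-s` accepts CIDR notation, one entry such as 203.0.113.0/24 covers a whole range, and each entry is validated first so a stray line cannot become an overly broad rule. Rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Build "port 80 -> 22" REDIRECT rules for a list of trusted source addresses.
# Assumptions: external interface eth0, list file iplist.conf, one IPv4 address
# or a.b.c.d/nn per line. Nothing is applied unless APPLY=1 is in the environment.

# Accept only a dotted quad, optionally with a /0-32 prefix, so that a malformed
# line is rejected instead of silently producing a wildcard or broken rule.
valid_source() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    # The regex cannot range-check octets, so do that separately.
    for octet in $(printf '%s\n' "${1%%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (or, with APPLY=1, execute) one nat PREROUTING rule per valid entry in $1.
# Blank lines and '#' comments are skipped; invalid entries are reported on stderr.
redirect_rules() {
    list="$1"; iface="${2:-eth0}"
    while IFS= read -r src || [ -n "$src" ]; do
        case "$src" in ''|\#*) continue ;; esac
        if ! valid_source "$src"; then
            printf 'skipping invalid entry: %s\n' "$src" >&2
            continue
        fi
        rule="iptables -t nat -A PREROUTING -i $iface -p tcp -s $src --dport 80 -j REDIRECT --to-ports 22"
        if [ "${APPLY:-0}" = 1 ]; then $rule; else printf '%s\n' "$rule"; fi
    done < "$list"
}

# Constructed sample list (documentation addresses, not real workplace IPs):
# one host, one /24 range, and two malformed lines that must be rejected.
cat > iplist.conf <<'EOF'
# workplace addresses allowed to reach sshd via port 80
203.0.113.7
203.0.113.0/24
198.51.100.300
not-an-ip
EOF

redirect_rules iplist.conf
```

A REDIRECT rule in the nat PREROUTING chain only rewrites the destination port; the filter INPUT chain must still accept port 22 from those sources for the session to reach sshd. Restricting by source address as above keeps every other port 80 client on the web server, which is the behaviour the original question asked for.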