  1. #1
     Just Joined! (joined Nov 2007, 6 posts)

    IPTABLES question


    Hello,
    I am new to IPTABLES and was hoping someone might be able to help me. I have a http server running on port 80. I use SSH from work to connect to the same pc that runs the web server, but due to firewall restrictions I can only use port 80. I want to create a rule so all traffic on port 80 from a specific IP address or range (my workplace) gets forwarded to port 22, but all other port 80 traffic to be routed normally.

    Many thanks.

    Chemist

  2. #2
     RobinVossen, Linux Engineer (The Netherlands; joined Aug 2007, 1,429 posts)
    So you'd like port forwarding..
    here:

    Since I have been using the 2.4 kernel, I use iptables for firewall and NAT. So these are the iptables rules required for port forwarding xxx.xxx.xxx.xxx:8888 to 192.168.0.2:80.

    Code:
    /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:80
    /sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT
    -> Hackorama
    New Users, please read this..
    Google first, then ask..

  3. #3
     Just Joined! (joined Nov 2007, 6 posts)
    Hi mate,

    Thanks for that, however it appears not to work. I use this script (iptablesrocks.org - Deploying the firewall) and after I enter this:

    Code:
    /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 82.45.23.202 --dport 80 -j DNAT --to 192.168.1.68:22
    /sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.68 --dport 22 -j ACCEPT

    this is the result of iptables -L:

    general pastebin - Someone - post number 799915

    I am trying to get any port 80 traffic from 82.45.23.202 to go to port 22 of 192.168.1.68

    any help will be welcome

    Thanx

  4. #4
     RobinVossen, Linux Engineer (The Netherlands; joined Aug 2007, 1,429 posts)
    What's the result of iptables -L -t nat?

  5. #5
     Just Joined! (joined Nov 2007, 6 posts)
    Quote Originally Posted by RobinVossen:
    What's the result of iptables -L -t nat?


    Code:
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- anywhere 62-31-164-55.cable.ubr11.azte.blueyonder.co.uk tcp dpt:www to:192.168.1.68:22
    DNAT tcp -- anywhere 193.34.231.236 tcp dpt:www to:192.168.1.68:22

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination


    I changed the IP addresses.


    Thanks

  6. #6
     RobinVossen, Linux Engineer (The Netherlands; joined Aug 2007, 1,429 posts)
    You have made a tunnel: when something comes from 193.34.231.236 on port 80 it will be redirected to 192.168.1.68 port 22.
    Knowing that, it might help you with re-entering the command, but right this time.

  7. #7
     Just Joined! (joined Nov 2007, 6 posts)
    Excuse my idiocy, but what do you mean by "re-entering the command but right this time"?

    Thanx

  8. #8
     Lazydog, Linux Guru (The Keystone State; joined Jun 2004, 2,677 posts)
    Here is what you are looking for:

    If the box you are trying to get to is behind the firewall box
    [INTERNET]<-->[firewall]<-->[SSH Box]
    Code:
    iptables -t nat -A PREROUTING -p tcp -s <Work IP> --dport 80 -j DNAT --to-destination <serverIP>:22
    If the box you are trying to ssh to is on the firewall box
    [INTERNET]<-->[firewall/ssh box]
    Code:
    iptables -t nat -A PREROUTING -p tcp -s <WorkIP> --dport 80 -j REDIRECT --to-ports 22
    The first rule tells iptables to change the IP address it is going to.
    The second one tells iptables that it is to stay on the present box and doesn't need to be routed on.

    Regards
    Robert


  9. #9
     Just Joined! (joined Nov 2007, 6 posts)
    Thanks a lot! That worked straight off. I might be pushing my luck here, but how would I achieve the same result from a range of IPs?


    Regards, Chemist

  10. #10
     RobinVossen, Linux Engineer (The Netherlands; joined Aug 2007, 1,429 posts)
    I guess it's not the most effective way, but..
    I'd write a file that has a list of IPs in it.
    Call it iplist.conf
    Then I'd make a new script
    that has:
    Code:
    #!/bin/sh
    iptables -t nat -A PREROUTING -p tcp -s "$1" --dport 80 -j REDIRECT --to-ports 22
    then I'll give it
    Code:
    chmod +x addfirewall.sh
    and call it addfirewall.sh
    then I have to link those files together by doing this:
    Code:
       # read iplist.conf (one address per line) and call addfirewall.sh for each
       open(IP, "<", "iplist.conf") or die "cannot open iplist.conf: $!";
     
       while (my $parseIP = <IP>) {
          chomp $parseIP;               # strip the trailing newline
          next if $parseIP =~ /^\s*$/;  # skip blank lines
          # list form of system() passes the address as one argument, no shell in between
          system("sh", "addfirewall.sh", $parseIP) == 0
             or warn "addfirewall.sh failed for $parseIP\n";
       }
     
       close(IP);
    save that file as ExecuteMe.perl
    do
    Code:
    chmod +x ExecuteMe.perl
    then
    Code:
    perl ExecuteMe.perl
    and it should be done

    I hope that helped.

    I know for sure LazyDog has a better way but still
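The two rule shapes from post #8 (REDIRECT when sshd runs on the firewall itself, DNAT plus a FORWARD accept when it runs on a box behind it), applied to a whole list of trusted sources as asked in post #9, as an added example that is not code from the thread or from any of the posters. It assumes eth0 is the Internet-facing interface and reuses 192.168.1.68 from the thread as the internal ssh host; both can be overridden through the environment. List entries may be a single address, a CIDR block (a.b.c.d/nn) or an inclusive range (a.b.c.d-e.f.g.h, matched with -m iprange). By default it only prints the iptables commands so they can be reviewed without root; APPLY=1 executes them. The sample list at the bottom is constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the thread). Emits, and with APPLY=1 applies, the
# PREROUTING rules that divert port 80 from listed sources to sshd on 22,
# leaving everyone else's port-80 traffic on its way to the web server.

WAN_IF="${WAN_IF:-eth0}"            # Internet-facing interface (assumed)
SSH_BOX="${SSH_BOX:-192.168.1.68}"  # ssh host behind the firewall (dnat mode)

# run_rule: print the iptables command; execute it only when APPLY=1.
run_rule() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

# source_match: turn one list entry into an iptables match fragment.
# Only the character set and shape are checked; iptables itself rejects
# a malformed address when the rule is actually applied.
source_match() {
    case "$1" in
        ''|*[!0-9./-]*) return 1 ;;   # empty, or characters no address needs
        *-*/*|*/*-*)    return 1 ;;   # a range and a prefix length together
        *-*) echo "-m iprange --src-range $1" ;;
        *)   echo "-s $1" ;;
    esac
}

# build_rules MODE < list
#   redirect : sshd runs on the firewall itself   (REDIRECT --to-ports 22)
#   dnat     : sshd runs on $SSH_BOX behind it    (DNAT + FORWARD accept)
# Reads one source per line from stdin; blank and '#' lines are skipped.
# Rules match only on $WAN_IF, so port 80 arriving from the LAN is untouched.
build_rules() {
    mode="$1"
    case "$mode" in
        redirect|dnat) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    while read -r src; do
        case "$src" in ''|'#'*) continue ;; esac
        m=$(source_match "$src") || { echo "skipping bad entry: $src" >&2; continue; }
        # $m is deliberately unquoted below: it holds several words
        case "$mode" in
            redirect)
                run_rule -t nat -A PREROUTING -i "$WAN_IF" -p tcp $m --dport 80 \
                    -j REDIRECT --to-ports 22 ;;
            dnat)
                run_rule -t nat -A PREROUTING -i "$WAN_IF" -p tcp $m --dport 80 \
                    -j DNAT --to-destination "$SSH_BOX:22"
                # DNAT alone is not enough: the rewritten packet still has to
                # pass FORWARD, and net.ipv4.ip_forward must be 1 on the firewall.
                run_rule -A FORWARD -i "$WAN_IF" -p tcp $m -d "$SSH_BOX" --dport 22 \
                    -j ACCEPT ;;
        esac
    done
}

# Constructed sample list (documentation ranges, not the poster's addresses).
SAMPLE_LIST='203.0.113.10
203.0.113.0/24
# a short range of workplace addresses
198.51.100.1-198.51.100.20'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LIST" | build_rules redirect
fi
```

Run it as `sh divert.sh demo` to see the REDIRECT rules for the sample list, or `printf '%s\n' 203.0.113.0/24 | APPLY=1 sh -c '. ./divert.sh; build_rules dnat'` to apply the DNAT pair for one subnet. Because every rule is appended with -A, an earlier PREROUTING rule that already matches the same traffic (such as the -d based DNAT rules from post #5) wins; flush or reorder those first. The entries in the list are the whole access control here, so keep the file root-owned and as short as the workplace's real address space.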
