  1. #1
    Just Joined!
    Join Date
    Jul 2009
    Posts
    4

    help on iptables port forwarding


    I've got an ESXi guest I'm trying to access from another state; however, I am not able to establish the connection remotely (connection refused). On the internal LAN there is no problem connecting.


    eth0 = internet (external ip) foo.com
    eth1 = internal lan = 192.168.0.50

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level warning
    ACCEPT tcp -- anywhere 192.168.0.99 tcp dpt:902
    ACCEPT tcp -- anywhere 192.168.0.99 tcp dpt:903
    ACCEPT tcp -- anywhere 192.168.0.99 tcp dpt:902
    ACCEPT tcp -- anywhere 192.168.0.99 tcp dpt:903


    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- anywhere anywhere tcp dpt:902 to:192.168.0.99:902
    DNAT tcp -- anywhere anywhere tcp dpt:903 to:192.168.0.99:903


    I am using the following rules to create the above:

    Code:
    iptables -A FORWARD -i eth1 -d 192.168.0.99 -p tcp --dport 902 -j ACCEPT
    iptables -A FORWARD -i eth1 -d 192.168.0.99 -p tcp --dport 903 -j ACCEPT
    iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 902 -j ACCEPT
    iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 903 -j ACCEPT
    iptables -A PREROUTING -i eth0 -t nat -p tcp --dport 902 -j DNAT --to 192.168.0.99:902
    iptables -A PREROUTING -i eth0 -t nat -p tcp --dport 903 -j DNAT --to 192.168.0.99:903

    Any assistance is greatly appreciated.

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Try the following

    Code:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 902 -j DNAT --to-destination 192.168.0.99
    iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 903 -j DNAT --to-destination 192.168.0.99
    iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 902 -j ACCEPT
    iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 903 -j ACCEPT

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Jul 2009
    Posts
    4
    Still didn't work, but let me know if this is the problem. The commands used to set up IP masq for the LAN:

    eth0 = external
    eth1 = internal

    Code:
    echo " FWD: Allow all connections OUT and only existing and related ones IN"
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    $IPTABLES -A FORWARD -j LOG

    echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

    # then I added what you recommended:

    iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 902 -j DNAT --to-destination 192.168.0.99
    iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 903 -j DNAT --to-destination 192.168.0.99
    iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 902 -j ACCEPT
    iptables -A FORWARD -i eth0 -d 192.168.0.99 -p tcp --dport 903 -j ACCEPT

    So I'm wondering if the beginning rules for the FORWARD chain are causing the problem. I can SSH into foo.com from anywhere no problem though, just can't get the requests to port 902/3 to .99. No other IDS is running, hosts.deny is empty.
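
Putting the two replies' rule sets together, as an added example that is not from the thread or from either poster: a POSIX sh script that builds the masquerading router with a FORWARD policy of DROP and then adds one DNAT plus one FORWARD accept per forwarded port. EXTIF, INTIF, LANNET, TARGET and PORTS are assumptions chosen to mirror the thread's eth0/eth1/192.168.0.99/902-903 setup; DRY_RUN=1 prints the commands instead of running them, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): TCP port forward on a Linux router whose
# FORWARD policy is DROP. Rule order matters: ESTABLISHED,RELATED first, then
# LAN-out, then the per-port DNAT accepts, and a rate-limited LOG last.
# EXTIF/INTIF/LANNET/TARGET/PORTS are assumptions mirroring the thread's setup.

EXTIF="${EXTIF:-eth0}"               # internet-facing interface
INTIF="${INTIF:-eth1}"               # LAN interface
LANNET="${LANNET:-192.168.0.0/24}"   # LAN prefix (assumed from the .50/.99 hosts)
TARGET="${TARGET:-192.168.0.99}"     # internal host the forward points at
PORTS="${PORTS:-902 903}"            # TCP ports to forward
DRY_RUN="${DRY_RUN:-0}"              # 1 = print commands instead of executing

# run: execute a command, or echo it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ip_forward_enabled: DNAT cannot help if the kernel never routes between interfaces
ip_forward_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# base_rules: reset FORWARD and the nat table, then the masquerading router
base_rules() {
    run iptables -F FORWARD
    run iptables -t nat -F
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# forward_port PORT: DNAT on the way in, then an explicit FORWARD accept.
# FORWARD sees the packet *after* PREROUTING rewrote it, so the accept
# matches on TARGET, not on the public address.
forward_port() {
    port="$1"
    run iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$TARGET:$port"
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$TARGET" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# log_rest: log what is about to be dropped, rate-limited so a scan cannot
# flood the log. Kept LAST so accepted forwards never appear as noise.
log_rest() {
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# show_counters: -v -n shows interfaces and per-rule packet counters, which the
# plain "iptables -L" listing hides; a forward rule whose counter never moves
# is not being hit at all.
show_counters() {
    run iptables -L FORWARD -v -n --line-numbers
    run iptables -t nat -L PREROUTING -v -n --line-numbers
}

# apply: full sequence; refuses to run live when ip_forward is off
apply() {
    if [ "$DRY_RUN" != "1" ] && ! ip_forward_enabled; then
        echo "net.ipv4.ip_forward is 0: enable it first, DNAT alone will not route" >&2
        return 1
    fi
    base_rules
    for p in $PORTS; do forward_port "$p"; done
    log_rest
    show_counters
}

# Only act when invoked as "script apply"; sourcing it leaves the firewall alone.
case "${1:-}" in
    apply) apply ;;
esac
```

Run it as `DRY_RUN=1 sh forward.sh apply` first to review the generated commands, then without DRY_RUN as root. Two things the rules themselves cannot fix: the DNAT target must route its replies back through this router (its default gateway has to be the router's LAN address, 192.168.0.50 in the thread), and PORTS must cover everything the remote client actually uses, so check the product's documented port list rather than assuming the two ports seen on the LAN are the whole conversation.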

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    OK, if you can log into foo.com from anywhere, I would then question if you have a service listening on port 902/3. What program is listening on these ports?

    Regards
    Robert


  5. #5
    Just Joined!
    Join Date
    Jul 2009
    Posts
    4
    I should clarify that when I SSH to foo.com it's hitting foo.com directly; sshd runs locally (192.168.0.50) on that machine on port 900, 901 is an FTP server. 902 and 903, which are for the ESXi server on 192.168.0.99, are not listed as open, so I'm assuming they are not being routed to 192.168.0.99.

    If I port scan foo.com from foo.com I get:
    37/tcp open time
    53/tcp open domain
    113/tcp open auth
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    900/tcp open unknown
    901/tcp open samba-swat
    3128/tcp open squid-http
    6000/tcp open X11

    However, if I port scan from nmap's website I get:
    Not shown: 4883 closed ports, 110 filtered ports
    PORT STATE SERVICE
    37/tcp open time
    53/tcp open domain
    113/tcp open auth
    900/tcp open unknown
    901/tcp open samba-swat
    902/tcp open iss-realsecure
    3128/tcp open squid-http

    The above is showing that 902 is in fact open and being routed from 192.168.0.50 to 192.168.0.99 where the ESXi server lives.

    Pertaining to service listings, are you referring to what's in my /etc/services file? If so, there are no entries at all in there for 902 and 903.

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Go to the server that has processes listening on 902/3 and run the following and then post.

    Code:
    netstat -a | grep 902
    netstat -a | grep 903

    Regards
    Robert


  7. #7
    Just Joined!
    Join Date
    Jul 2009
    Posts
    4
    The netstat command isn't available under ESXi, nor is it able to be installed/compiled.

    The best I can do is run netstat from .0.50 (where I do have 3 connections to virtual machines on .0.99 on the LAN):
    bash-3.1# netstat -a | grep 902
    tcp 0 0 192.168.0.50:40056 192.168.0.99:902 ESTABLISHED
    tcp 0 37 192.168.0.50:54864 192.168.0.99:902 ESTABLISHED
    tcp 0 37 192.168.0.50:46743 192.168.0.99:902 ESTABLISHED

  8. #8
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    This just shows the connections. I was looking for the process/program that was listening on the port.

    Regards
    Robert

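
The distinction the last two posts turn on, a socket in LISTEN state versus an ESTABLISHED connection, as an added example that is not from the thread or from either poster: a small POSIX sh filter over netstat/ss style lines that reports listeners and connections for a port separately. The sample input is constructed from the three ESTABLISHED lines in post #7 plus one invented LISTEN entry for port 903; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): separate "a process is listening on
# PORT" from "a connection to PORT exists" in netstat -an / ss -tan output.
# Only the hosts that own a listener can answer a forwarded connection, and on
# the router the port looks open from outside purely because of the DNAT.

# listeners_on_port PORT: local sockets in LISTEN state bound to PORT (stdin)
listeners_on_port() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ (":" p "$") { print $4 }'
}

# connections_on_port PORT: established flows with PORT on either side (stdin);
# this is all that "netstat -a | grep 902" showed in the thread
connections_on_port() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" &&
        ($4 ~ (":" p "$") || $5 ~ (":" p "$")) { print $4 " -> " $5 }'
}

# classify PORT: one-word verdict for the lines on stdin
classify() {
    input=$(cat)
    l=$(printf '%s\n' "$input" | listeners_on_port "$1" | grep -c . || true)
    c=$(printf '%s\n' "$input" | connections_on_port "$1" | grep -c . || true)
    if [ "$l" -gt 0 ]; then
        echo "listening"
    elif [ "$c" -gt 0 ]; then
        echo "connections-only"
    else
        echo "nothing"
    fi
}

# Constructed sample: the router's three outbound connections to the ESXi
# host from post #7, plus an invented LISTEN line a host serving 903 would show.
SAMPLE='tcp 0 0 192.168.0.50:40056 192.168.0.99:902 ESTABLISHED
tcp 0 37 192.168.0.50:54864 192.168.0.99:902 ESTABLISHED
tcp 0 37 192.168.0.50:46743 192.168.0.99:902 ESTABLISHED
tcp 0 0 0.0.0.0:903 0.0.0.0:* LISTEN'

# sample_verdict PORT: classify the constructed sample
sample_verdict() { printf '%s\n' "$SAMPLE" | classify "$1"; }

# Stand-alone run: the 902 lines are client-side connections from .50, so they
# prove .99 accepts on 902 but say nothing about a listener on .50 itself.
for port in 902 903; do printf '%s: %s\n' "$port" "$(sample_verdict "$port")"; done
```

On a live box feed it real data: `netstat -an | listeners_on_port 902` or `ss -tan | listeners_on_port 902`. Run on the DNAT target, a non-empty result is what the reply in post #6 was asking for; run on the router, an empty result is expected and does not mean the forward is broken.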
