- 02-17-2011 #1
iptables forward to different address:port
Long story short, Verizon Wireless (i.e., my Droid X) blocks a lot of IRC servers. I'm working around it by forwarding some ports on my home server to the servers I need to access.
I've been researching how to do this, but nothing seems to work. This is what I've got so far:
# grab IP address of server (works fine)
ircserver=`ping -c1 irc.oftc.net | grep 'bytes from' | sed 's/.*(\([0-9\.]*\)).*/\1/g'`
inport="6667"
outport="6667"
# let the kernel route packets that are not addressed to this host
sysctl net.ipv4.ip_forward=1
# rewrite the destination of connections arriving on $inport to the IRC server
# ($outport must be expanded; a bare "outport" is passed to iptables literally)
iptables -t nat -A PREROUTING -p tcp -m tcp --dport "$inport" -j DNAT --to "$ircserver:$outport"
iptables -t nat -A PREROUTING -p udp -m udp --dport "$inport" -j DNAT --to "$ircserver:$outport"
# let the rewritten packets pass the FORWARD chain on their way out
iptables -A FORWARD -d "$ircserver" -p tcp --dport "$outport" -j ACCEPT
iptables -A FORWARD -d "$ircserver" -p udp --dport "$outport" -j ACCEPT
- 02-18-2011 #2
How are you connecting to your server? How many network interfaces on this server?
- 02-18-2011 #3
Only one network interface card.
Whether I'm on the machine itself or a client on the same local network.
The only firewall between the client and server is this iptables I'm configuring.
There is a firewall on a router separating this local network from the internet (but it shouldn't come into play with the following tests).
Machines involved:
* server (on local network)
* client (on local network)
* remserver (on remote network)

On server, if I redirect port A to server's own port B (apache, ssh, anything):
* connecting to real port on server from client works
* connecting to forwarded port on server from client works
* connecting to forwarded port on server from server fails (either with 127.0.0.1:fport or 192.168.0.100:fport)
* connecting to real port on server from server works

If I redirect server port A to a remserver port B (ssh):
* connecting to real port on remserver from client works
* connecting to real port on remserver from server works
* connecting to forwarded port on server from server fails
* connecting to forwarded port on server from client fails
- 02-20-2011 #4
What are your complete iptables rules for the firewall?
Please use CODE tags instead of QUOTE tags.
- 02-20-2011 #5
In this example, I'm forwarding my own server's port 4567 to narnia.intruded.net:10102 (an SSH wargame).
Specific command for forwarding:
Code:
eocserver ~ # sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
eocserver ~ # iptables -L
Firewall rules installed:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost            anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp any
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9090
ACCEPT     tcp  --  anywhere             intruded.net         tcp dpt:10102

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Code:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 4567 -j DNAT --to 78.129.142.146:10102
iptables -A FORWARD -d 78.129.142.146 -p tcp --dport 10102 -j ACCEPT
- 02-20-2011 #6
I would prefer to read the command line file not the running output.
- 02-21-2011 #7
I've created my own init script to set up iptables. Whether I use that or manually enter all the commands as they should be, it's the same effect.
The script reads in /etc/firewall and parses it into iptables commands.
Here it is:
/etc/firewall
Code:
## usage: forward [tcp.udp,all] [inPort] [toAdd:toPort] [optionalSourceMatching]
forward tcp 80 :9090 192.168.0.0/24 # port 80 web server for lan only
forward tcp 4567 78.129.142.146:10102
## usage: input [nameNoSpaces] [tcp,udp,all] [port1] [port2]...
## tcp/udp assumed if not specified
input apache all 9090 9191
/etc/init.d/firewall
Code:
#!/sbin/runscript
# Copyright 1999-2010 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

depend() {
    before net
}

start() {
    setup_iptables
}

stop() {
    /etc/init.d/iptables stop
}

restart() {
    setup_iptables
}

function clear_iptables {
    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    # Report what happened
    echo 'Firewall rules installed:'
    iptables -L
}

# open [INPUT|OUTPUT] [name] [tcp,udp,all] [port1] [port2]...
function open {
    pol="$1"
    shift 2
    packet="tcp/udp"
    first="1"
    for port in "$@" ; do
        # a word starting with # begins a trailing comment: stop here
        # (must be ${port:0:1}; "$port:0:1" is the literal string "...:0:1")
        if [[ "${port:0:1}" == "#" ]] ; then
            return;
        elif [[ "$port" == "tcp" ]] || [[ "$port" == "udp" ]] ; then
            packet="$port";
            first="0"
            continue;
        elif [[ "$port" == "all" ]] || [[ "$port" == "tcp/udp" ]] || [[ "$port" == "udp/tcp" ]] ; then
            packet="tcp/udp"
            first="0"
            continue;
        elif [[ "$first" == "1" ]] ; then
            first="0"
        fi
        if [[ "$packet" == "tcp/udp" ]] ; then
            iptables -A "$pol" -p tcp -m tcp --dport "$port" -j ACCEPT
            iptables -A "$pol" -p udp -m udp --dport "$port" -j ACCEPT
        else
            iptables -A "$pol" -p "$packet" -m "$packet" --dport "$port" -j ACCEPT
        fi
    done
}

function forward {
    # forward [tcp,udp,tcp/udp,all] [in port] [forw add:port] [source add]
    sysctl net.ipv4.ip_forward=1
    # input port
    iport="$2";
    # source address (reset first, so a previous forward's --source does not leak into this one)
    saddress=""
    if [[ "$4" != "" ]] ; then
        saddress=" --source $4";
    fi
    # destination address
    # you can supply a domain name by adding ! to the beginning. (getip is an outside script)
    daddress=`echo "$3" | cut -d: -f 1`
    if [[ "${daddress:0:1}" == "!" ]] ; then
        daddress=`getip "${daddress:1}"`
    fi
    # destination port
    dport=`echo "$3" | cut -d: -f 2`
    if [[ "$dport" == "" ]]; then
        # make port the same as source port if not supplied
        dport="$2"
    fi
    if [[ "$dport" == "$3" ]]; then
        # when no : is supplied, cut will make port and address
        # the whole line supplied. we assume this is an address
        # as ports are always supplied with a leading :
        dport="$2"
    fi
    dport=":$dport"
    if [[ "$1" == "udp" ]] || [[ "$1" == "tcp/udp" ]] || [[ "$1" == "all" ]] ; then
        iptables -t nat -A PREROUTING -p udp -m udp --dport "$iport" $saddress -j DNAT --to "$daddress$dport"
        iptables -A FORWARD -d "$daddress" -p udp --dport "${dport:1}" -j ACCEPT
    fi
    if [[ "$1" == "tcp" ]] || [[ "$1" == "tcp/udp" ]] || [[ "$1" == "all" ]] ; then
        iptables -t nat -A PREROUTING -p tcp -m tcp --dport "$iport" $saddress -j DNAT --to "$daddress$dport"
        iptables -A FORWARD -d "$daddress" -p tcp --dport "${dport:1}" -j ACCEPT
    fi
}

function read_firewall {
    if ! [[ -e "/etc/firewall" ]] ; then
        return 1
    fi
    while read line ; do
        if [[ "${line:0:5}" == "input" ]] ; then
            eval "open INPUT ${line:6}"
        elif [[ "${line:0:6}" == "output" ]] ; then
            eval "open OUTPUT ${line:7}"
        elif [[ "${line:0:7}" == "forward" ]] ; then
            eval "forward ${line:8}"
        fi
    done < /etc/firewall
}

function setup_iptables {
    /etc/init.d/iptables stop
    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -s 127.0.0.1 -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p icmp -m icmp -j ACCEPT
    read_firewall
    iptables -A INPUT -j DROP
    #Report what happened
    echo 'Firewall rules installed:'
    iptables -L
    /etc/init.d/iptables save
    /etc/init.d/iptables start
}
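The pattern of failures in post #3 is exactly what the posted rules produce. A connection opened on the server to its own forwarded port never traverses PREROUTING (locally generated packets go through the nat OUTPUT chain instead), so no DNAT happens. A connection from the LAN client is DNATed, but the packet leaves with the client's own source address; the remote host's reply is therefore routed back to the client directly (through the router) and never passes the server, where conntrack would have undone the DNAT, so the client sees a stray SYN/ACK from port 10102 and resets it. And even a reply that did come back through the server would hit the FORWARD chain, whose policy is DROP and which only accepts the outbound direction. The script below is added as a worked example (it is not the poster's script and not from any project on this page) and installs the full set: DNAT in PREROUTING and in nat OUTPUT, MASQUERADE in POSTROUTING so replies return through the server, and FORWARD accepts for both directions. It covers TCP only (IRC and SSH are TCP). The IPT and SYSCTL variables and the --dry-run switch are conventions of this example so the rules can be printed instead of installed.

```shell
#!/bin/sh
# Added example, not the original poster's script: the complete rule set for
# DNATing a port on a single-NIC LAN host to a remote host:port.
# IPT/SYSCTL default to the real commands; set IPT=echo SYSCTL=echo (or pass
# --dry-run) to print the rules instead of installing them (no root needed).
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# forward_tcp <local port> <remote address> <remote port>
forward_tcp() {
    inport="$1"; dest="$2"; dport="$3"

    # Packets that are not addressed to this host are only routed when
    # forwarding is enabled.
    $SYSCTL -w net.ipv4.ip_forward=1

    # 1. Rewrite the destination of packets arriving from other hosts.
    $IPT -t nat -A PREROUTING -p tcp --dport "$inport" \
        -j DNAT --to-destination "$dest:$dport"

    # 2. Locally generated packets never traverse PREROUTING; a connection
    #    from the server itself is rewritten in the nat OUTPUT chain.
    #    "-o lo" restricts this to connections to the server's own addresses.
    $IPT -t nat -A OUTPUT -o lo -p tcp --dport "$inport" \
        -j DNAT --to-destination "$dest:$dport"

    # 3. Rewrite the source to this host's address so the remote host's
    #    replies come back through this box (where conntrack reverses the
    #    DNAT) instead of going straight to the LAN client, which would
    #    reset them as packets for a connection it never opened.
    $IPT -t nat -A POSTROUTING -p tcp -d "$dest" --dport "$dport" -j MASQUERADE

    # 4. With a FORWARD policy of DROP both directions must be accepted:
    #    the new connection towards the remote host and its replies.
    #    Reply packets reach FORWARD after conntrack has already undone the
    #    NAT, so they are matched by remote source address and port.
    $IPT -A FORWARD -p tcp -d "$dest" --dport "$dport" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -p tcp -s "$dest" --sport "$dport" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Stand-alone run: "sh forward.sh --dry-run" prints the six commands for the
# thread's case (server port 4567 -> 78.129.142.146:10102) without touching
# the firewall; run forward_tcp without the override as root to install them.
if [ "${1:-}" = "--dry-run" ]; then
    IPT=echo SYSCTL=echo forward_tcp 4567 78.129.142.146 10102
fi
```

For the test from the server itself, connect to the server's LAN address (192.168.0.100:4567 in the thread) rather than 127.0.0.1: DNATing traffic addressed to 127.0.0.1 additionally needs net.ipv4.conf.<iface>.route_localnet=1, which only exists in kernels from 3.6 on. The rules in steps 3 and 4 are the ones missing from the posted commands; the nat OUTPUT rule in step 2 is only needed for the local test.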