  1. #1

    reaching RDP behind a firewall


    I want to reach a box that can't be reached from the outside. It is connected to the internet and can send data, of course.
    I want WINDOWS-BOX to connect to RDP-BOX over KVM.

    This is what my setup looks like:
    (sorry, can't post links yet. Please copy and paste into your browser.)

    What I tried:
    eth0 -
    tun0 -

    iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 8888 -j DNAT --to-destination
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    sysctl -w net.ipv4.ip_forward=1

    eth0 - some official ipv4 address
    tun0 -

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8888 -j DNAT --to-destination
    sysctl -w net.ipv4.ip_forward=1

    If I connect from the WINDOWS-BOX to the KVM-BOX IPv4 address I can see on the KVM-BOX:
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    1 52 DNAT tcp -- eth0 * tcp dpt:8888 to:

    and on the RDP-BOX:
    Chain PREROUTING (policy ACCEPT 94 packets, 12908 bytes)
    pkts bytes target prot opt in out source destination
    3 152 DNAT tcp -- tun0 * tcp dpt:8888 to:

    # on RDP-BOX
    sudo tcpdump -i eth0 port 3389  # this shows NO traffic. Shouldn't the RDP client packets go through here?
    Last edited by Havana_Cola; 09-03-2013 at 09:45 PM.
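A complete two-hop forward for the setup described in the post, written as an added example rather than the rules from the post itself. The addresses, the allowed client, and the use of eth0/tun0 on each box are assumptions (the thread's own values were not captured); the script prints the rules for review by default and only runs them with APPLY=1. It adds the SNAT on the tunnel side that the posted KVM-BOX rules lack, restricts the forward to one source, and notes why a capture on port 3389 can stay empty.

```shell
#!/bin/sh
# Two-hop TCP forward of the kind the post describes, as an added example
# (not the poster's own rules). All addresses are placeholders.
#
#   client -> KVM-BOX eth0:8888 -DNAT-> RDP-BOX tun0:8888 -DNAT-> target:3389
#
# Two details the posted rules do not show:
#  * KVM-BOX must SNAT/MASQUERADE what it sends into tun0, so RDP-BOX sees
#    the tunnel peer as the source and the reply comes back over the tunnel
#    instead of following RDP-BOX's default route (asymmetric return path).
#  * A DNAT --to-destination without :port keeps dport 8888, so a capture
#    filter on "port 3389" sees nothing even though the DNAT counter grows.

RDP_BOX_TUN_IP="${RDP_BOX_TUN_IP:-10.8.0.2}"     # placeholder: RDP-BOX tunnel address
RDP_TARGET="${RDP_TARGET:-192.0.2.10}"           # placeholder: internal RDP host
ALLOWED_CLIENT="${ALLOWED_CLIENT:-203.0.113.5}"  # placeholder: only source allowed in
LISTEN_PORT=8888
RDP_PORT=3389

# KVM-BOX: public eth0 in, tun0 out. Only ALLOWED_CLIENT may use the forward.
kvm_box_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i eth0 -s $ALLOWED_CLIENT -p tcp --dport $LISTEN_PORT -j DNAT --to-destination $RDP_BOX_TUN_IP:$LISTEN_PORT
iptables -t nat -A POSTROUTING -o tun0 -p tcp -d $RDP_BOX_TUN_IP --dport $LISTEN_PORT -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -p tcp -d $RDP_BOX_TUN_IP --dport $LISTEN_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# RDP-BOX: tun0 in, LAN eth0 out. Note the explicit :$RDP_PORT in the DNAT.
rdp_box_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport $LISTEN_PORT -j DNAT --to-destination $RDP_TARGET:$RDP_PORT
iptables -t nat -A POSTROUTING -o eth0 -p tcp -d $RDP_TARGET --dport $RDP_PORT -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -p tcp -d $RDP_TARGET --dport $RDP_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Dry run by default: print the commands for review. APPLY=1 runs them (root).
run_rules() {
  if [ "${APPLY:-0}" = "1" ]; then "$1" | sh -e; else "$1"; fi
}

echo "# --- KVM-BOX ---"; run_rules kvm_box_rules
echo "# --- RDP-BOX ---"; run_rules rdp_box_rules
```

After applying, `iptables -t nat -L -v -n` on both boxes should show the DNAT and MASQUERADE counters growing together for one connection; a DNAT counter that grows while the MASQUERADE one stays at zero points at the FORWARD chain or routing, not at NAT.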

  2. #2
    I would try baby steps to find the real issue. Can you ssh into the RDP box? The KVM box? Right now you are not getting packets through to the KVM box. Is there a firewall besides these two iptables somewhere? Most corporate firewalls won't allow RDP, or most protocols other than what is needed by the company, to get through. You just can't allow anyone who wants to have the ability to control internal systems from the outside without good reason. That would be a question for your security person. I've been at places where you had to connect to a proxy first, then to the boxes you want to hit, to control internal systems. Usually, only an IT person or an upper management type would be granted the rights to do all of this.

  3. #3
    I have to close this for now; somebody on #networking@freenode told me that it may be problematic because my target and my testing system are in the same LAN.
    For now an OpenVPN connection seems to work. I will come back to this in a few days to figure it out.
