
RE: iptables and redirection traffic from one PC to another



Hi,

Now my firewall looks like this:

sudo iptables -F
sudo iptables -P INPUT DROP
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22005 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 81 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to 192.168.0.10:80

I've found that if the FORWARD "-a" default policy is to accept everything I don't have to use the second rule. I think that the problem is that my Raspberry is not my router, so the PC is responding directly to the router, which in turn doesn't know what to do. Is there a way to make iptables make my PC respond to it and then to the router - some IP level proxy etc.?

--
Best regards,
Aleksander Kurczyk
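
A ruleset that implements the "make the PC answer the RPi" idea asked about above, added here as an example that is not part of the thread and not the author's script. The missing piece is a POSTROUTING MASQUERADE (source NAT) rule: after the DNAT the PC still sees the external client's address as the source, so it sends its reply to its default gateway (the home router), which has no NAT state for that flow. With source NAT the PC replies to the RPi, which undoes the DNAT and returns the packet through the router. Assumptions not stated in the thread: the RPi's only interface is eth0, the PC is 192.168.0.10 (the address in the latest rules), and SSH listens on 22005. Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the thread author's script. DNAT + FORWARD + source NAT for
# "RPi in the router's DMZ forwards its port 81 to a LAN PC's port 80".
# Assumptions: the RPi's single interface is eth0, the PC is 192.168.0.10.
# Run as: sudo sh fw.sh apply      (preview with: IPT=echo sh fw.sh apply)

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"            # assumption: one interface, facing the router
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PC_ADDR="${PC_ADDR:-192.168.0.10}"  # assumption: the LAN PC running the web server
SSH_PORT="${SSH_PORT:-22005}"

apply_rules() {
    # Start clean in both tables this script touches.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP            # explicit default: only the web flow below is forwarded
    $IPT -P OUTPUT ACCEPT

    # Services on the RPi itself. No INPUT rule for 81 is needed: DNAT in
    # PREROUTING rewrites the destination before the INPUT/FORWARD decision,
    # so port-81 packets are forwarded, never delivered locally.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -s "$LAN_NET" -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT

    # 1. Rewrite the destination: RPi:81 -> PC:80.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 81 -j DNAT --to-destination "$PC_ADDR:80"

    # 2. Allow exactly that flow, plus replies, through FORWARD.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$PC_ADDR" --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # 3. Rewrite the source so the PC replies to the RPi instead of to the
    #    external client (which would send the reply to the home router).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -d "$PC_ADDR" --dport 80 -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

The cost of the MASQUERADE rule is that the PC's web server logs every forwarded request as coming from the RPi's address, so the real client address is only visible on the RPi (for example via conntrack or a LOG rule there); keep that in mind when reviewing access logs on the PC.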

________________________________
> Date: Fri, 14 Feb 2014 14:58:04 +0100 
> Subject: Re: iptables and redirection traffic from one PC to another 
> From: fernando.vicios@gmail.com 
> CC: debian-user@lists.debian.org 
> To: debian-user@lists.debian.org 
> 
> 
> I think you miss accept input traffic from port 81. 
> 
> You can add logging messages or run tcpdump to see what traffic are dropped. 
> 
> Regards. Fernando. 
> 
> On 14/02/2014 14:44, "Aleksander Kurczyk" 
> <akurczyk@outlook.com> wrote: 
> Hello, 
> 
> This is my firewall script: 
> 
> sudo iptables -F 
> sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 
> sudo iptables -A INPUT -i lo -j ACCEPT 
> sudo iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT 
> sudo iptables -A INPUT -p tcp --dport 22005 -j ACCEPT 
> sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT 
> sudo iptables -A INPUT -j DROP 
> sudo iptables -t nat -A PREROUTING -p tcp --dport 81 -j DNAT --to 192.168.1.2:80 
> sudo iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT 
> sudo iptables -L 
> 
> I want to run it on Raspbian which is behind my home router. I 
> forwarded the whole incoming traffic from my router to the RPI using 
> the DMZ function (NAT 1:1). 
> 
> The "-A INPUT" part of the script works! :) I can access only 22005 and 
> 80 from the Internet and every other port on the LAN subnet and lo 
> interface. The thing is that the port forwarding part isn't working :( 
> 
> sudo iptables -t nat -A PREROUTING -p tcp --dport 81 -j DNAT --to 192.168.1.2:80 
> sudo iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT 
> 
> I want to redirect the 81 port of my RPI to my home PC's 80 port (web 
> server). I found this in Google. 
> 
> Of course I also enabled IPv4 forwarding in sysctl: 
> 
> sudo sysctl -w net.ipv4.ip_forward=1 
> 
> And am I dropping the packets correctly or should I use default policy 
> instead? This way is simpler to understand. Is there something that I 
> am doing wrong in this script? 
> 
> -- 
> Best regards, 
> Aleksander Kurczyk 
> 
