paultwang
Posted May 11, 2005

I am new to Linux and I am already ambitious about what I want it to do. I want to accomplish the following with port forwarding and a firewall in Linux. I don't know if either is feasible with iptables. Ideas?

Option (1):
- Accept tcp port 3389 from IPmask1/Subnet1
- Accept tcp port 3389 from IPmask2/Subnet2
- Deny tcp port 3389 from anyone else
- TCP port forward from 0.0.0.0:3389 to 192.168.2.11:3389

Option 1 limits the accepted hosts to reduce possible break-in.

Option (2): If <username> has an active ssh session, accept tcp port 3389 from <username>'s ssh client IP address, deny from anyone else, and activate tcp port forwarding from 0.0.0.0:3389 to 192.168.2.11:3389.

Option 2 has a similar effect to ssh tunnelling, except that in option 2 it is not encrypted.
TweezerMan
Posted May 12, 2005

Option 1 looks possible, but I don't see how you could implement option 2 using just iptables firewall rules - the firewall would not be aware of the username, nor whether they had an active SSH session or not.

Assuming you have IP masquerading (NAT) configured correctly in your firewall, I believe you could use rules like the following:

    iptables -t nat -A PREROUTING -i eth0 -p tcp -s {IPmask1/Subnet1} --dport 3389 -j DNAT --to 192.168.2.11:3389
    iptables -t nat -A PREROUTING -i eth0 -p tcp -s {IPmask2/Subnet2} --dport 3389 -j DNAT --to 192.168.2.11:3389

Normally, you'd have a default action of DENY in your ruleset, so that should deny connections from other IP addresses.

It's been a long time since I've messed around with Linux and iptables. I don't have a box to test the above on and my iptables knowledge is very rusty, so I don't know if the above is correct or if I'm missing anything. You might search Google and see if there's anything there that could help you as well.

Since you are new to Linux and iptables, I'd highly recommend that you install and use an iptables firewall application (a couple I know of are Firestarter and Guarddog), so you don't inadvertently leave your machine wide open while you're learning iptables.

Hope this helps...
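A complete Option 1 ruleset built around the two DNAT lines above, as an added example that is not part of the thread and not TweezerMan's script. It adds the pieces the reply takes for granted: a default-deny FORWARD policy (the "DENY" the reply mentions), the FORWARD accepts that the DNAT'd packets still need, and the masquerade rule for the NAT setup the reply assumes. The interface names eth0/eth1 and the two documentation subnets 203.0.113.0/24 and 198.51.100.0/24 are assumptions standing in for IPmask1/Subnet1 and IPmask2/Subnet2; 192.168.2.11:3389 is the target from the original question.

```shell
#!/bin/sh
# Allowlisted port forward for TCP/3389 (Option 1 from the question).
# Assumed values (not from the thread): WAN interface eth0, LAN interface eth1,
# and two constructed example subnets in place of IPmask1/IPmask2.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
INTERNAL="192.168.2.11"
PORT=3389
ALLOWED="${ALLOWED:-203.0.113.0/24 198.51.100.0/24}"   # constructed example subnets

# With DRY_RUN=1 the rules are printed instead of applied, so the ruleset can be
# reviewed on a machine that has no iptables (or before touching a live firewall).
ipt() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

apply_rules() {
  # Default-deny for forwarded traffic: nothing reaches the LAN unless a rule allows it.
  ipt -P FORWARD DROP
  # Return traffic for connections that were already accepted.
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for net in $ALLOWED; do
    # Translate the destination only for allowlisted sources; everyone else
    # never gets a DNAT entry and falls through to the DROP policy...
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$net" --dport "$PORT" \
        -j DNAT --to-destination "$INTERNAL:$PORT"
    # ...and the FORWARD chain must also accept the translated packet.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -s "$net" -d "$INTERNAL" \
        --dport "$PORT" -m conntrack --ctstate NEW -j ACCEPT
  done
  # Masquerade LAN traffic leaving on the WAN side (the NAT setup the reply assumes).
  ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Number of DNAT rules the current ALLOWED list produces (a quick self-check:
# one per allowlisted subnet, and nothing for anyone else).
count_dnat_rules() {
  ( DRY_RUN=1; apply_rules ) | grep -c -- '-j DNAT'
}

case "${1:-}" in
  apply) apply_rules ;;                 # run as root on the firewall
  show)  DRY_RUN=1; apply_rules ;;      # print the rules without applying them
esac
```

Run `sh forward3389.sh show` to review the generated rules, and `apply` as root to load them. Note that `-P FORWARD DROP` is what actually enforces "deny from anyone else": the DNAT lines alone only translate packets, they do not block the sources that have no matching rule.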
idallen
Posted May 16, 2005

Paul - you've posted your solutions but not the problem you're trying to solve.

Are you trying to open up a port-forward from a particular IP address, based on whether that IP address has an SSH connection to your machine? If so, yes, you can do that: when your user logs in to your machine, have their login script set up the iptables rule to permit the port forwarding; or, have them execute something that has the same effect.

The real trick is getting the rule to go away again when the user logs out or the connection drops. Depending on how important this is, you can use some combination of a nested shell, a logout profile, or a CRON job that looks for this user being logged in and removes the iptables rule when no login is found or when the user's idle time goes above some number.
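The "nested shell" variant of what idallen describes, as an added example that is not from the thread and not idallen's code: a login wrapper that reads the client address sshd exposes in SSH_CONNECTION, inserts the forwarding rules for that one address, runs the user's interactive shell, and removes the rules again when that shell ends for any reason. It assumes the wrapper is started from the user's login (for example exec'd from ~/.profile), that it has the privilege to run iptables (a sudoers entry, not shown), that a default-deny FORWARD policy is already in place, and the same eth0/eth1 interface names; 192.168.2.11:3389 comes from the question.

```shell
#!/bin/sh
# Tie the 3389 forward to a live SSH session (Option 2 from the question).
# Assumptions, not from the thread: interfaces eth0/eth1, a FORWARD policy of
# DROP already loaded, and enough privilege to call iptables from the login shell.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
INTERNAL="192.168.2.11"
PORT=3389

# DRY_RUN=1 prints the rules instead of applying them.
ipt() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi; }

# sshd sets SSH_CONNECTION="<client ip> <client port> <server ip> <server port>".
# Only a plain dotted IPv4 address is accepted; anything else fails so that no
# rule is ever built from an unexpected value in the environment.
client_ip_from_ssh_connection() {
  set -- $1
  ip="${1:-}"
  case "$ip" in
    ""|*[!0-9.]*) return 1 ;;
  esac
  echo "$ip"
}

# Insert (-I) or delete (-D) the pair of rules for one client address.
session_rules() {   # $1 = -I or -D, $2 = client ip
  ipt -t nat "$1" PREROUTING -i "$WAN_IF" -p tcp -s "$2" --dport "$PORT" \
      -j DNAT --to-destination "$INTERNAL:$PORT"
  ipt "$1" FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -s "$2" -d "$INTERNAL" \
      --dport "$PORT" -m conntrack --ctstate NEW -j ACCEPT
}

run_session() {
  ip=$(client_ip_from_ssh_connection "${SSH_CONNECTION:-}") || {
    echo "not started from an SSH session; no rules added" >&2
    return 1
  }
  session_rules -I "$ip"
  # Remove the rules whenever this wrapper exits; turn a dropped connection (HUP)
  # or a kill into a normal exit so the EXIT trap still runs.
  trap 'session_rules -D "$ip"' EXIT
  trap 'exit 1' HUP INT TERM
  # The rules live exactly as long as the user's interactive shell.
  "${SHELL:-/bin/sh}" -l
}

case "${1:-}" in start) run_session ;; esac
```

Started with `start` from the login, the rules exist only while the nested shell is running; a CRON sweep as idallen suggests is still a sensible backstop, since a wrapper that is killed with SIGKILL never reaches its EXIT trap.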
paultwang (Author)
Posted May 19, 2005 (edited)

Problem: I want to enable remote desktop and/or other applications. However, tunnelling through SSH is too slow due to encryption overhead. Forwarding the ports without restrictions opens too big a hole.

Edited May 19, 2005 by paultwang