
I am new to Linux and I am already ambitious about what I want it to do :surrender:


I want to accomplish the following with port forwarding and firewall in linux. I don't know if either is feasible with iptables. Ideas?


Option (1):

Accept tcp port 3389 from IPmask1/Subnet1

Accept tcp port 3389 from IPmask2/Subnet2

Deny tcp port 3389 from anyone else

TCP Port forward from to


Option 1 limits the accepted hosts to reduce the possibility of a break-in.


Option (2):

If <username> has an active ssh session,

accept tcp port 3389 from <username>'s ssh client IP address,

deny from anyone else,

activate tcp port forwarding from to


Option 2 has a similar effect to SSH tunnelling, except that in option 2 the traffic is not encrypted.


Option 1 looks possible, but I don't see how you could implement option 2 using just iptables firewall rules - the firewall would not be aware of the username, nor whether they had an active SSH session or not.


Assuming you have IP masquerading (NAT) configured correctly in your firewall, I believe you could use rules like the following:

iptables -t nat -A PREROUTING -i eth0 -p tcp -s {IPmask1/Subnet1} --dport 3389 -j DNAT --to
iptables -t nat -A PREROUTING -i eth0 -p tcp -s {IPmask2/Subnet2} --dport 3389 -j DNAT --to

Normally, you'd have a default action of DENY in your ruleset, so that should deny connections from other IP addresses.


It's been a long time since I've messed around with Linux and iptables. I don't have a box to test the above on and my iptables knowledge is very rusty, so I don't know if the above is correct or if I'm missing anything. You might search Google and see if there's anything there that could help you as well.


Since you are new to Linux and iptables, I'd highly recommend that you install and use an iptables firewall application (a couple I know of are Firestarter and Guarddog), so you don't inadvertently leave your machine wide open while you're learning iptables.


Hope this helps...

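An added example (my own, not code from any post in this thread) of what a complete Option 1 ruleset looks like. The reply above only shows the nat-table DNAT rules; DNAT alone does not admit the packet, because the rewritten packet still has to pass the filter table's FORWARD chain, which is where the "deny from anyone else" default lives. The interface (eth0), the internal RDP host (192.168.1.10) and the two client ranges (203.0.113.0/24 and 198.51.100.5/32, standing in for IPmask1/Subnet1 and IPmask2/Subnet2) are assumptions; none of them are given in the thread. With DRY_RUN=1, the default, the script prints the iptables commands instead of running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example for Option 1, not code from the thread. Emits the complete
# ruleset: DNAT for two permitted client ranges plus the FORWARD rules that
# DNAT alone does not give you.
# Assumed values (not stated in the thread): external interface eth0,
# internal RDP host 192.168.1.10, client ranges 203.0.113.0/24 and
# 198.51.100.5/32 standing in for IPmask1/Subnet1 and IPmask2/Subnet2.
# With DRY_RUN=1 (the default) the commands are printed, not executed.

WAN_IF="${WAN_IF:-eth0}"
RDP_HOST="${RDP_HOST:-192.168.1.10}"
ALLOWED_NETS="${ALLOWED_NETS:-203.0.113.0/24 198.51.100.5/32}"
DRY_RUN="${DRY_RUN:-1}"

# Run iptables, or print the command when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The full ruleset. The default policy is set first so that nothing is
# forwarded while the accept rules are still being added.
rdp_rules() {
    # "Deny tcp port 3389 from anyone else": default deny for forwarded traffic.
    ipt -P FORWARD DROP
    # Replies belonging to connections already accepted.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for net in $ALLOWED_NETS; do
        # Rewrite the destination for permitted clients...
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$net" --dport 3389 \
            -j DNAT --to-destination "$RDP_HOST:3389"
        # ...and let the rewritten packet through the filter table. The nat
        # table only rewrites; without this rule FORWARD's DROP policy wins.
        ipt -A FORWARD -i "$WAN_IF" -p tcp -s "$net" -d "$RDP_HOST" \
            --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Dry-run helper: number of ACCEPT rules the ruleset contains (one per
# permitted range, plus the ESTABLISHED,RELATED rule).
count_accept_rules() {
    DRY_RUN=1 rdp_rules | grep -c -- '-j ACCEPT'
}

rdp_rules
```

Two things the script does not do for you: IP forwarding has to be on (net.ipv4.ip_forward=1), and the internal host has to route its replies back through this box, otherwise the DNAT'd connection never completes. Note also that `-P FORWARD DROP` applies to everything this machine forwards, not just RDP, which is the intended behaviour for a firewall but will surprise you on a box that is also routing other traffic. The whitelist is only as strong as the source address: anyone behind the same NAT gateway as a permitted client, or able to spoof its address, is permitted too.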

Paul - you've posted your solutions but not the problem you're trying to solve. Are you trying to open up a port-forward from a particular IP address, based on whether that IP address has an SSH connection to your machine? If so, yes, you can do that:

    When your user logs in to your machine, have their login script set up the iptables rule to permit the port forwarding; or, have them execute something that has the same effect.

The real trick is getting the rule to go away again when the user logs out or the connection drops. Depending on how important this is, you can use some combination of a nested shell, a logout profile, or a CRON job that looks for this user being logged in and removes the iptables rule when no login is found or when the user's idle time goes above some number.

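An added example (my own, not code from any post in this thread) of the login-script-plus-cron approach the previous reply describes. The login half reads the client address out of SSH_CONNECTION, which sshd sets to "client_ip client_port server_ip server_port", and adds a DNAT rule plus an ACCEPT rule for that one address; the cron half parses `iptables -S` to find which addresses are currently open and removes the pair for any address that no longer has a login in `who`. The chain name RDP_DYN, the interface eth0 and the RDP host 192.168.1.10 are hypothetical; the chain is assumed to exist and to be reached from FORWARD (one-time setup: `iptables -N RDP_DYN; iptables -A FORWARD -j RDP_DYN`, with FORWARD defaulting to DROP as in Option 1). With DRY_RUN=1, the default, the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example for the login-hook idea above, not code from the thread.
# Hypothetical names: filter chain RDP_DYN (FORWARD must jump to it),
# internal RDP host 192.168.1.10, external interface eth0.
# open_rdp_for_session runs from the user's login script; ips_in_chain and
# close_rdp_if_gone run from cron. DRY_RUN=1 (default) prints, does not run.

WAN_IF="${WAN_IF:-eth0}"
RDP_HOST="${RDP_HOST:-192.168.1.10}"
CHAIN="${CHAIN:-RDP_DYN}"
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# sshd exports SSH_CONNECTION as "client_ip client_port server_ip server_port".
client_ip_from_ssh_connection() {
    set -- $1
    echo "$1"
}

# Add (-A), delete (-D) or check (-C) the pair of rules for one client IP.
# The argument list is identical each time, so -D removes exactly what -A added.
rdp_rule() {
    action="$1"; ip="$2"
    ipt -t nat "$action" PREROUTING -i "$WAN_IF" -p tcp -s "$ip" --dport 3389 \
        -j DNAT --to-destination "$RDP_HOST:3389"
    ipt "$action" "$CHAIN" -i "$WAN_IF" -p tcp -s "$ip" -d "$RDP_HOST" \
        --dport 3389 -j ACCEPT
}

# Login hook. $1 is $SSH_CONNECTION; a local (console) login has none and
# therefore opens nothing.
open_rdp_for_session() {
    [ -n "$1" ] || { echo "no SSH_CONNECTION, nothing to open" >&2; return 1; }
    rdp_rule -A "$(client_ip_from_ssh_connection "$1")"
}

# Cron side, part 1: client IPs currently in the chain, parsed from the text
# of `iptables -S $CHAIN` (passed in as $1 so it can be exercised offline).
ips_in_chain() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-s") print $(i+1) }' |
        sed 's#/32$##'
}

# Cron side, part 2: remove the rules for $1 unless a login from that address
# is still listed in $2, the output of `who --ips` (GNU coreutils; plain `who`
# shows hostnames unless sshd is configured not to resolve them).
# grep -w stops 203.0.113.7 from matching 203.0.113.70.
close_rdp_if_gone() {
    ip="$1"; who_output="$2"
    if printf '%s\n' "$who_output" | grep -qwF -- "$ip"; then
        echo "login from $ip still present, keeping rules" >&2
        return 1
    fi
    rdp_rule -D "$ip"
}

# Stand-alone use from ~/.profile. The cron job would instead run:
#   for ip in $(ips_in_chain "$(iptables -S RDP_DYN)"); do
#       close_rdp_if_gone "$ip" "$(who --ips)"; done
if [ -n "${SSH_CONNECTION:-}" ]; then
    open_rdp_for_session "$SSH_CONNECTION"
fi
```

Caveats a practitioner would want on record: ~/.profile only runs for login shells, so an `ssh host command` or an sftp session will not open the port, and a user whose shell is killed rather than logged out leaves the rule in place until cron catches it. The hole is per source address, not per user, so everyone behind the same NAT gateway as the logged-in user gets RDP access for as long as the session lasts; and because the login script runs as the user, it needs sudo rights limited to exactly these iptables invocations, not a general root shell.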



I want to enable remote desktop and/or other applications. However, tunnelling through SSH is too slow due to encryption overhead. Forwarding the ports without restrictions opens too big a hole.
