On Wed, 2005-09-28 at 11:56 -0500, Aleksandar Milivojevic wrote:
> Quoting Rodrigo Barbosa <rodrigob@xxxxxxxxxxxxxxx>:
>
> > Humm, that should be relatively simple:
> >
> > iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j ACCEPT
>
> You probably want to use INPUT chain of filter table for this:
>
> iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
>
> If INPUT chain of filter table has default policy set to DROP, putting
> an ACCEPT
> target into PREROUTING chain of nat table isn't going to let the packet go
> through the firewall.
Alright, I figured I would try a simple proof of concept with this.
Without setting any policies to drop, meaning all the chains are wide
open (all ACCEPT) I wanted to try and do VNC through the port forward.
So I started with this:
#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Ran this:
iptables -A FORWARD -p tcp --dport 5900 -s 192.168.192.24 -d 10.10.60.4
-j ACCEPT
Ended up with this:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp
dpt:http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.192.24 10.10.60.4 tcp dpt:5900
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Now shouldn't I be able to run the VNC client from my machine
192.168.192.24, connecting to this server (10.10.60.3) and shouldn't it
forward the VNC request to 10.10.60.4?
Yes, communication does work between 192.168.192 and 10.10.60 subnets.
Thanks,
James
