Hi Edmund,

> I am having some troubles figuring out how to get a remote
> PCAnywhere station log onto a local pcanywhere station.

[...]

> Here's my attempt at a netfilter script for this:
>
> iptables -A INPUT -i eth0 -d 192.168.5.31 -p tcp --dport "5631:5632" -j ACCEPT
> iptables -A INPUT -i eth0 -d 192.168.5.31 -p udp --dport "5631:5632" -j ACCEPT

I think this is wrong. You need to put the rules in FORWARD, since having
been DNAT'ed, the packet is no longer destined for the local host, and will
be routed by the machine. The rules you need are:

iptables -A FORWARD -i eth0 -d 192.168.5.31 -p tcp --dport "5631:5632" \
    -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.5.31 -p udp --dport "5631:5632" \
    -j ACCEPT

In fact you can make this tighter as well, since pcAnywhere uses only UDP
port 5632 and TCP port 5631:

iptables -A FORWARD -i eth0 -d 192.168.5.31 -p tcp --dport 5631 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.5.31 -p udp --dport 5632 -j ACCEPT

> iptables -t nat -A PREROUTING -i eth0 -d a.b.c.d -p tcp --dport "5631:5632" -j DNAT --to 192.168.5.31
> iptables -t nat -A PREROUTING -i eth0 -d a.b.c.d -p udp --dport "5631:5632" -j DNAT --to 192.168.5.31

These rules are correct, although you can tighten them up in the same way
as above.

> I actually got this off the net and am still trying to dissect it.
> Am I supposed to have Output, or just forward chains since in essence
> I'm just forwarding the PCA packets to a different station?

Just FORWARD. The packets will never go into INPUT nor will the replies go
out of OUTPUT.

Cheers, Chris.

-- 
  ___ __  _            | Chris Wilson -- UNIX Firewall Lead Developer |
 / __// / ,__(_)_      | NetServers.co.uk  http://www.netservers.co.uk |
/ (_ / ,\/ _/ /_ \     | 21 Signet Court, Cambridge, UK. 01223 576516  |
\ _//_/_/_//_/___/     |
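As an added example (not Chris's or Edmund's code), here is the whole port-forward as one POSIX shell script: the tightened DNAT and FORWARD rules from the reply, plus the reply-direction FORWARD rule and the ip_forward sysctl that the thread takes for granted. The function names, the DRY_RUN switch and the argument order (WAN IP, LAN IP, WAN interface) are assumptions for this example.

```shell
#!/bin/sh
# Added example: complete pcAnywhere forward to one internal host.
# DRY_RUN=1 prints the iptables commands instead of applying them,
# so the rule set can be inspected without root.

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# pcanywhere_forward WAN_IP LAN_IP WAN_IF
pcanywhere_forward() {
    wan_ip=$1; lan_ip=$2; wan_if=$3
    # Rewrite the destination before routing. Only the two ports pcAnywhere
    # actually uses are opened: TCP 5631 (session) and UDP 5632 (status).
    ipt -t nat -A PREROUTING -i "$wan_if" -d "$wan_ip" -p tcp --dport 5631 \
        -j DNAT --to-destination "$lan_ip"
    ipt -t nat -A PREROUTING -i "$wan_if" -d "$wan_ip" -p udp --dport 5632 \
        -j DNAT --to-destination "$lan_ip"
    # After DNAT the packet is routed, so it traverses FORWARD, not INPUT,
    # and it already carries the internal address as destination.
    ipt -A FORWARD -i "$wan_if" -d "$lan_ip" -p tcp --dport 5631 -j ACCEPT
    ipt -A FORWARD -i "$wan_if" -d "$lan_ip" -p udp --dport 5632 -j ACCEPT
    # Replies from the internal host cross FORWARD too (never OUTPUT). With a
    # DROP policy on FORWARD they need their own rule; matching on conntrack
    # state keeps it tied to connections the DNAT rules admitted.
    ipt -A FORWARD -o "$wan_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The box will not route DNAT'ed packets at all unless forwarding is on.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# Number of iptables rules a dry run would apply; a cheap sanity check
# before running the script for real.
rule_count() {
    ( DRY_RUN=1; pcanywhere_forward "$@" ) | grep -c '^iptables '
}
```

Run with `DRY_RUN=1 sh script.sh` first and confirm that no INPUT rule appears in the output.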