Hi All,

I have read what seems like thousands of documents on this subject, but I am still having problems and I need to ask the list for advice.

My setup is a Red Hat 8 machine with 2 nics:
1. eth0 = public
2. eth1 = LAN

My goals are very simple:
1. Forward port 3389 to a machine on the LAN
2. Accept connections to port 22 on the firewall itself

My issue is that I can not connect to either of these services from outside of the LAN, the connection simply times out. I am attaching my rules below for your review. I am happy to offer any information necessary for diagnosis of this issue that I may have left out.

Thank you in advance,
Mike

============================================RULES==========================================================
# Generated by iptables-save v1.2.6a on Sat Jun 14 17:19:36 2003
*mangle
:PREROUTING ACCEPT [417:91635]
:INPUT ACCEPT [66:10825]
:FORWARD ACCEPT [240:44837]
:OUTPUT ACCEPT [31:2464]
:POSTROUTING ACCEPT [271:47301]
-A PREROUTING -s 10.0.0.0/255.0.0.0 -j DROP
-A PREROUTING -s 172.16.0.0/255.240.0.0 -j DROP
COMMIT
# Completed on Sat Jun 14 17:19:36 2003
# Generated by iptables-save v1.2.6a on Sat Jun 14 17:19:36 2003
*nat
:PREROUTING ACCEPT [42104:7852987]
:POSTROUTING ACCEPT [14:872]
:OUTPUT ACCEPT [119:21092]
-A PREROUTING -d 208.27.220.145 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.254:3389
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j SNAT --to-source 208.27.220.145
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.254 -p tcp -m tcp --dport 3389 -j SNAT --to-source 192.168.1.1
COMMIT
# Completed on Sat Jun 14 17:19:36 2003
# Generated by iptables-save v1.2.6a on Sat Jun 14 17:19:36 2003
*filter
:INPUT DROP [8965:2743484]
:FORWARD ACCEPT [236866:281837325]
:OUTPUT ACCEPT [410:51373]
:allowed - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
-A INPUT -d 192.168.1.255 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.1.1 -i lo -j ACCEPT
-A INPUT -s 208.27.220.11 -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -d 208.27.220.145 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-level 7
-A FORWARD -p icmp -j icmp_packets
-A FORWARD -p tcp -j tcp_packets
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A allowed -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 5 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW TCP PACKET"
-A tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
COMMIT
# Completed on Sat Jun 14 17:19:36 2003
============================================END RULES========================================================
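
An added example, not part of the original post: a small static check for an iptables-save dump like the one above. It reports rules that can never match because an earlier terminating rule in the same chain has the same or a looser match, and user-defined chains that no rule jumps to. The sample is a trimmed excerpt constructed from the posted rules, and the names `parse`, `lint`, `OPTION` and `TERMINATING` are hypothetical.

```python
import re
from collections import defaultdict

TERMINATING = {"ACCEPT", "DROP", "REJECT", "MASQUERADE", "SNAT", "DNAT"}
# One match option with its values, e.g. "-o eth0" or "! --tcp-flags SYN,RST,ACK SYN".
OPTION = re.compile(r"(?:! )?-\S+(?: (?![-!])\S+)*")

# Constructed sample: trimmed excerpt of the iptables-save dump in the post.
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [14:872]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j SNAT --to-source 208.27.220.145
COMMIT
*filter
:allowed - [0:0]
:tcp_packets - [0:0]
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp -j tcp_packets
-A allowed -p tcp -j DROP
-A tcp_packets -p tcp -m state --state NEW -j DROP
COMMIT
"""

def parse(text):
    # Per table: user-defined chain names and, per chain, (option groups, target).
    tables, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"user": set(), "rules": defaultdict(list)})
        elif line.startswith(":") and line.split()[1] == "-":
            cur["user"].add(line.split()[0][1:])   # policy "-" marks a user chain
        elif line.startswith("-A "):
            tok = line.split()
            j = tok.index("-j")
            groups = frozenset(OPTION.findall(" ".join(tok[2:j])))
            cur["rules"][tok[1]].append((groups, tok[j + 1]))
    return tables

def lint(text):
    # Flag unreferenced user chains and rules shadowed by an earlier terminating rule.
    out = []
    for table, t in parse(text).items():
        jumped = {tgt for rules in t["rules"].values() for _, tgt in rules}
        out += [(table, c, "chain never jumped to") for c in sorted(t["user"] - jumped)]
        for chain, rules in t["rules"].items():
            for i, (match, tgt) in enumerate(rules):
                if any(a in TERMINATING and m <= match for m, a in rules[:i]):
                    out.append((table, chain, f"rule {i + 1} ({tgt}) can never match"))
    return out
```

The comparison is textual (option groups as written), so it only flags a rule when every option of the earlier rule appears verbatim in the later one.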