* iptables for port forwarding
@ 2004-11-30 0:51 Nick
2004-11-30 13:05 ` Gavin Hamill
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Nick @ 2004-11-30 0:51 UTC (permalink / raw)
To: netfilter
Hi,
I want to do something relatively simple, but have not been able to
figure out from the manual or playing with it how to achieve what I
want.
I have a server which I can only connect to via port 80, due to a
firewall. I want to connect to VNC on the server, and connect to it
via a VNC client on my laptop. VNC server only wants to run on port 5900.
I'm not running an HTTP server on 80, so no prob there. I want to
forward packets coming into the server on port 80 to the VNC on 5900.
I tried doing this:
/sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT
--to 127.0.0.1:5900
But the VNC client hangs for a while before timing out when I try to
connect to it.
Ideas on how to achieve the desired result?
Thanks,
Nick
* Re: iptables for port forwarding
From: Gavin Hamill @ 2004-11-30 13:05 UTC (permalink / raw)
To: netfilter
On Tuesday 30 November 2004 00:51, Nick wrote:
> Hi,
>
> I have a server which I can only connect to via port 80, due to a
> firewall. I want to connect to VNC on the server, and connect to it
> via a VNC client on my laptop. VNC server only wants to run on port 5900.
> I'm not running an HTTP server on 80, so no prob there. I want to
> forward packets coming into the server on port 80 to the VNC on 5900.
Take a step back and work from first principles... can you telnet to port 80
on the server from your laptop?
You should see something like this...
gdh:~# telnet 1.2.3.4 80
Trying 1.2.3.4...
Connected to myhost.mydomain.com
Escape character is '^]'.
RFB 003.003
If you don't see that 'RFB' message then something else is wrong... if you do
see it, then can I ask how you're telling the VNC client to use port 80?
You can't simply tell it to connect to "1.2.3.4:80" because this will try to
connect to port 5980...
Cheers,
Gavin.
* Re: iptables for port forwarding
From: John Lash @ 2004-11-30 13:26 UTC (permalink / raw)
To: netfilter
> I tried doing this:
> /sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT
> --to 127.0.0.1:5900
>
> But the VNC client hangs for a while before timing out when I try to
> connect to it.
>
> Ideas on how to achieve the desired result?
>
> Thanks,
>
> Nick
>
I suspect that you won't be able to redirect to 127.x.x.x. Check out this
thread:
https://lists.netfilter.org/pipermail/netfilter/2002-November/040104.html
He comes to the conclusion that you can't redirect packets to localhost because
the kernel refuses to route a packet from an external ip to a destination on the
127.x.x.x network. I haven't yet verified that in the code but it sounds
reasonable enough.
I played with something similar for a while and was also unsuccessful. Needless
to say, if you find a way to do this, short of hacking the routing code, please
post back. Seems to be a fairly common wish.
The usual way to forward the port to localhost is to use ssh. There are many
references to that on the net.
--john
* Re: iptables for port forwarding
From: Jason Opperisano @ 2004-11-30 20:54 UTC (permalink / raw)
To: netfilter
On Mon, Nov 29, 2004 at 04:51:54PM -0800, Nick wrote:
> Hi,
>
> I want to do something relatively simple, but have not been able to
> figure out from the manual or playing with it how to achieve what I
> want.
>
> I have a server which I can only connect to via port 80, due to a
> firewall. I want to connect to VNC on the server, and connect to it
> via a VNC client on my laptop. VNC server only wants to run on port 5900.
> I'm not running an HTTP server on 80, so no prob there. I want to
> forward packets coming into the server on port 80 to the VNC on 5900.
>
> I tried doing this:
> /sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
you're changing the dport to 5900 in NAT PREROUTING--your filter rule
should reflect that fact.
> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT
> --to 127.0.0.1:5900
you can't DNAT to 127.0.0.1--search the list archives for the nearly
8000 messages on this topic.
> But the VNC client hangs for a while before timing out when I try to
> connect to it.
>
> Ideas on how to achieve the desired result?
# redirect tcp 80 -> 5900
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
-j REDIRECT --to-port 5900
# allow stateful replies
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow connections to tcp 5900
iptables -A INPUT -i eth0 -p tcp --syn --dport 5900 -j ACCEPT
you then need to tell your VNC client to connect to:
$SERVERIP:-5820
the port number is calculated by: 5900 + DISPLAY_NUMBER
to get it to connect to port 80: 5900 + (-)5820 = 80
-j
--
"Okay, retrace your steps. Woke up, fought with Marge, ate Guatemalan
insanity peppers, then I... Oh..."
--The Simpsons
^ permalink raw reply [flat|nested] 4+ messages in thread
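A toy model of the path an inbound SYN takes, added here as an example and not code from the thread: it runs one packet through nat PREROUTING, the routing decision and the filter table, and shows why Jason's filter rule must match the post-NAT port 5900 in INPUT rather than port 80 in FORWARD, and why Nick's DNAT to 127.0.0.1 never reaches a socket. The client and server addresses are constructed, and the kernel behaviour modelled is only what the thread describes.

```python
from dataclasses import dataclass, replace

SERVER_IP = "1.2.3.4"                 # constructed; the address Gavin telnets to
LOCAL_IPS = {SERVER_IP, "127.0.0.1"}  # addresses the server owns

@dataclass(frozen=True)
class Packet:
    saddr: str
    daddr: str
    dport: int

def nat_prerouting(pkt, nat_rules):
    """First matching nat PREROUTING rule rewrites the header; matches on the pre-NAT dport."""
    for match_port, target, arg in nat_rules:
        if pkt.dport == match_port:
            if target == "REDIRECT":   # daddr becomes the primary address of the in-interface
                return replace(pkt, daddr=SERVER_IP, dport=arg)
            if target == "DNAT":       # arg is "ip:port"
                ip, port = arg.rsplit(":", 1)
                return replace(pkt, daddr=ip, dport=int(port))
    return pkt

def route(pkt):
    """Routing after PREROUTING. Per the thread, a packet from outside cannot be routed to 127/8."""
    if pkt.daddr.startswith("127.") and not pkt.saddr.startswith("127."):
        return "DROP"
    return "INPUT" if pkt.daddr in LOCAL_IPS else "FORWARD"

def filter_chain(pkt, chain, filter_rules):
    """Filter rules are (chain, dport) ACCEPTs with a DROP policy; they see the post-NAT dport."""
    for rule_chain, dport in filter_rules:
        if rule_chain == chain and dport == pkt.dport:
            return "ACCEPT"
    return "DROP"

def deliver(pkt, nat_rules, filter_rules):
    """Run one inbound SYN through nat PREROUTING, routing and the filter table."""
    pkt = nat_prerouting(pkt, nat_rules)
    chain = route(pkt)
    if chain == "DROP":
        return "DROP(martian)"
    return f"{filter_chain(pkt, chain, filter_rules)}:{chain}:{pkt.daddr}:{pkt.dport}"

SYN = Packet(saddr="203.0.113.7", daddr=SERVER_IP, dport=80)  # constructed client SYN
# Nick: DNAT to 127.0.0.1:5900 plus a FORWARD rule matching the pre-NAT port 80
NICK = deliver(SYN, [(80, "DNAT", "127.0.0.1:5900")], [("FORWARD", 80)])
# Jason: REDIRECT to 5900 plus an INPUT rule matching the post-NAT port 5900
JASON = deliver(SYN, [(80, "REDIRECT", 5900)], [("INPUT", 5900)])
# Jason's NAT rule, but a filter rule still written against the pre-NAT port 80
STALE = deliver(SYN, [(80, "REDIRECT", 5900)], [("INPUT", 80)])
```

Later kernels expose a route_localnet sysctl that relaxes the loopback restriction the thread describes; without it, the REDIRECT target is the way to reach a service bound on the box itself.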