iptables port forwarding


 
Thread Tools Search this Thread
Operating Systems Linux Red Hat iptables port forwarding
# 1  
Old 04-04-2018
iptables port forwarding

Hello All,
I would like to ask you very kindly with /etc/sysconfig/iptables file

I have to setup port forwarding on RHEL6 router. Users from public network must be able to ssh to servers in private network behind RHEL6 router. Problem is that servers in private network must be isolated.

My boss require that there will not be any possibility of connection from private network to any remote network behind RHEL6 router

I am not able to DROP any traffic coming from private network.

I did setup port forwarding on router from public network to private network easily but I am not able to force router to drop any traffic coming from private network outside unless I break port forwarding.

here is example of my /etc/sysconfig/iptables file. Please help with line which would drop all outgoing traffic from private network but keep port forwarding working.

Code:
cat /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
-A INPUT -p all -j DROP
#
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 192.168.0.3:22
COMMIT

BTW: (ssh on router is running on port 2222)


Moderator's Comments:
Mod Comment Please use CODE tags as required by forum rules!

Last edited by RudiC; 04-04-2018 at 10:38 AM.. Reason: Added CODE tags.
# 2  
Old 04-04-2018
Without dwelling into configuration...

If you allow access from outside network to private network via ssh protocol, there is little you can do to stop tunneling around.

This might sound strange but have you considered not giving ssh access ?
Think about what your are doing and can it be done on a higher layer (HTTPS, FTPS) to expose one port and application behind, not ssh and shell.

Regards
Peasant.
# 3  
Old 04-04-2018
Hello Peasant,

Thank you very much for your answer.

I have no room for thinking what I am doing. This is direct order from my manager which I have to deliver. There is no room to ask questions etc.

I would like to ask you very kindly for a line which I can stick to /etc/sysconfig/iptables file so port forwarding will keep working but servers in private network will not be able to reach any other network.

Concerns with ssh tunneling etc is not my concern - I have to deliver only this isolated task.

Please help.
Thanks.
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. IP Networking

Port Forwarding not working

Hello Gurus, I have configured port forwarding at router. But after configuration I am not able to connect the computer from outside/Over internet/Remote desktp from other computer. Could you please advice? Thanks- Pokhraj (2 Replies)
Discussion started by: pokhraj_d
2 Replies

2. UNIX for Advanced & Expert Users

Help on port forwarding please..

Hi experts, We have windows machine ( A ) in one network & 2 Linux Servers ( B & C ) in another network. There is a firewall between these 2 networks and SSH (TCP/22) & HTTPS (TCP/443) are allowed from A to B only (but not to C). There is no personal firewall / iptables running on any machine.... (1 Reply)
Discussion started by: magnus29
1 Replies

3. UNIX for Dummies Questions & Answers

Iptables, port forwarding, 64k connection limit?

I am having an issue with iptables. My server is a RHEL6 64bit system. In my application I have a large number of connected clients ~100k to a particular service. The application works fine when iptables is off, 100k clients are able to connect. However, when I turn iptables on and add a... (1 Reply)
Discussion started by: jtipp3tt
1 Replies

4. IP Networking

iptables port forwarding does not work while I have 2 routes

Hi, On my linux server I have 2 routes: Code: nexthop via 123.201.254.5 dev eth0 weight 38 nexthop via 111.93.155.149 dev eth2 weight 36 I have a iptable rule like : iptables -t nat -A PREROUTING -p tcp -i eth0 -d... (5 Replies)
Discussion started by: ashokvpp
5 Replies

5. UNIX for Advanced & Expert Users

Iptable and port forwarding

Hello, I have a routeur linksys (192.168.1.1 ) a firewall (192.168.1.55 IN ----> 192.168.2.254 OUT) which using iptable I want to acces to an equipment (lorex video camera serveur 192.168.2.44) which using an ddns service on the port 9000 So i don t know which redirection a will do on the... (2 Replies)
Discussion started by: tapharule
2 Replies

6. IP Networking

SSH Port Forwarding - sharing the same port

Hi Linux/Unix Guru, I am setting Linux Hopping Station to another different servers. My current config to connect to another servers is using different port to connect. e.g ssh -D 1080 -p 22 username@server1.com ssh -D 1081 -p 22 username@server2.com Now what I would like to have... (3 Replies)
Discussion started by: regmaster
3 Replies

7. Solaris

ip and port forwarding in Solaris 10

Hi; I have the following issue: I have a Solaris server running an old applications which connects to an http server in other server at certain port. The thing is that the http server has changed its ip and port and the addres in the app is hard coded and touching the app by now is out of the... (0 Replies)
Discussion started by: ppereira
0 Replies

8. UNIX for Advanced & Expert Users

Port forwarding

Hi I want to set up port forwarding from one network to another network. I already have this configured on the Linux box using iptables. iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 1521 -j DNAT --to 10.218.146.230 iptables -A FORWARD -p tcp -i eth1 -d 10.218.146.230 -j ACCEPT ... (2 Replies)
Discussion started by: slash_blog
2 Replies

9. UNIX for Advanced & Expert Users

port forwarding

Hi, I have to install an application that has a built in tftp server. Tftp comes in on port 69. As i am not installing this application as a root user i am running into trouble because only the root user can listen to ports < 1024. So changing the port i listen to to one greater than 1023 isn't... (1 Reply)
Discussion started by: imloaded24_7
1 Replies

10. UNIX for Dummies Questions & Answers

iptables: forwarding a port

I've been googling for a while now, trying to forward port 3000 to port 80.... In the past I used to DLink router to forward port 3000 to 80. I recently finished (well, is it ever done anyhow?) setting up my linux box and got it acting as a router. I want to continue to run Apache on port 80... (1 Reply)
Discussion started by: meeps
1 Replies
Login or Register to Ask a Question