November 22, 2024, 09:13:14 AM

News : LinuxSolved.com Linux Help Community Forum..


Author Topic: lan Host exposing to internet:Forwarding internal IP to internet using iptables  (Read 7397 times)

Offline sunlinux

  • Tux Awared
  • **
  • Posts: 30
Hi, I have configured my adsl modem in Linux as ppp0, I am using NAT in linux to connect lan to internet.. ok fine.

Now, I want a lan server-192.168.2.3:22(ssh) to expose to internet directly, Pls guide me how can i do it.

I am pasting my nat confiuration:
------------------
INTIF="eth0"
EXTIF="ppp0"
EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo " Enabling Kernal IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " Flushing ip router through: $EXTIF"
echo " External interface IP address is: $EXTIP"

echo " Loading Kernal server rules..."

# Clearing any existing rules and setting default policy
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F
/sbin/iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
/sbin/iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Sm told me to do following :

/sbin/iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to $PORTFWIP:22
/sbin/iptables -A FORWARD -p TCP -s 0/0 --dport 22 -j ACCEPT


I did above n when I nmap the linux NAT(gateway) i get:

PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
29/tcp filtered msg-icp
67/tcp filtered dhcps
80/tcp open http
« Last Edit: December 14, 2007, 07:00:54 PM by Ricky »

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
Well... you mean you want to target all ssh request ie. on port22 to be directed to internal 192.168.2.3 server ?

Offline sunlinux

  • Tux Awared
  • **
  • Posts: 30
absolutely...

Offline sunlinux

  • Tux Awared
  • **
  • Posts: 30
Thank you! I have solved my problem. of DMZ

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
I would like to see how you solved it !

Offline sunlinux

  • Tux Awared
  • **
  • Posts: 30
I just added following lines to my script file:

PORT=922
DMZ_IP=192.168.123.4
DMZ_IF=eth0

/sbin/iptables -A PREROUTING -t nat -p tcp --dport $PORT -i ppp0 -j DNAT --to $DMZ_IP:$PORT
/sbin/iptables -A FORWARD -p tcp -d $DMZ_IP --dport $PORT -i ppp0 -o $DMZ_IF -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -s $DMZ_IP --sport $PORT -i $DMZ_IF -o ppp0 -j ACCEPT

n it worked...