Networking Forums

use some other port number for ms term services with iptables

 
 
eholz1
12-23-2006, 04:08 AM
Hello,

I am trying to narrow access to my network. I currently am running
RedHat 3.0ES, and iptables.
I do the typical nat, and some forwarding, like for www, etc.

currently I have my system set up so I can access a windows xp computer
via term services (port 3389)
thru my firewall. I am currently using these lines which allow coming
in from any where.

********************************** from iptables script **********************************
$IPT -A FORWARD -p tcp -s 0/0 -d $PCHOST2 --destination-port 3389 -j LOG
# Terminal Server Rules
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to $PCHOST2
$IPT -A FORWARD -p tcp -s 0/0 -d $PCHOST2 --destination-port 3389 --syn -j ACCEPT

I can set the -s to a specific IP address, like this: -s 133.23.111.2 -d $PCHOST2 --destination-port 3389 --syn -j ACCEPT. This works.

I would like to use some other port number on the WAN side, like 3399 or whatever.
How would I set this so it passes through port 3399 from the outside to the Windows XP box on 3389?

I did try lines like this, but I could not get access:
# Terminal Server Rules with ip and port number
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to $PCHOST2
$IPT -A FORWARD -p tcp -s 133.23.111.2 --source-port 3399 -d $PCHOST2 --destination-port 3389 --syn -j ACCEPT

I must be missing something. Thanks for any help!

ewholz

 
ynotssor
12-23-2006, 04:31 AM
eholz1 wrote:
...

> i can set the -s to a specific ip address, like this -s 133.23.111.2
> -d $PCHOST2 --destination-port 3389 --syn -j ACCEPT, this works.
>
> I would like to use some other port number on the WAN side. like 3399
> or whatever.
> How would I set this so it passes thru port 3399 from the outside, to
> the windows xp box with 3389??


.... -j REDIRECT --to-ports 3389 ...
 
Pascal Hambourg
12-23-2006, 10:28 AM
Hello,

eholz1 wrote:
>
> $IPT -A FORWARD -p tcp -s 0/0 -d $PCHOST2 --destination-port 3389 -j LOG


Wow, you must have big log files.

> I would like to use some other port number on the WAN side. like 3399
> or whatever.
> How would I set this so it passes thru port 3399 from the outside, to
> the windows xp box with 3389??
>
> I did try lines like this, but I could not get access
> # Terminal Server Rules with ip and port number
> $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to
> $PCHOST2
> $IPT -A FORWARD -p tcp -s 133.23.111.2 --source-port 3399 -d $PCHOST2
> --destination-port 3389 --syn -j ACCEPT
>
> I must be missing something. Thanks for any help!


You must be missing the iptables manpage and the Netfilter NAT HOWTO,
and you confused the *source* port (random unprivileged port) with the
original *destination* port (3399). Don't change the original
FORWARD/ACCEPT rule and just modify the PREROUTING/DNAT rule:

$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 3399 \
-j DNAT --to $PCHOST2:3389
$IPT -A FORWARD -p tcp -d $PCHOST2 --dport 3389 --syn -j ACCEPT

Personal opinion: this is security by obscurity.
 
Robert
12-23-2006, 03:02 PM
On Fri, 22 Dec 2006 21:31:24 -0800, ynotssor wrote:

> eholz1 wrote:
> ...
>
>> i can set the -s to a specific ip address, like this -s 133.23.111.2
>> -d $PCHOST2 --destination-port 3389 --syn -j ACCEPT, this works.
>>
>> I would like to use some other port number on the WAN side. like 3399
>> or whatever.
>> How would I set this so it passes thru port 3399 from the outside, to
>> the windows xp box with 3389??
>
> ... -j REDIRECT --to-ports 3389 ...


REDIRECT is for redirecting ports on the machine itself, not forwarding
them onto another machine.


--

Regards
Robert

Smile... it increases your face value!


eholz1
12-26-2006, 04:02 PM
Hello Pascal,

Thank you for your comment, "security by obscurity" - I like it!
Also thanks for the tip on "fixing" my iptables script. No matter what
I am missing!

Is there a way to get the Microsoft VPN through iptables? I have tried a
few things, but have not had success with that as of yet. The MS VPN
is pretty bad anyway. I would like to set up a VPN connection (the
PIX VPN is so much better, but I do not have a PIX anymore!) from my
Windows XP box to the outside world.

Below are the lines I thought I needed to get this to work:
# Attempt for MS VPN
$IPT -A FORWARD -i eth0 -p 47 -d $PCHOST2 -j ACCEPT
$IPT -A INPUT -p tcp --dport 1723 -j ACCEPT
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to $PCHOST2:1723
$IPT -A FORWARD -p tcp -s 0/0 -d $PCHOST2 --destination-port 1723 -j ACCEPT

thanks,

eric


Pascal Hambourg
12-26-2006, 07:49 PM
eholz1 wrote:
>
> Is there way to get the Microsoft VPN thru iptables???


There are two kinds of "Microsoft VPN", PPTP and L2TP/IPSec. From what
follows I guess you mean PPTP.

> i have tried a
> few things, but have not had success with that as of yet. The MS VPN
> is pretty bad anyway. I would like to set up a vpn connection (the
> PIX vpn is so much better, but I do not have a pix anymore!) from my
> windows xp box to the outside world.


You may have a look at OpenVPN, which is an SSL VPN over UDP.

> below are the lines I thought i needed to get this to work:
> # Attempt for MS VPN
> $IPT -A FORWARD -i eth0 -p 47 -d $PCHOST2 -j ACCEPT


Ok.

> $IPT -A INPUT -p tcp --dport 1723 -j ACCEPT


This is needed only if the PPTP server is the local host.

> $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to
> $PCHOST2:1723
> $IPT -A FORWARD -p tcp -s 0/0 -d $PCHOST2 --destination-port 1723 -j
> ACCEPT


Ok, but the rule DNAT'ing the GRE protocol (47) is missing.

Assuming the PPTP server IP address is $PCHOST2:

$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 \
-j DNAT --to $PCHOST2
$IPT -t nat -A PREROUTING -i eth0 -p 47 -j DNAT --to $PCHOST2
$IPT -A FORWARD -i eth0 -d $PCHOST2 -p tcp --dport 1723 -j ACCEPT
$IPT -A FORWARD -i eth0 -d $PCHOST2 -p 47 -j ACCEPT
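The two forwards Pascal spells out, the 3399-to-3389 RDP remap from his first reply and the PPTP pair above, as one added example that is not from the thread and not anyone's posted script. It assumes eth0 as the WAN interface, 192.168.1.20 for $PCHOST2 and 203.0.113.7 as the single client allowed to reach RDP. The rate-limited LOG rule (in place of the per-packet LOG Pascal comments on) and the connection-state rule are additions the thread does not contain. Run it with no arguments to print the rules, with "apply" to load them.

```sh
#!/bin/sh
# Added example, not from the thread: the two forwards discussed above,
# generated by one script with a dry-run mode so the rules can be read
# before they are loaded. Interface, addresses and the client IP are
# assumptions for illustration.
#
#   sh fwd.sh          print the rules ("echo iptables ...")
#   sh fwd.sh apply    load them with the real binary (run as root)

WAN_IF="${WAN_IF:-eth0}"                    # assumed WAN interface
PCHOST2="${PCHOST2:-192.168.1.20}"          # assumed address of the XP box
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.7}"   # assumed single client allowed to use RDP
RDP_WAN_PORT=3399                            # port exposed on the WAN side
RDP_PORT=3389                                # port the XP box really listens on
PPTP_PORT=1723
GRE=47                                       # GRE has no ports: "-p 47" matches all of it

# Terminal Services: WAN:3399 -> PCHOST2:3389, from one source only.
# DNAT happens in PREROUTING, before the routing decision, so the FORWARD
# rule must match the rewritten destination (PCHOST2:3389). It must not
# match --sport: the client's source port is an ephemeral port, not 3399.
rdp_forward_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$ALLOWED_SRC" \
        --dport "$RDP_WAN_PORT" -j DNAT --to-destination "$PCHOST2:$RDP_PORT"
    # Log new sessions at a bounded rate instead of logging every packet
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$PCHOST2" --dport "$RDP_PORT" --syn \
        -m limit --limit 6/min -j LOG --log-prefix "rdp-fwd: "
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -s "$ALLOWED_SRC" -d "$PCHOST2" \
        --dport "$RDP_PORT" --syn -j ACCEPT
}

# PPTP: the TCP 1723 control channel plus the GRE data channel. GRE has
# no port numbers, so every inbound GRE packet on the WAN side goes to
# PCHOST2; that is only right with a single PPTP endpoint inside. With
# several, the kernel's PPTP helper (nf_conntrack_pptp / nf_nat_pptp on
# current kernels) is needed to tell the calls apart by call ID.
pptp_forward_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PPTP_PORT" \
        -j DNAT --to-destination "$PCHOST2"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$GRE" -j DNAT --to-destination "$PCHOST2"
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$PCHOST2" --dport "$PPTP_PORT" --syn -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -p "$GRE" -d "$PCHOST2" -j ACCEPT
}

# Replies for both services, and outbound GRE from the PPTP server, are
# accepted by connection state, so only the first packet of a session needs
# a rule of its own. "-m state" is the match a 2.4-era kernel had, and
# current iptables still accepts it.
state_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

all_rules() {
    state_rules
    rdp_forward_rules
    pptp_forward_rules
}

# Dry run: the same functions, with "echo" in front of the binary name.
print_rules() { ( IPT="echo iptables"; all_rules ); }

case "${1:-}" in
    apply) IPT=iptables; all_rules ;;
    *)     print_rules ;;
esac
```

After loading, `iptables -t nat -L PREROUTING -n -v` should show the three DNAT rules and `iptables -L FORWARD -n -v` the counters on the 3389 rule moving when the permitted client connects to WAN:3399. If your FORWARD policy is DROP, something has to accept the non-SYN packets of the session; that is what the state rule does, and without it a --syn-only ACCEPT lets in exactly one packet. Pascal's "security by obscurity" remark stands: 3399 buys nothing against a port scan, and the -s restriction is the control that actually limits who can reach the RDP service.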
 