iptables
xsash, 2017-06-27 18:13:13

How to forward RDP port through NAT using iptables?

Good day. Either my knowledge is scarce and limited, or... one of the two. I need to forward the RDP port through NAT. I use rinetd: everything is simple and works, but the source address gets replaced; in the logs the gateway IP shows up instead of the client IP. I've struggled with iptables and scoured the web, but I don't get it..
Original iptables script:

#!/bin/bash

# LAN interface
IF0="eth0"
# WAN interface 1
IF1="eth1"

# IP of WAN interface 1
IP1="110.120.130.205"

# gateway 1
P1="110.120.130.254"

# LAN network
P0_NET="10.0.0.0/24"
# WAN1 network
P1_NET="110.120.130.0/24"

####################

# Flush all rules and user-defined chains
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -t nat -X
iptables -t mangle -X

# Deny everything that is not explicitly allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow loopback and the LAN
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $IF0 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $IF0 -j ACCEPT

# Allow pings
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow all outbound connections from the server itself
iptables -A OUTPUT -o $IF1 -j ACCEPT

# Allow established connections (this FORWARD rule also lets the replies of any DNAT'd connection back out)
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop packets conntrack cannot classify
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

# Drop NULL packets (no TCP flags set)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop new TCP connections that do not start with SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow the LAN to reach the outside
iptables -A FORWARD -i $IF0 -o $IF1 -j ACCEPT

# Block access from the outside into the LAN
# NOTE: any WAN->LAN rule appended (-A) to FORWARD after this line is never reached, because this REJECT matches first
iptables -A FORWARD -i $IF1 -o $IF0 -j REJECT

# Redirect ports 80 and 443 to the transparent Squid
iptables -t nat -A PREROUTING -p tcp -m tcp -s 10.0.0.0/24 --dport 443 -j REDIRECT --to-ports 3443
iptables -t nat -A PREROUTING -p tcp -m multiport -s 10.0.0.0/24 --dports 80,81,82,88,1080,3127,3128,7900,8000,8080,8081,8088,8123,8888,9090 -j REDIRECT --to-ports 3080

# Enable NAT for the LAN (only traffic leaving via the WAN interface is masqueraded)
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s $P0_NET -o $IF1 -j MASQUERADE

# Open ports on the server itself
iptables -A INPUT -i $IF1 -p tcp --dport 55555 -j ACCEPT
iptables -A INPUT -i $IF1 -p tcp --dport 55554 -j ACCEPT

iptables -A INPUT -i $IF0 -p tcp --dport 123 -j ACCEPT
iptables -A INPUT -i $IF0 -p udp --dport 123 -j ACCEPT

# Open access to the web server
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

# Save the rules
/sbin/iptables-save  > /etc/iptables.rules
iptables-restore < /etc/iptables.rules

What I tried:
iptables -t nat -A PREROUTING -p tcp -m tcp -d 110.120.130.205 --dport 55554 -j DNAT --to-destination 10.0.0.10:3389
iptables -t nat -A POSTROUTING -p tcp -m tcp -d 10.0.0.10 --sport 3389 -j SNAT --to-source 110.120.130.205:55554

iptables -t nat -A PREROUTING -d 110.120.130.205 -p tcp --dport 3389 -j DNAT --to-destination 10.0.0.10:3389
iptables -t filter -A FORWARD -m state --state NEW -p tcp --dport 3389 -j ACCEPT

Neither variant worked.

2 answers
mureevms, 2017-06-27
@mureevms

You do not have an allow rule for transit packets arriving on the external interface. I.e., if the default policy for the FORWARD chain is DROP, then you must explicitly add ACCEPT for each forwarded port, similar to how it was done in the INPUT chain. I don't want to copy-paste; read my note, written specifically for such a case.
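An added example of what that allow rule looks like next to the DNAT rule, written for this page and not taken from the answer's note or the original script. It reuses the addresses and interfaces from the question (110.120.130.205 on eth1, 10.0.0.10 on eth0, external port 55554). The function name rdp_forward_rules and its parameters (WAN_IP, WAN_IF, LAN_IF, RDP_HOST, EXT_PORT, ALLOW_FROM) are this example's own; the ALLOW_FROM allow-list is an addition the question never asks for. Two things the script above makes easy to get wrong are handled here: the FORWARD rule must match the address and port as they look after DNAT (10.0.0.10:3389, not 55554), and it has to sit in front of the existing "-i eth1 -o eth0 -j REJECT" rule, which is why the attempt with "-A FORWARD" in the question never matched. No SNAT is added for traffic coming from the WAN, so the RDP server sees the client's real address in its logs, which is the difference from rinetd.

```shell
#!/bin/sh
# Added example, not the original post's or the answer's code.
# Prints (or, with --apply, applies) the two iptables rules needed to publish
# an internal RDP host on one external TCP port without hiding client IPs.
# rdp_forward_rules and its parameters are hypothetical names for this example.
set -eu

# rdp_forward_rules WAN_IP WAN_IF LAN_IF RDP_HOST EXT_PORT [ALLOW_FROM]
# Emits one iptables command per line. ALLOW_FROM (optional CIDR) limits which
# clients may hit the forwarded port; the default 0.0.0.0/0 means anyone.
rdp_forward_rules() {
    wan_ip=$1; wan_if=$2; lan_if=$3; rdp_host=$4; ext_port=$5
    allow_from=${6:-0.0.0.0/0}

    # 1. nat/PREROUTING: rewrite the destination before routing,
    #    WAN_IP:EXT_PORT -> RDP_HOST:3389. The source address is left alone,
    #    so the RDP server logs the real client, not the gateway.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -s %s -j DNAT --to-destination %s:3389\n' \
        "$wan_if" "$wan_ip" "$ext_port" "$allow_from" "$rdp_host"

    # 2. filter/FORWARD sees the packet AFTER DNAT, so match the internal
    #    address and port. "-I FORWARD 1" inserts at the top of the chain,
    #    ahead of the script's "-i eth1 -o eth0 -j REJECT"; an appended (-A)
    #    rule would sit behind that REJECT and never be reached.
    printf 'iptables -I FORWARD 1 -i %s -o %s -d %s -p tcp --dport 3389 -m state --state NEW -j ACCEPT\n' \
        "$wan_if" "$lan_if" "$rdp_host"

    # 3. Replies are already allowed by the script's ESTABLISHED,RELATED rule
    #    in FORWARD. No SNAT/MASQUERADE is needed for WAN clients because the
    #    LAN host's default route already points back at this gateway.
    #    (Only LAN clients connecting to the WAN IP would need a hairpin SNAT,
    #    and that SNAT is exactly what would hide their source address.)
}

# Dry run by default; "--apply" feeds the generated commands to sh (needs root).
case "${1:-}" in
    --apply) rdp_forward_rules 110.120.130.205 eth1 eth0 10.0.0.10 55554 | sh -e ;;
    --print) rdp_forward_rules 110.120.130.205 eth1 eth0 10.0.0.10 55554 ;;
esac
```

Run it with --print to review the rules, then with --apply on the gateway, and re-run the save step (iptables-save > /etc/iptables.rules) so they survive a reboot. Two checks worth doing before blaming the rules: `sysctl net.ipv4.ip_forward` must be 1 (it already is if the LAN reaches the internet through this box), and `iptables -t nat -L PREROUTING -n -v --line-numbers` together with `iptables -L FORWARD -n -v --line-numbers` shows whether the packet counters on the DNAT and ACCEPT rules increase when a client connects; if the DNAT counter grows and the ACCEPT counter does not, the FORWARD rule is in the wrong place. Since RDP is being exposed to the internet, passing a real allow-list as the sixth argument instead of the 0.0.0.0/0 default is the sensible setting.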

Ruslan, 2020-01-09
@msHack

There is an easier way.
Yggdrasil is an open-source analogue of Hamachi, only better: with it you can create game servers behind NAT, host sites behind NAT, host FTP behind NAT, and use RDP from behind NAT. Yggdrasil works with any program that supports IPv6 or IPv4.
Download here: https://yggdrasil-network.github.io/installation.html
Nodes here: https://github.com/yggdrasil-network/public-peers/...
Installation: create a folder yggdrasil and put it in C:\Program Files; download and install tap-windows-9.9.2_3, then download yggdrasil-0.3.12-windows-amd64.exe itself, rename it to yggdrasil and drop it into the yggdrasil folder;
create a configuration file with the command
"C:\Program Files\Yggdrasil\yggdrasil.exe" -genconf > "C:\Program Files\Yggdrasil\yggdrasil.conf"
add peer nodes to the config:
Peers: [
tcp://abcd:xxxxx
socks://efgh:xxxxx/abcd:xxxxx
tls://abcd:xxxxx
]
run yggdrasil:
"C:\Program Files\Yggdrasil\yggdrasil.exe" -useconffile "C:\Program Files\Yggdrasil\yggdrasil.conf"
Video: https://www.youtube.com/watch?v=Hp1O-4fZbOE&t=94s
