Problems forwarding port 3389
Kenneth Burgener
kenneth at uvlug.org
Tue Mar 22 20:10:59 MST 2005
I am having issues getting port 3389 to forward to a machine behind my
Linux firewall/routing machine. It is forwarding port 80 and 8080 fine,
but 3389 does not forward. I have attached the NAT/iptables script below.
I am able to connect from the firewall/routing machine:
llama:~# telnet 192.168.0.117 3389
Trying 192.168.0.117...
Connected to 192.168.0.117.
Escape character is '^]'.
But when I connect from an external machine:
kenneth@debian:~$ telnet xxx.xxx.xxx.xxx 3389
Trying xxx.xxx.xxx.xxx...
telnet: Unable to connect to remote host: Connection refused
Any suggestions?
Thanks,
Kenneth
kenneth at uvlug.org
----------------
#!/bin/sh
# IP Tables NAT Script

## BEGIN CONFIGURATION OF SCRIPT
EXTERNAL_IP="xxx.xxx.xxx.xxx"
EXTERNAL_ETH="eth2"
INTERNAL_ETH="eth1"

# IP address, ports and protocols of services accessible by the public.
# Use "protocol:public-port:private-ip:private-port" with a space between each entry.
SERVICES="tcp:80:192.168.0.117:80 tcp:8017:192.168.0.117:3389 udp:8017:192.168.0.117:3389 tcp:8080:192.168.0.117:8080"
## END CONFIGURATION OF SCRIPT

echo "Clearing out the IP tables..."
# Getting the chains ready for our rules. We are taking a strict approach.
#iptables -P INPUT DROP    # Set default to DROP
#iptables -P OUTPUT DROP   # Set default to DROP
#iptables -P FORWARD DROP  # Set default to DROP
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F   # Flush existing chains
iptables -X   # Delete existing chains

# Prepping the tables...
for TABLE in filter nat mangle; do
    iptables -t $TABLE -F   # Delete the table's rules
    iptables -t $TABLE -X   # Delete the table's chains
    iptables -t $TABLE -Z   # Zero the table's counters
done

echo "Setting up NAT-ing for public services..."
for SERVICE in $SERVICES; do
    # Grab the different parts of the service (protocol:public-port:private-ip:private-port).
    PROTOCOL=$(echo "$SERVICE" | cut -d ":" -f 1)
    ORIG_PORT=$(echo "$SERVICE" | cut -d ":" -f 2)
    NEW_IP=$(echo "$SERVICE" | cut -d ":" -f 3)
    NEW_PORT=$(echo "$SERVICE" | cut -d ":" -f 4)
    echo "$PROTOCOL traffic headed to $EXTERNAL_IP:$ORIG_PORT now going to $NEW_IP:$NEW_PORT..."

    # Add a few rules that allow outside traffic to be DNATed to the public server.
    iptables -t nat -A PREROUTING -i $EXTERNAL_ETH -d $EXTERNAL_IP -p $PROTOCOL --dport $ORIG_PORT -j DNAT --to $NEW_IP:$NEW_PORT
    iptables -A FORWARD -i $EXTERNAL_ETH -p $PROTOCOL --dport $NEW_PORT -d $NEW_IP -j ACCEPT

    # Add a few rules that allow inside traffic to be SNATed to the public server.
    iptables -t nat -A POSTROUTING -d $EXTERNAL_IP -p $PROTOCOL --dport $ORIG_PORT -j SNAT --to $NEW_IP:$NEW_PORT
    iptables -A FORWARD ! -i $EXTERNAL_ETH -d $NEW_IP -p $PROTOCOL --dport $NEW_PORT -j ACCEPT
done

echo "Enabling NAT..."
# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface $EXTERNAL_ETH -j MASQUERADE
iptables --append FORWARD --in-interface $INTERNAL_ETH -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward   # Enables packet forwarding by kernel
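The following is an added example, not the poster's script: a dry-run generator for the same "protocol:public-port:private-ip:private-port" service spec. Instead of calling iptables it prints the commands it would run, so the resulting rule set can be reviewed on any machine without root, and it lists which external protocol/port pairs the spec actually exposes, which is the first thing to compare against the port being probed when an outside connection is refused. It assumes a placeholder public address (192.0.2.1, from the documentation range) and that the firewall's iptables has the conntrack match (`-m conntrack`); the rules it emits use a default-DROP FORWARD chain with replies admitted by connection state, rather than the blanket ACCEPT policy of the script above.

```shell
#!/bin/sh
# Added example (not the original poster's script): dry-run generator for the
# "protocol:public-port:private-ip:private-port" service spec. Prints the
# iptables commands instead of executing them.

EXTERNAL_IP="192.0.2.1"      # constructed placeholder for the public address
EXTERNAL_ETH="eth2"
INTERNAL_ETH="eth1"
# Same mapping as the posted script: 8017 on the outside -> 3389 inside.
SERVICES="tcp:80:192.168.0.117:80 tcp:8017:192.168.0.117:3389 udp:8017:192.168.0.117:3389 tcp:8080:192.168.0.117:8080"

# Split one spec entry into PROTO, PUB_PORT, PRIV_IP, PRIV_PORT (globals).
parse_entry() {
    old_ifs=$IFS
    IFS=:
    set -- $1            # word-split the entry on ':' into $1..$4
    IFS=$old_ifs
    PROTO=$1; PUB_PORT=$2; PRIV_IP=$3; PRIV_PORT=$4
}

# List every proto/public-port pair the spec exposes, one per line.
public_ports() {
    for entry in $1; do
        parse_entry "$entry"
        echo "$PROTO/$PUB_PORT"
    done
}

# Exit 0 if the spec forwards protocol $2, public port $3 from the outside.
is_forwarded() {
    public_ports "$1" | grep -qx "$2/$3"
}

# Rules for one entry: DNAT on the public interface, then a FORWARD accept
# narrowed to the outside->inside direction and to new connections only.
rules_for() {
    parse_entry "$1"
    echo "iptables -t nat -A PREROUTING -i $EXTERNAL_ETH -d $EXTERNAL_IP -p $PROTO --dport $PUB_PORT -j DNAT --to-destination $PRIV_IP:$PRIV_PORT"
    echo "iptables -A FORWARD -i $EXTERNAL_ETH -o $INTERNAL_ETH -d $PRIV_IP -p $PROTO --dport $PRIV_PORT -m conntrack --ctstate NEW -j ACCEPT"
}

# Whole rule set: default-DROP FORWARD, replies admitted by conntrack, LAN
# allowed out, one DNAT/ACCEPT pair per service, masquerading for LAN clients.
ruleset() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $INTERNAL_ETH -o $EXTERNAL_ETH -j ACCEPT"
    for entry in $1; do
        rules_for "$entry"
    done
    echo "iptables -t nat -A POSTROUTING -o $EXTERNAL_ETH -j MASQUERADE"
}

# Usage: print the generated rules, then report on a few external ports.
ruleset "$SERVICES"
for probe in "tcp 80" "tcp 3389" "tcp 8017"; do
    set -- $probe
    if is_forwarded "$SERVICES" "$1" "$2"; then
        echo "# $1/$2 is forwarded by SERVICES"
    else
        echo "# $1/$2 is not in SERVICES; the firewall's own INPUT chain answers it"
    fi
done
```

Run it as `sh generate-rules.sh` and pipe the output through `sh` only after reading it. The per-service FORWARD rule matches on both interfaces and on `--ctstate NEW`, so a DNAT entry opens exactly one inbound path; return packets and LAN-originated traffic are handled by the two generic rules at the top rather than by a FORWARD policy of ACCEPT.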