Ubuntu Port Forwarding

[deanej]

I'm the network administer at my college's TV station (WCKN). All of our network is regulated by an Ubuntu 10.04 server (NOT a router), and all traffic goes through that computer (I have no idea why my predecessor set it up this way instead of just getting a router). I need remote desktop access to one of the internal computers (running Windows XP) so our shows can be updated during breaks. I had set it up with iptables port forwarding (which I don't understand at all but was able to get through Google), but recently it stopped working for reasons unknown. I can connect via remote desktop just fine from within the station network using the IP address but I cannot connect from outside using the server's IP address with the port, even though this used to be possible (nor can I connect using the computer's fully qualified domain name, phoenix.wckn.com), so I have to believe that the issue is with iptables.

Unfortunately I know nothing of the network configuration and everyone else in the station who isn't an idiot when it comes to technology graduated last year. I don't even know how to figure out why this isn't working. Any ideas?

If anyone has ideas on how to accomplish this without iptables I'd love to hear it. My predecessor installed VNC on that computer but I don't know anything about how to use it.

[MorphingDragon]

Would it be too much to ask for a iptables rules printout? (Or whatever wrapper Ubuntu uses now, can't remember)

You could PM me if you don't want to post them on the public forum.

If you wanted a quick fix now you could try team viewer?

[deanej]

I assume you mean iptables --list? I don't really know that much about it.

This is all that's there:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/23 anywhere
ACCEPT all -- anywhere 192.168.0.0/23

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

This is the rule that I keep trying to re-introduce: iptables -t nat -A PREROUTING -p tcp --dport 3389 -i eth0 -j DNAT --to 192.168.0.100

I don't get errors, but it doesn't take either. It used to work. And no, I don't have a clue what any of that syntax means. I just found it with google, and a lot of hair pulling when what I found didn't work right away.

Needless to say, I hate iptables. I never thought I'd say this, but it's worse than selinux.

[PatMcLJr]

dunno,
if you are using ubuntu and I guess debian
have look at ufw

[MorphingDragon]

Quote:

Originally Posted by deanej

I assume you mean iptables --list? I don't really know that much about it.

This is all that's there:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/23 anywhere
ACCEPT all -- anywhere 192.168.0.0/23

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

This is the rule that I keep trying to re-introduce: iptables -t nat -A PREROUTING -p tcp --dport 3389 -i eth0 -j DNAT --to 192.168.0.100

I don't get errors, but it doesn't take either. It used to work. And no, I don't have a clue what any of that syntax means. I just found it with google, and a lot of hair pulling when what I found didn't work right away.

Needless to say, I hate iptables. I never thought I'd say this, but it's worse than selinux.

SELinux and iptables are fine when you learn how to use them. They are tools to achieve an outcome.

To do port forwarding you need two commands.

First command

Code:

/sbin/iptables -t nat -A PREROUTING -p tcp -i <NETWORK INERFACE> -d <GATEWAY IP ADDRESS>
		 --dport <EXTERNAL PORT> -j DNAT --to <DESTINATION IP ADDRESS>:<DESTINATION PORT>

What this does is it sets up iptables to do port forwarding but doesn't still allow access.

Second Command

Code:

/sbin/iptables -A FORWARD -p tcp -i <NETWORK INTERFACE> -d <DESTINATION IP ADDRESS> --dport <DESTINATION PORT> -j ACCEPT

YOu also need to remember to save the the rules so they persist.

Code:

/etc/init.d/iptables save

[deanej]

I admit I don't understand anything about what those commands are doing, which is probably why they didn't work for me at all. Didn't bother to save since they didn't work. In particular, what should I have put in for <GATEWAY IP ADDRESS>?

As for selinux and iptables being fine - in order to make any sense of them you need to be intimately familiar with how your programs work in order to use them. Who knows that? I certainly don't. They're certainly well beyond the knowledge scope of someone who grew up with a Windows GUI believing that a command line was just some old piece of technology that nobody used anymore.