[wplug] iptables, port forwarding and vnc.

James O'Kane jo2y at midnightlinux.com
Wed Mar 3 22:03:14 EST 2004


On Wed, 3 Mar 2004, John Harrold wrote:

>  $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d  $PSERVER --dport 5800 -j DNAT --to-destination $WINDOWS:5800
>  $IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --sport 1024:65535 -d $WINDOWS --dport 5800 -m state --state NEW -j ACCEPT
>  $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d  $PSERVER --dport 5900 -j DNAT --to-destination $WINDOWS:5900
>  $IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --sport 1024:65535 -d $WINDOWS --dport 5900 -m state --state NEW -j ACCEPT

I'm assuming you have something that allows ESTABLISHED connections?

You probably need matching POSTROUTING SNAT lines for the return packets.
As they are now, the return packets will have $WINDOWS IP and port, or
will be MASQUERADE'd to a non-matching port for this connection.

I've not had a chance to look at it, but I've heard REDIRECT is a poorly
chosen word, but it probably does what you want, with fewer rules to
manage.


-james
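Added example, not code from either mail in this thread: a small POSIX shell script that emits the complete rule set a DNAT port forward needs, as functions whose output can be reviewed (or piped to `sh` as root) instead of being applied blindly. Variable and interface names follow the quoted script; the addresses and the inside LAN prefix are constructed for the example. The connection-tracking entry that the PREROUTING DNAT rule creates already un-translates the reply packets on their way back out, so the rule the forward cannot work without is the one accepting ESTABLISHED,RELATED traffic in FORWARD; a POSTROUTING SNAT/MASQUERADE is only required for the hairpin case, where a client on the inside LAN connects to the firewall's public address and the server would otherwise answer it directly, bypassing the firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the iptables rules
# for forwarding VNC (5800 web applet, 5900 RFB) from the firewall to an
# inside host. Addresses below are constructed placeholders.
IPTABLES="${IPTABLES:-iptables}"
PSERVER="${PSERVER:-203.0.113.10}"   # public address of the firewall (constructed)
WINDOWS="${WINDOWS:-192.168.1.20}"   # VNC host on the inside LAN (constructed)
LAN_NET="${LAN_NET:-192.168.1.0/24}" # inside LAN prefix, used for hairpin only (constructed)
WAN_IF=eth0
LAN_IF=eth1

# forward_rules PORT: the two rules one forwarded TCP port needs, one per line:
# translate the destination in PREROUTING, then allow the NEW connection through
# FORWARD towards the inside host.
forward_rules() {
  port=$1
  printf '%s\n' \
    "$IPTABLES -t nat -A PREROUTING -i $WAN_IF -p tcp -d $PSERVER --dport $port -j DNAT --to-destination $WINDOWS:$port" \
    "$IPTABLES -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WINDOWS --dport $port -m state --state NEW -j ACCEPT"
}

# established_rule: lets the reply half of every tracked connection back through
# FORWARD. Conntrack reverses the DNAT on these packets; no SNAT is needed for
# clients that arrive on the WAN side.
established_rule() {
  printf '%s\n' "$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# hairpin_rule PORT: only for clients on the inside LAN that use the public
# address. Without it the server replies to the client directly and the
# client drops the packet because the source does not match $PSERVER.
hairpin_rule() {
  port=$1
  printf '%s\n' \
    "$IPTABLES -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $WINDOWS -p tcp --dport $port -j MASQUERADE"
}

# vnc_ruleset: the full, ordered rule set for both VNC ports.
vnc_ruleset() {
  established_rule
  forward_rules 5800
  forward_rules 5900
}

# Review with:  sh forward.sh          Apply as root with:  sh forward.sh | sh
vnc_ruleset
```

The ESTABLISHED,RELATED rule is emitted first so that it sits ahead of the per-port rules in the FORWARD chain; the state match then short-circuits the reply traffic, and only the first packet of each new VNC connection is evaluated against the port-specific rules. The `--sport 1024:65535` restriction from the quoted script is deliberately not carried over: it adds nothing the `--state NEW` match does not already provide, and some clients legitimately use source ports below 1024.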
