Need an IPTABLES expert

Discussion in 'Cisco/Linksys Wireless Routers' started by stefor, Apr 18, 2005.

  1. stefor

    stefor Network Guru Member

    Hi everybody,
    I need some IPTABLES expert, I have started to read the documentation but it needs time to fully understand it.
    Here is my challenge:
    I have a WRT54GS which is my ADSL router and firewall. Its IP address is
    I need to access remotely from the internet a server which is inside the LAN and which has the following IP address : using Terminal Services on RDP port 3389 (I am not sure if it is TCP or UDP, let's say both). That means that on that server there is a Terminal Services service running that is listening for connections on port 3389.
    The thing is, I initiate the connection from my work office (which has a FW + NAT and a public address which is, let's say and I do not want to open my server to any IP address other than my work office address.
    Furthermore I would like to forward port 8080 from the outside to port 3389 on the server, just to keep the entrance confusing.

    So to summarize, I want to:
    1- translate the incoming requests from the internet which have destination port 8080 (UDP and TCP) on my router to
    2- restrict this port usage only to my work office IP address (let's say All requests coming from other IP addresses might be dropped.

    Is there anybody who can help me with the respective iptables command lines ?
  2. Guyfromhe

    Guyfromhe Network Guru Member

    Well, since no one is replying to this, hopefully this will get you started:

    To add a NAT route you can use this:

    # TCP: rewrite traffic from the office to the router's public port so it reaches the server
    iptables -t nat -I PREROUTING -s $workip -p tcp -d $PUBLIC_IP --dport $PUBLIC_PT -j DNAT --to-destination $PRIVAT_IP:$PRIVAT_PT

    # TCP: rewrite the source of packets the server sends from its RDP port towards the office
    iptables -t nat -I POSTROUTING -p tcp -d $workip -s $PRIVAT_IP --sport $PRIVAT_PT -j SNAT --to-source $PUBLIC_IP:$PUBLIC_PT

    # UDP: same pair of rules
    iptables -t nat -I PREROUTING -p udp -s $workip -d $PUBLIC_IP --dport $PUBLIC_PT -j DNAT --to-destination $PRIVAT_IP:$PRIVAT_PT

    iptables -t nat -I POSTROUTING -p udp -d $workip -s $PRIVAT_IP --sport $PRIVAT_PT -j SNAT --to-source $PUBLIC_IP:$PUBLIC_PT

    That should do it. I can't really try it right now but theoretically that should work; I'll get back to you in 6 or 7 hours if that doesn't work...
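The forward-and-restrict setup the thread is after, written out as an added example (not code from either poster): it generates the rules that DNAT the public port to the RDP server for one allowed source only, plus the FORWARD accept that the DNAT alone does not give you when the chain drops by default, and an INPUT drop so other sources never reach the port. All addresses, ports and the `rdp_forward_rules` function name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables rules for forwarding
# a public port to an internal RDP server while admitting one source address.
# All values are constructed placeholders; override them via the environment.
WORK_IP="${WORK_IP:-198.51.100.10}"      # office public address (allowed source)
PUBLIC_IP="${PUBLIC_IP:-203.0.113.5}"    # router WAN address
SERVER_IP="${SERVER_IP:-192.168.1.10}"   # RDP server inside the LAN
PUBLIC_PORT="${PUBLIC_PORT:-8080}"       # port exposed on the WAN side
SERVER_PORT="${SERVER_PORT:-3389}"       # port the server listens on

# Emit one rule set per protocol. The same source match appears in PREROUTING
# and FORWARD, so a packet from any other address is neither translated nor
# forwarded. Conntrack un-NATs the replies, so no SNAT rule is required.
rdp_forward_rules() {
    for proto in tcp udp; do
        echo "iptables -t nat -A PREROUTING -p $proto -s $WORK_IP -d $PUBLIC_IP --dport $PUBLIC_PORT -j DNAT --to-destination $SERVER_IP:$SERVER_PORT"
        echo "iptables -A FORWARD -p $proto -s $WORK_IP -d $SERVER_IP --dport $SERVER_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A FORWARD -p $proto -s $SERVER_IP --sport $SERVER_PORT -d $WORK_IP -m state --state ESTABLISHED,RELATED -j ACCEPT"
        # Untranslated packets to the public port end up in INPUT on the router;
        # drop them there so nothing but the office ever gets an answer.
        echo "iptables -A INPUT -p $proto --dport $PUBLIC_PORT -j DROP"
    done
}

# Number of rules that carry the allowed-source restriction (for checking).
restricted_rule_count() {
    rdp_forward_rules | grep -c -- "-s $WORK_IP "
}

# Print by default; apply only when explicitly asked (needs root on the router).
if [ "${1:-}" = "--apply" ]; then
    rdp_forward_rules | sh
else
    rdp_forward_rules
fi
```

Run it without arguments to review the rules, then with `--apply` on the router itself once the values match your network.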
  3. jagboy

    jagboy Network Guru Member

    See if you could consult fwbuilder. I think they have a forum.
  4. stefor

    stefor Network Guru Member

    Sounds nice.
    I do not have time to test it right now (I have got to go to work :( ) but I will try that this evening.

    Thanks for your help
