iptables redirect port connection to different host:port
by mfoley from LinuxQuestions.org on (#6EMVA)
Our organization has a Sonicwall firewall which forwards certain ports to a LAN Linux host which does routing/port forwarding tasks via iptables. For several years the Sonicwall has forwarded e.g. port 1912 to this Linux host, named MAIL. The iptables config to accomplish that is:
Code:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1912 -j DNAT --to-destination 192.168.0.62:3389
iptables -A FORWARD -i eth1 -d 192.168.0.62 -p tcp --dport 3389 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.62 -p tcp --dport 3389 -j SNAT --to-source 192.168.0.2
iptables -t nat -A POSTROUTING -o eth1 -d 192.168.0.62 -p tcp --dport 3389 -j SNAT --to-source 192.168.0.2

This config was worked out with help from LQ experts years ago and I don't pretend to understand it all.
Now, I want to restrict forwarding from port 1912 to be enabled only from within the LAN. This does work from a LAN workstation:
Code:
$ telnet mail 1912
Trying 192.168.0.2...
Connected to mail.
Escape character is '^]'.

I deleted the port forwarding rules from the Sonicwall, but unfortunately, the following also still works from a remote computer:
Code:
$ telnet mail.mydom.org 1912
Trying 1.2.3.4 ...
Connected to mail.mydom.org.
Escape character is '^]'.

which tells me that the Sonicwall had nothing to do with it and 1912 requests were routing directly to the MAIL host all along!
Oh well, my question is, how do I modify these iptables rules to only allow this host:port to be accessed from within the LAN and disallow WAN connects?
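One way to restrict the rules from the post to LAN sources, as an added example (not from the post or any reply): the DNAT and FORWARD rules gain `-s 192.168.0.0/24`, any other forward to 192.168.0.62:3389 arriving on eth1 is dropped, and a check function flags any DNAT rule for the port that lacks the source match (it can be run over `iptables-save` output as well). It assumes the Sonicwall passes WAN connections through with their original source address; if it source-NATs them to a LAN address, a source filter cannot tell them apart, which `tcpdump -ni eth1 tcp port 1912` during a test from outside will show.

```shell
#!/bin/sh
# Added example, not the original poster's config. Assumed values: the LAN is
# 192.168.0.0/24, eth1 is the interface both the LAN and the Sonicwall reach
# MAIL on, and the Sonicwall does not rewrite the source of WAN traffic.
LAN_NET="${LAN_NET:-192.168.0.0/24}"
IFACE="${IFACE:-eth1}"
TARGET="${TARGET:-192.168.0.62}"
TARGET_PORT="${TARGET_PORT:-3389}"
PUBLIC_PORT="${PUBLIC_PORT:-1912}"
SNAT_SRC="${SNAT_SRC:-192.168.0.2}"

# Print the LAN-only rule set instead of applying it, so it can be reviewed
# first. To apply after review:  lan_only_rules | sh
lan_only_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $IFACE -s $LAN_NET -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $TARGET:$TARGET_PORT
iptables -A FORWARD -i $IFACE -s $LAN_NET -d $TARGET -p tcp --dport $TARGET_PORT -j ACCEPT
iptables -A FORWARD -i $IFACE -d $TARGET -p tcp --dport $TARGET_PORT -j DROP
iptables -t nat -A POSTROUTING -s $LAN_NET -d $TARGET -p tcp --dport $TARGET_PORT -j SNAT --to-source $SNAT_SRC
EOF
}

# Read rules on stdin; return 1 if any DNAT rule for PUBLIC_PORT lacks the
# LAN source match, 0 otherwise. Works on lan_only_rules output and on
# `iptables-save -t nat` output alike (both carry --dport and -j DNAT).
check_lan_only() {
    if grep -F -- "--dport $PUBLIC_PORT" | grep -F -- "-j DNAT" \
        | grep -vF -- "-s $LAN_NET" | grep -q .; then
        return 1
    fi
    return 0
}
```

Run `iptables-save -t nat | check_lan_only` after applying to confirm no unrestricted DNAT for the port survived from the old rule set.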