Port Forwarding Using Iptables and APF - Access the internal network using a public IP address

By | August 26, 2009

In an organisation we sometimes need to expose some of the internal services to the outside world. If the system administrator needs to reach a remote Windows machine, a VNC server, etc. from the outer network, what do we do? Port forwarding is the best option for passing through the gateway. Check the security settings while forwarding the port.

The public IP address is configured on the gateway, which is set up for NAT routing. NAT routing lets internal users reach the outside world: an internal user's request (e.g. HTTP, FTP, or another port) is sent to the gateway, and from the gateway it is sent out to the 'www'.

The outside world can only reach the internal network with the help of the system administrator. He creates sensible routing rules on the gateway so that access from the outside is possible without compromising the security of the internal network, servers, etc.

Here I am explaining port forwarding using iptables commands, exposing an internal Windows Remote Desktop to the outside of the gateway.

The command used to forward the request from the public address to the internal machine is as follows:

# iptables -t nat -A PREROUTING -d <public ip of the gateway> -p tcp -m tcp --dport 9519 -j DNAT --to-destination 192.168.0.250:3389

This iptables rule is set so that when someone on the WAN ('www') requests Microsoft Remote Desktop via <public ip>:9519, the request is forwarded to the Remote Desktop port of the internal Windows machine, which has the static IP address 192.168.0.250.

Port 3389 together with 192.168.0.250 is the address of the internal Microsoft Remote Desktop service. Other services can be configured in the same way.

In the case of VNC, configure the internal machine with a static IP address and a VNC server, and start the VNC server service on it. By default the VNC port is 5900.

# iptables -t nat -A PREROUTING -d <public ip of the gateway> -p tcp -m tcp --dport 9520 -j DNAT --to-destination 192.168.0.251:5900

This iptables rule forwards the vncviewer request from the public IP address to the port of the internal VNC server machine.

Make sure to set a strong password to protect the machine from being compromised.
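The two rules above publish RDP and VNC on their own. On a gateway whose FORWARD chain policy is DROP, the DNAT rule alone is not enough: the translated packet still has to be accepted in FORWARD, and IP forwarding must be enabled in the kernel. The script below is an added example, not part of the original post; it generates the DNAT rule for each published service together with the matching FORWARD rule, and restricts every rule to a management source network so the forwarded ports are not reachable from the whole internet. The gateway IP 203.0.113.10, the admin network 198.51.100.0/24 and the interface eth0 are placeholder values; the service table reuses the addresses and ports from the post.

```shell
#!/bin/sh
# Added example (not from the original post): generate DNAT + FORWARD rules
# for a list of published services, each restricted to an admin source network.
# GATEWAY_IP, ADMIN_NET and WAN_IF are placeholders; override them from the environment.

GATEWAY_IP="${GATEWAY_IP:-203.0.113.10}"    # placeholder public IP of the gateway
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"   # placeholder network allowed to connect
WAN_IF="${WAN_IF:-eth0}"                    # interface facing the 'www'

# Service table (constructed from the post): "external_port internal_ip internal_port"
SERVICES="9519 192.168.0.250 3389
9520 192.168.0.251 5900"

# forward_rules EXT_PORT INT_IP INT_PORT
# Prints the two rules one published service needs: the PREROUTING DNAT from
# the post (with a source restriction added) and the FORWARD accept for the
# translated packet, which now carries the internal address and port.
forward_rules() {
    ext="$1"; ip="$2"; port="$3"
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$ADMIN_NET" "$GATEWAY_IP" "$ext" "$ip" "$port"
    printf 'iptables -A FORWARD -i %s -s %s -d %s -p tcp -m tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$ADMIN_NET" "$ip" "$port"
}

# all_rules
# Emits the kernel forwarding switch, one FORWARD rule for return traffic of
# connections already accepted, and the per-service rules from the table.
all_rules() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "$SERVICES" | while read -r ext ip port; do
        [ -n "$ext" ] || continue
        forward_rules "$ext" "$ip" "$port"
    done
}

# Dry run by default (prints the commands for review); "apply" executes them,
# which needs root and iptables on the gateway.
if [ "${1:-}" = "apply" ]; then
    all_rules | sh -e
else
    all_rules
fi
```

Run it without arguments first and read the generated commands; the per-service FORWARD rule matches on the internal address because DNAT in PREROUTING has already rewritten the destination by the time the packet reaches FORWARD. Replacing ADMIN_NET with 0.0.0.0/0 reproduces the post's rules, open to any source.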

Using APF

1. Edit the preroute rules file inside the APF installation directory:

# vi /etc/apf/preroute.rules

Add the same iptables rule to this file and reload APF. Adjust the iptables port forwarding rule to your needs.

2. Reload APF to make the port forwarding rule take effect.

# apf -r

Melbin Mathew

I am Melbin Mathew, Systems Engineer from Kerala, India. I live with my parents, daughter and my wonderful wife. I graduated in 2004 with a bachelor's degree in Electronics and Hardware from Mahatma Gandhi University, Kottayam and completed certification in MCITP, RHCE, CCNA, VCP.
Category: Linux
