On Tue, 8 Jun 2010 12:17:06 +0800 Nelson <[email protected]> wrote:
> On Tue, Jun 8, 2010 at 12:11 PM, Scott Hamer <[email protected]> wrote:
> > > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > I've already got this at the top of my script:
> >
> > # Default policies: drop any incoming packets, accept the rest.
> > iptables -P INPUT DROP
> > iptables -P OUTPUT ACCEPT
> > iptables -P FORWARD ACCEPT
> >
> > # Masquerading will make machines from the LAN look as if they were the router
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > # Do not allow new or invalid connections to reach your internal network
> > iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
> >
> > # Accept any connections from the local machine and LAN
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A INPUT -i eth1 -j ACCEPT
> >
> > # Only accept from certain ports
> > iptables -A INPUT -i $WAN -p tcp -m tcp --dport 22 -j ACCEPT
> >
> > My ssh listens on another port, e.g. 3500.
> >
> > # Accept related and established connections
> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>

The actual iptables rules you want:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d n.n.n.n --dport 8022 -j DNAT --to 192.168.0.2:3500
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 3500 -j ACCEPT

'eth0' is your WAN interface, and n.n.n.n is your WAN address. 8022 is the internet-facing port you want to listen on (this can be 3500, too), and 192.168.0.2 is the destination computer.
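The two rules above only work if the FORWARD ACCEPT sits ahead of the script's existing `FORWARD ... --state NEW,INVALID -j DROP`; appended after it, it is never reached. The following script is an added example, not code from anyone in this thread: it assembles the whole rule set in the right order, with a dry-run mode that prints the rules instead of applying them and a check that verifies the ordering. Interface names, the WAN address (203.0.113.10 stands in for n.n.n.n) and ports are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the firewall with the port
# forward in place, putting the FORWARD ACCEPT ahead of the NEW,INVALID DROP
# so it can actually match. Values are constructed placeholders.
WAN=${WAN:-eth0}                 # WAN interface
LAN=${LAN:-eth1}                 # LAN interface
WAN_IP=${WAN_IP:-203.0.113.10}   # stands in for n.n.n.n (documentation range)
PUB_PORT=${PUB_PORT:-8022}       # internet-facing port
DST_HOST=${DST_HOST:-192.168.0.2}
DST_PORT=${DST_PORT:-3500}       # sshd port on the internal host

# ipt: print the rule instead of applying it when DRY_RUN=1, so the
# ordering can be reviewed before a live firewall is touched.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Rewrite the destination of inbound connections to the public port ...
    ipt -t nat -A PREROUTING -p tcp -i "$WAN" -d "$WAN_IP" --dport "$PUB_PORT" \
        -j DNAT --to-destination "$DST_HOST:$DST_PORT"
    # ... and accept the rewritten flow BEFORE the generic drop below.
    # Appended after the drop, this rule would never be reached.
    ipt -A FORWARD -p tcp -i "$WAN" -d "$DST_HOST" --dport "$DST_PORT" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -m state --state NEW,INVALID -j DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN" -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# check_order: succeeds only if, in the dry-run listing, the FORWARD ACCEPT
# for the forwarded port comes before the FORWARD NEW,INVALID DROP.
check_order() {
    listing=$(DRY_RUN=1; apply_rules)
    accept_line=$(printf '%s\n' "$listing" | grep -n -- "-A FORWARD .*--dport $DST_PORT -j ACCEPT" | cut -d: -f1)
    drop_line=$(printf '%s\n' "$listing" | grep -n -- "-A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) DRY_RUN=1; apply_rules ;;
esac
```

Run it with `dry-run` to review the generated rules, and with `apply` (as root) to install them; `check_order` is the test a practitioner would run before trusting the ordering.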
