I have a Linux machine and a Windows machine behind a router that implements NAT (the diagram might be overkill, but was fun to make):
I am forwarding RDP port (3389) on the router to the Linux machine because I want to audit RDP connections. For the Linux machine to forward RDP traffic, I wrote these iptables rules:
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination win-box
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
The port is listening on the Windows machine:
C:\Users\nimmy>netstat -a
Active Connections
Proto Local Address Foreign Address State
(..snip..)
TCP 0.0.0.0:3389 WIN-BOX:0 LISTENING
(..snip..)
And the port is forwarding on the Linux machine:
# tcpdump port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:33:11.451663 IP shieldsup.grc.com.56387 > linux-box.myapt.lan.ms-wbt-server: Flags [S], seq 94663035, win 8192, options [mss 1460], length 0
01:33:11.451846 IP shieldsup.grc.com.56387 > win-box.myapt.lan.ms-wbt-server: Flags [S], seq 94663035, win 8192, options [mss 1460], length 0
However, I am not getting any successful RDP connections from the outside. The port is not even responding:
C:\Users\outside-nimmy>telnet example.com 3389
Connecting To example.com...Could not open connection to the host, on port 3389: Connect failed
Any ideas?
Update
Per @Zhiqiang Ma, I looked at nf_conntrack
proc file during a connection attempt and this is what I see (192.168.3.1 = linux-box, 192.168.3.5 = win-box):
# cat /proc/net/nf_conntrack | grep 3389
ipv4 2 tcp 6 118 SYN_SENT src=4.79.142.206 dst=192.168.3.1 sport=43142 dport=3389 packets=6 bytes=264 [UNREPLIED] src=192.168.3.5 dst=4.79.142.206 sport=3389 dport=43142 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2
2nd update
Got tcpdump
on the router and it seems that win-box is sending an RST packet:
21:20:24.767792 IP shieldsup.grc.com.45349 > linux-box.myapt.lan.3389: S 19088743:19088743(0) win 8192 <mss 1460>
21:20:24.768038 IP shieldsup.grc.com.45349 > win-box.myapt.lan.3389: S 19088743:19088743(0) win 8192 <mss 1460>
21:20:24.770674 IP win-box.myapt.lan.3389 > shieldsup.grc.com.45349: R 721745706:721745706(0) ack 755785049 win 0
Why would Windows be doing this?
Best Answer
Add port in iptables rules?:
I am not very sure it's the reason. But I usually do it in this way: http://www.systutorials.com/816/port-forwarding-using-iptables/
You can all try flush the tables first: iptables -t nat -F; iptables -F and then add these two rules in case other rules in your iptables block the connection.
You may also
and see the content there. Each forwarding connection has entries there.
Note: MASQUERADE is required as well if the outbound route from windows does not by default pass through the
iptables
box; see comments below ( you may need to unhide).