OK! Is it really possible to pcAnywhere w/ipchains?


Cadillac84
10-15-2002, 02:12 AM
Greetings and apologies in advance for not understanding how to use what has already been written on this subject.

I have a Win98 box on a private net 192.168.40.0/24 -- specifically, the box is 192.168.40.13.

The Internet is ADSL w/fixed IP (eg 64.xxx.yyy.zzz).

The Linux router box is running RedHat 7.3 (2.4.18) and I am using ipchains. I'm using chains rather than tables because chains is working for the things we're doing other than this one task. I worked so hard to get all that behaving that I'm afraid to mess with it. (I do plan to set up another box using tables and get it working with a test net, but I need to get this pcAnywhere going now to provide for a manager who will be confined to the home for a few weeks.)

eth0 IP 64.xxx.yyy.zzz NetMask 255.255.255.252

eth1 IP 192.168.40.1 NetMask 255.255.255.0

Win98 box running pcAnywhere HOST has IP 192.168.40.13

The pcAnywhere remote is a Win98 box on a cable system IP 24.aaa.bbb.ccc

Both pcAnywhere versions are 10.5 and are using the default ports of 5631 for tcp and 5632 for udp.

For what it's worth, the 64... IP REJECTS (by design) all tcp on port 23 except for the specific IP 24.aaa.bbb.ccc which can successfully telnet. So, we are able to get into the Linux router from the outside. The proposed host machine 192.168.40.13 is able to browse on the Internet and can ping the 24.aaa.bbb.ccc box.

I want to be able to use the pcAnywhere box at 24.aaa.bbb.ccc to remotely control the host at 192.168.40.13 inside 64.xxx.yyy.zzz.

Is it possible for someone to tell me how to do this without trying to convince me that iptables would be better or that I could use something that used to work with 2.2.10 or something like that that I don't have and won't run on my system?

I have indeed searched for an answer to this, and if someone has recently answered it, I surely didn't understand the answer.

--------------

There's always the modem !! :(

mychl
10-15-2002, 02:22 AM
Well, I don't know ipchains that well, I use iptables...

The only other suggestion I have is to set up forward rules on the 64.xxx.yyy.zzz router that send those 2 ports to your 98 box.

Then your 24.xx.yy.zz machine would try to connect to the 64.xxx.yy.zzz machine, and automatically get the request sent to the 192.168 box..... are there limitations for pcanywhere as far as this goes?

Maybe you could have the 98 box initiate the connection, dial into it if need be, just to initiate the call to the other external address (24.xx.yy.zz)... just a thought.

One reason why I use iptables is its stateful inspection... you could set up just one port to get forwarded and then any packets on any ports can get in and out with the ESTABLISHED/RELATED rules on the FORWARD chain.

You can check out my iptables script here (http://mychl717.com/linked/iptables) if you want.....

Good Luck

jumpedintothefire
10-15-2002, 09:00 AM
Read my comments from here:

http://linuxnewbie.org/forum/showthread.php?s=&threadid=66457

Move to iptables for the advanced features that you need to use.

Cadillac84
10-15-2002, 11:02 AM
Not only here at LNO, but everyplace I look, the answer to the pcA question is either "iptables" or one of the now obsolete 2.0 kernel tools that won't work with ipchains!!

Nobody gives an answer that strictly involves the use of "ipchains."

So, it seems I will go ahead and bite the proverbial bullet.

With fear and trembling deep inside, but with a mask of savoir-faire, he forges ahead into the realm of the [to him] unknown.

Thanks for what must be the right answer.

Chuck

mychl
10-15-2002, 07:45 PM
It's very similar, you shouldn't have too difficult a time with it. If you need any help, you know where to come...

Good Luck....

Cadillac84
10-18-2002, 09:28 PM
OK, I did it -- I bit the bullet.

I took down the RedHat 7.3 and replaced it with my SuSE 8.0 which was running on another box in the same room (because the SuSE has a c_compiler and up-to-date ssh on it, and because I can't STAND RedHat's setup interface!)

Since I had never run CHAINS on the SuSE, I didn't have to take that down -- just did the rules in iptables.

mychl, I actually used your rules almost verbatim -- left out the things I'm not using like DNS and Samba

I typed all the commands in at the # prompt (like an idiot!)

But, once you get going, it isn't so bad (until you realize you made a mistake four lines ago and repeated it once, so you have to go back and -D twice and then -A twice fixing the mistake).

I walked in to this ole WinBox and pinged my DNS server, got a response and started IE and came here.

THANK YOU SO VERY MUCH, ALL!!!!!

I'm going to have a quick go at pcAnywhere, but I think a few sips of Gin may be called for in the event that doesn't do well, I'll worry about 5631/2 in the morning.

I've inherited another person who "needs" to telecompute, so I'll quickly have to play the port shuffle for real.

Sigh! I'm so happy I could just s___ (sit?) :) :) :)

mychl
10-19-2002, 09:10 AM
Cool!

Good Job!

Cadillac84
10-21-2002, 08:25 PM
After using mychl's script (link above) to set up iptables on my linux 2.4.x system, I added the following lines by hand.

Note that the ip addy's have been disguised to avoid undue firewall testing ;)

To maintain consistency between the question I originally asked and the lines below, I am using the same disguises.


iptables -t nat -A PREROUTING -p tcp -i eth0 -s 24.aaa.bbb.ccc -d 64.xxx.yyy.zzz --dport 5631 -j DNAT --to-destination 192.168.40.13:5631

iptables -t nat -A PREROUTING -p udp -i eth0 -s 24.aaa.bbb.ccc -d 64.xxx.yyy.zzz --dport 5632 -j DNAT --to-destination 192.168.40.13:5632

iptables -A FORWARD -i eth0 -s 24.aaa.bbb.ccc -j ACCEPT

Then another user wanted the same access but to a different internal computer. So, I added the similar lines:

iptables -t nat -A PREROUTING -p tcp -i eth0 -s 64.ttt.uuu.vvv -d 64.xxx.yyy.zzz --dport 5631 -j DNAT --to-destination 192.168.40.20:5631

iptables -t nat -A PREROUTING -p udp -i eth0 -s 64.ttt.uuu.vvv -d 64.xxx.yyy.zzz --dport 5632 -j DNAT --to-destination 192.168.40.20:5632

iptables -A FORWARD -i eth0 -s 64.ttt.uuu.vvv -j ACCEPT

NOW, what is the advantage of doing it that way?? Well, the table is looking for a specific source to target relationship. The first person is coming from 24.aaa.bbb.ccc with a pcAnywhere (port 5631) packet and tables routes that to internal machine 13. The second person sends an IDENTICAL packet, but because the source IP is different, it gets routed to a different machine.

No messing around with ports for steering is necessary.

Now, IF I wanted 64.ttt.uuu.vvv to have a CHOICE of which machine he logged onto, then I would have to play with ports -- but I think what I would do is to leave the host machines alone and tell the REMOTE to target port 9631/2 and then my rules would look like this (I think -- have NOT tested this!!)

------------
UNTESTED

iptables -t nat -A PREROUTING -p tcp -i eth0 -s 64.ttt.uuu.vvv -d 64.xxx.yyy.zzz --dport 9631 -j DNAT --to-destination 192.168.40.17:5631

iptables -t nat -A PREROUTING -p udp -i eth0 -s 64.ttt.uuu.vvv -d 64.xxx.yyy.zzz --dport 9632 -j DNAT --to-destination 192.168.40.17:5632

UNTESTED
------------

Since I've already agreed to FORWARD anything that comes to eth0 from this guy's IP, I wouldn't have to repeat the third line.

The only question I have is about the third rule -- which probably ought to be the first rule and which probably would work in any position since it is part of a different table --

iptables -A FORWARD -i eth0 -s 64.ttt.uuu.vvv -j ACCEPT

By agreeing to FORWARD anything that comes to eth0 from this guy's IP, am I leaving the door too far open?? Would I be well advised to make that

# --dport only works together with -p tcp or -p udp, so it takes one rule per protocol
iptables -A FORWARD -p tcp -i eth0 -s 64.ttt.uuu.vvv --dport 5631 -j ACCEPT
iptables -A FORWARD -p udp -i eth0 -s 64.ttt.uuu.vvv --dport 5632 -j ACCEPT

Or is it enough to say, "Look, if you're going to trust this guy to have access to your whole internal network, why would you need to worry about what port he's coming in on?"

C
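
Added example (editor's, not from anyone in this thread): a small POSIX shell script that generates the same DNAT-based pcAnywhere forwarding described in the post above, but with the FORWARD rule narrowed to the DNAT target host and the two pcAnywhere ports instead of accepting everything from the remote address. The interface name, the disguised addresses and the optional external ports 9631/9632 are taken from the thread; the function names, the IPT/EXT_IF/EXT_IP variables and the "print instead of apply" default are assumptions of this example. Run it with IPT=iptables as root to apply the rules; without that it only prints them.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates iptables rules that DNAT
# pcAnywhere (tcp 5631 / udp 5632) from one remote address to one internal host
# and, in FORWARD, accept only that traffic rather than anything from the remote.
# IPT defaults to printing the commands; set IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"             # external interface, as in the thread
EXT_IP="${EXT_IP:-64.xxx.yyy.zzz}"   # disguised external address, as in the thread

# pcanywhere_forward REMOTE INTERNAL_HOST [EXT_TCP_PORT] [EXT_UDP_PORT]
#   REMOTE        source address or CIDR the remote connects from (0.0.0.0/0 = anyone)
#   INTERNAL_HOST the pcAnywhere host behind the router
#   EXT_*_PORT    ports the remote targets on the router; default 5631/5632.
#                 Passing e.g. 9631 9632 lets one remote pick a second host.
pcanywhere_forward() {
    remote="$1"; host="$2"
    tcp_ext="${3:-5631}"; udp_ext="${4:-5632}"

    # nat/PREROUTING: rewrite the destination before the routing decision.
    $IPT -t nat -A PREROUTING -p tcp -i "$EXT_IF" -s "$remote" -d "$EXT_IP" \
        --dport "$tcp_ext" -j DNAT --to-destination "$host:5631"
    $IPT -t nat -A PREROUTING -p udp -i "$EXT_IF" -s "$remote" -d "$EXT_IP" \
        --dport "$udp_ext" -j DNAT --to-destination "$host:5632"

    # filter/FORWARD sees the packet AFTER DNAT, so it can match the internal
    # host and the pcAnywhere ports. --dport needs -p tcp or -p udp, hence two rules.
    $IPT -A FORWARD -p tcp -i "$EXT_IF" -s "$remote" -d "$host" --dport 5631 -j ACCEPT
    $IPT -A FORWARD -p udp -i "$EXT_IF" -s "$remote" -d "$host" --dport 5632 -j ACCEPT
}

# Replies from the internal host also cross FORWARD; one stateful rule covers
# them for every forwarded session, so nothing else needs to be opened.
allow_replies() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage with the thread's (disguised) addresses:
#   first remote, default ports, to host .13
#   second remote, alternate external ports 9631/9632, to host .17
if [ "${PCA_DEMO:-1}" = 1 ]; then
    allow_replies
    pcanywhere_forward 24.aaa.bbb.ccc 192.168.40.13
    pcanywhere_forward 64.ttt.uuu.vvv 192.168.40.17 9631 9632
fi
```

Each remote gets exactly four rules (two DNAT, two FORWARD), and the FORWARD rules only admit packets whose destination has already been rewritten to the pcAnywhere host, so a remote address that is trusted for pcAnywhere is not implicitly trusted for every other port on the internal network. Rule order within the filter and nat tables is independent, as the post suggests, but the ESTABLISHED,RELATED rule should be added before any DROP rule in FORWARD.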

mychl
10-21-2002, 11:50 PM
I think that is a personal choice that you have to make.

Obviously you could give him the ability to access your network anyway he wanted... OR, only let him use PC Anywhere.

I think you should do what you feel better about.

Good job too, that was really well put and I'll use this thread as a link to others....

Thanks...

:p

Cadillac84
10-25-2002, 12:00 AM
Mychl --

I didn't know how good it was until I rebooted (thinking I had saved everything, but it hadn't saved anyplace that I could find it and iptables had no rules -- only policy of DROP. My plan didn't work :( )

So, I did something pretty cool -- I opened .bash_history with pico and saved it as .bash_history_tables after having deleted about 2000 lines before and after my typing session with your script to set up iptables.

I went to the RULES section of your script and did a Ctrl_R to import my /root/.bash_history_tables and customized the thing to pretty well suit me. Saved the whole thing as /etc/init.d/my_iptables

But, I had commented out things I didn't understand. So, when it got to the

;;
stop)

I would get an error message, but the rules DID load.

Well, THEN I realized that part of what I had commented out was the thing that allowed one to "restart" after making changes.

WOW! This is just too cool! :)

So, now I've got a symlink in rc3.d to /etc/init.d/my_iptables and I'll clean up the rest of the mess later.

I'm tired and need to go home -- wish I had typed the script instead of typing it in by hand, but the ability to fashion a script out of the bash-history was awesome.

Thanks again for the script -- I may come back and ask you a few questions about it now that I'm using it more properly.

Chuck

mychl
10-25-2002, 10:53 AM
Great!

I love it when a plan comes together....

Well done.

:D

npereira
02-03-2003, 08:50 PM
Originally posted by Cadillac84
After using mychl's script (link above) to set up iptables on my linux 2.4.x system, I added the following lines by hand.

Note that the ip addy's have been disguised to avoid undue firewall testing ;)

To maintain consistency between the question I originally asked and the lines below, I am using the same disguises.


iptables -t nat -A PREROUTING -p tcp -i eth0 -s 24.aaa.bbb.ccc -d 64.xxx.yyy.zzz --dport 5631 -j DNAT --to-destination 192.168.40.13:5631

iptables -t nat -A PREROUTING -p udp -i eth0 -s 24.aaa.bbb.ccc -d 64.xxx.yyy.zzz --dport 5632 -j DNAT --to-destination 192.168.40.13:5632

iptables -A FORWARD -i eth0 -s 24.aaa.bbb.ccc -j ACCEPT


I don't understand the reason to have a -s (source) -d (destination) and DNAT --to-destination.
I'm confused, source for me means the IP address trying to establish a connection. Destination is the Firewalls External interface and DNAT --to-destination is the PCanywhere host internal ip address, right?

What if I don't have a specific IP address as a source, since different PCs across the net are going to connect to it? What do I enter as a source?

npereira
02-03-2003, 08:57 PM
These are the commands I did and still I cannot connect to the PC running PCAnywhere as host, accepting connections on 192.168.1.10:

iptables -t nat -A PREROUTING -p tcp -i eth1 -s 0.0.0.0/0.0.0.0 -d 66.46.196.124 --dport 5631 -j DNAT --to-destination 192.168.1.10:5631

iptables -t nat -A PREROUTING -p udp -i eth1 -s 0.0.0.0/0.0.0.0 -d 66.46.196.124 --dport 5632 -j DNAT --to-destination 192.168.1.10:5632

iptables -A FORWARD -i eth1 -s 0.0.0.0/0.0.0.0 -j ACCEPT

What did I do wrong?

p.s.: ETH1 is my external interface.