1

I can't find an answered question for this problem.

I have about 7 ranges of IP address i would like to allow to RDP(port 3389) to a a server within my network.

My main router uses iptables and i cant seem to figure out what the right combination is ...

this is the closest i've gotten which doesnt seem to work

iptables -t filter -l FORWARD -d 192.168.x.xx -p tcp -m iprange --src-range xx.xxx.xxx.100-xxx.xxx.xxx.200 --dport 3389 -j ACCEPT

What is the correct way of doing this...

UPDATE:

I have found a solution to the problem. Please see answer below for my solution

Mike Pengelly
  • 201

1 Answers1

0

So this is the definitive answer i was looking for.

You first need to set NAT (prerouting) rule to redirect the traffic to the correct server/computer. Done like this...

iptables -t nat -A PREROUTING -p tcp -s yy.yy.yy.0/24 --dport 3389 -j DNAT --to-destination 192.168.1.xx:3389

Then you need a Filter (FORWARD) Rule to allow the traffic to flow to the destination like this... 

iptables -t filter -I FORWARD -s yy.yy.yy.0/24 -d 192.168.1.xx -p tcp --dport 3389 -j ACCEPT

Note:

yy.yy.yy.0/24 is the IP block you would like to allow ... See https://www.aelius.com/njh/subnet_sheet.html for help with subnets.

192.168.1.xx is the destination server in your local LAN.

Mike Pengelly
  • 201
  • Ipset make whitelisting and blacklisting much easier especially for large number of up addresses. – rjt Jul 01 '16 at 04:08